Loading Profile...
If someone enters Javascript in a Defect description, for example one for cross site scripting, it will be executed when loading the task board.
So entering in a description will cause a pop up to appear anytime you load the task board.
Help get this topic noticed by sharing it on
Twitter,
Facebook, or email.
Twitter,
Facebook, or email.
Javascript executes when entered in a description.
-
I can reproduce this issue by entering a script block in a non-html description field and then hovering over the work item on either board to trigger the detailed tooltip popup. The script will be executed in this context. However, it does not run automatically simply by reloading the task board. I may have missed something however. Do you have any further details you could provide us with?Comment
-
-
-
This is similar to what one of our testers put in the description field. We see the alert pop up whenever going to the task or planning boads that contain that defect.
-
-
This is pretty much the same as I have tested here and the alert only pops up when hovering over the work item title (which is still a bug). Just refreshing the board does not make it show up. Have you configured the description field to appear in one of the customizable sections? I am trying to understand why it appears all the time on your side.
-
-
I was actually able to reproduce this when I entered a bug with this title, "Urban Turtle allows xss by < script >alert('Urban Turtle Allows Cross Site Scripting')< / script >" (without the spaces in the script tags). I did not have to hover over the bug, refreshing the page makes it show:
-
EMPLOYEE
