Letractively / webpasswordsafe

Automatically exported from code.google.com/p/webpasswordsafe

XSS/Link injection on grids and list boxes #13

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Add new password with title, tags, and/or notes as <script>alert('hi')</script> , then do a password search with that password as a result and script will execute when added to search grid.
2. Add a user or group with <script>alert('hi')</script> as the name, then create a permission on a password using that user or group and script will execute when adding to permission grid.
3. Add new user/group/template/password with <img src="https://ssl.gstatic.com/codesite/ph/images/defaultlogo.png"> as the name. Now when that user/group/template/password is a result in any list or choice box, or grid data, the image will get displayed.

What is the expected output? What do you see instead?
1. Any script, image, etc. HTML should be encoded and escaped properly to not execute script or load images.

Oh Ext-GWT!

Original issue reported on code.google.com by joshdrum...@gmail.com on 5 Dec 2010 at 8:20

GoogleCodeExporter commented 8 years ago
Password history grid should probably htmldecode somehow when the password cell is clicked to copy password value to somewhere else.

Original comment by joshdrum...@gmail.com on 5 Dec 2010 at 9:46

GoogleCodeExporter commented 8 years ago
password history grid copy feature now working perfectly as well!

Original comment by joshdrum...@gmail.com on 5 Dec 2010 at 10:06

GoogleCodeExporter commented 8 years ago

Original comment by joshdrum...@gmail.com on 27 Dec 2010 at 8:12
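
The encoding the report asks for, together with the decode-on-copy step raised in the follow-up comment, as an added JavaScript example that is not webpasswordsafe code. The function names, the `cell` wrapper markup and the third sample value are assumptions constructed for illustration.

```javascript
// Added example, not webpasswordsafe code. All names here are hypothetical.

const ENCODE = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const DECODE = Object.fromEntries(Object.entries(ENCODE).map(([ch, ent]) => [ent, ch]));

// Encode a stored value before it is placed into grid or list-box markup,
// so titles, tags, notes and names are shown as text instead of being parsed.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENCODE[ch]);
}

// Reverse escapeHtml in a single pass. Decoding entity by entity in sequence
// would turn "&amp;lt;" into "<" and corrupt a password that contains "&lt;".
function unescapeHtml(html) {
  return String(html).replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => DECODE[ent]);
}

// What the grid displays: a wrapper element around encoded text only.
function renderCell(value) {
  return '<div class="cell">' + escapeHtml(value) + "</div>";
}

// What the copy action hands out: the original value, recovered from the
// encoded cell content rather than the encoded form the user sees in markup.
function valueForCopy(cellHtml) {
  const inner = cellHtml.replace(/^<div class="cell">/, "").replace(/<\/div>$/, "");
  return unescapeHtml(inner);
}

// Constructed samples: the two strings from the report, plus a password that
// itself contains entity-looking text (the round-trip edge case).
const samples = [
  "<script>alert('hi')</script>",
  '<img src="https://ssl.gstatic.com/codesite/ph/images/defaultlogo.png">',
  "p&lt;ss&amp;word<1>",
];

// For each value: is the encoded form free of markup characters, and does
// copying from the rendered cell give back exactly what was stored?
function check(values) {
  return values.map((v) => ({
    encoded: escapeHtml(v),
    inert: !/[<>"']/.test(escapeHtml(v)),
    roundTrip: valueForCopy(renderCell(v)) === v,
  }));
}

console.log(check(samples));
```
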