escape_javascript potentially unsafe values in JS or HTML attributes

agileware-jp / redmine_issue_templates

Redmine Issue Template. Pull requests, reporting issues, stars and sponsoring are always welcome!

GNU General Public License v2.0

65 stars 28 forks source link

Open jkraemer opened 10 months ago

jkraemer commented 10 months ago

in particular, _template_pulldown.html.erb and _issue_select_form.html.erb allowed code injection via the tracker namem, the latter also did not escape is_triggered_by, which comes from a request parameter

jkraemer commented 8 months ago

ping?