https://bugzilla.novell.com/show_bug.cgi?id=450484 Summary: [RC 1.2] Some parts of installation do not escape HTML in proposals, code is then executed Product: openSUSE 11.1 Version: RC 1 Platform: Other OS/Version: Other Status: NEW Severity: Minor Priority: P5 - None Component: YaST2 AssignedTo: jsuchome@novell.com ReportedBy: locilka@novell.com QAContact: jsrain@novell.com CC: coolo@novell.com Found By: --- Created an attachment (id=256958) --> (https://bugzilla.novell.com/attachment.cgi?id=256958) Screenshot - proposal First place I found are Users in first stage. You can enter HTML as the user name and it's then processed as HTML later in proposal. Even if it doesn't make sense for users to try to self-break their system anyhow and even if HTML in user name doesn't make sense at all, it raises a question how other parts of the system are protected and thus makes the system to be seen less reliable than it actually is. Never trust user input is the rule number one ;) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.