3406: output json without html entity escape in script tag

uchi*****@gmai***** (Google Code)
chipx86
June 7, 2014
What version are you running?


What's the URL of the page containing the problem?
https://reviews.reviewboard.org/r/5570/diff/

What steps will reproduce the problem?
1. The name change to "</script><script>alert</scritp>".
2. Add comment for review diff.
3. When view diff, pop up alert.

What is the expected output? What do you see instead?


What operating system are you using? What browser?


Please provide any additional information below.

`{"name": "</script><script> alert(1)</script>"}` is valid JSON.
But it is output into a script tag as-is:
```
<script>
var json = {"name": "</script><script> alert(1)</script>"};
</script>
```

Same as this:
```
<script>
var json = {"name": "
</script>

<script> alert(1)</script>

"};</script>
```

https://code.google.com/p/reviewboard/source/browse/trunk/reviewboard/reviews/templatetags/reviewtags.py#154
https://code.google.com/p/reviewboard/source/browse/trunk/reviewboard/reviews/templatetags/reviewtags.py#202

I think the characters &, < and > should be escaped in the result from simplejson.dumps, or use JSONEncoderForHTML.
https://github.com/simplejson/simplejson/blob/master/simplejson/encoder.py#L353
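Added example (not Review Board's or simplejson's own code): the escaping the report proposes, applied to the payload from the reproduction steps, with a check that counts how many times an HTML parser would close the script block. The U+2028/U+2029 entries are an extra caveat of mine, not part of the report.

```python
import json
import re

# Constructed sample: a user-controlled value containing the payload from the report.
PAYLOAD = {"name": "</script><script> alert(1)</script>"}

# Same idea as simplejson's JSONEncoderForHTML: \u escapes are valid inside JSON
# strings, so the data round-trips unchanged, but the HTML parser never sees a
# literal '<', '>' or '&' and therefore cannot end the <script> block early.
_HTML_SAFE = {
    "&": "\\u0026",
    "<": "\\u003c",
    ">": "\\u003e",
    # Added caveat (not from the report): raw U+2028/U+2029 are legal in JSON
    # strings but are line terminators in JavaScript and break the literal.
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}


def dumps_for_script(obj):
    """Serialise obj to JSON that is safe to embed inside a <script> element."""
    out = json.dumps(obj)
    for ch, esc in _HTML_SAFE.items():
        out = out.replace(ch, esc)
    return out


def render_naive(obj):
    """The pattern the report describes: json.dumps output pasted into a script tag."""
    return "<script>\nvar json = %s;\n</script>" % json.dumps(obj)


def render_safe(obj):
    """Same template, but with the HTML-safe encoder."""
    return "<script>\nvar json = %s;\n</script>" % dumps_for_script(obj)


_CLOSE_TAG = re.compile(r"</script", re.IGNORECASE)


def script_close_count(html):
    """How many times an HTML parser would terminate a script block (1 = intact)."""
    return len(_CLOSE_TAG.findall(html))


if __name__ == "__main__":
    print("naive closes:", script_close_count(render_naive(PAYLOAD)))  # 3
    print("safe closes: ", script_close_count(render_safe(PAYLOAD)))   # 1
    print(render_safe(PAYLOAD))
```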
#1 chipx86
Thanks for the report. In the future, so that we can address these issues before they go public, can you post to security@reviewboard.org?
  • +Started
  • +chipx86
#2 chipx86
Can you e-mail us privately with a name we can use for crediting the find?
#3 chipx86
Fixed in today's Djblets releases.
  • -Started
    +Fixed
#4 uchi*****@gmai***** (Google Code)
Thanks for the fix.

> In the future, so that we can address these issues before they go public, can you post to security@reviewboard.org?

Sorry. I will do so next time.