Log Message: |
Applied fix from trunk for revision: 1848441
===
Fixed: UI bug in scrum component
(OFBIZ-10676)
When editing product backlog items, inserted javascript code was
executed on the client side. The confirmational blinking of the newly
added or changed value was implemented using the .html(value) function
of jQuery. This causes the html to be interpreted and the script to be
executed. But the data is stored, converting it into html, so not
considered to be a vulnerability.
The fix changes the call to .text. This prevents the html to be
interpreted.
Thanks Benjamin Jugl for providing the patch.
|