Opened 8 years ago

Closed 8 years ago

#5620 closed Enhancement (fixed)

Inspector - Clickable urls in Comment field

Reported by: e-moe
Owned by:
Priority: Low
Milestone: 2.83
Component: Web Client
Version: 2.82
Severity: Trivial
Keywords:
Cc:

Description

Often torrents contain URLs in the comment field. Using this patch you can display these links as active (clickable) URLs, not just plain text.

Attachments (4)

inspector.js.patch (348 bytes) - added by e-moe 8 years ago.
/web/javascript/inspector.js.patch
inspector.js.diff (698 bytes) - added by e-moe 8 years ago.
unified diff patch
dom-comment-xss-retest.torrent (359 bytes) - added by cfpp2p 8 years ago.
xss vulnerability
inspector.js.v2.patch (776 bytes) - added by e-moe 8 years ago.
XSS fixed inspector.js.v2.patch


Change History (15)

Changed 8 years ago by e-moe

/web/javascript/inspector.js.patch

comment:1 Changed 8 years ago by mike.dld

Could you please attach a unified diff?

comment:2 Changed 8 years ago by mike.dld

Conflicts with dmitriy's patch in #5385, but here is a better place for such a change.

Changed 8 years ago by e-moe

unified diff patch

comment:3 Changed 8 years ago by e-moe

  • Severity changed from Normal to Trivial

comment:4 Changed 8 years ago by e-moe

Unified diff attached. Waiting for moderator approval.

Changed 8 years ago by cfpp2p

xss vulnerability

comment:5 Changed 8 years ago by cfpp2p

e-moe's patch opens up a major cross-site scripting security vulnerability. Attached is a test torrent that proved the vulnerability when tested with the trunk web client with the patch applied.

http://transmissionbt.net/xss.JPG

To test -- add the torrent, open the inspector, and move the mouse over the lower/bottom "Mouse Over This" of the comment field.

comment:6 Changed 8 years ago by e-moe

cfpp2p, thanks! See my new updated patch.

comment:7 Changed 8 years ago by livings124

e-moe: can you re-upload the file with a different name? Trac is weird like that.

Changed 8 years ago by e-moe

XSS fixed inspector.js.v2.patch

comment:8 Changed 8 years ago by e-moe

livings124, done.

comment:9 Changed 8 years ago by jordan

  • Milestone changed from None Set to 2.83

e-moe, thanks for the patch. I've added v2 to trunk in r14258 for 2.83.

cfpp2p, are you happy with the v2 patch?

comment:10 Changed 8 years ago by cfpp2p

> cfpp2p, are you happy with the v2 patch?

looks good...

;) :)

comment:11 Changed 8 years ago by jordan

  • Resolution set to fixed
  • Status changed from new to closed
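
Added example, not the patch from this ticket (the patch contents are not shown on this page): a sketch of the class of bug discussed above, where turning URLs in an untrusted torrent comment into links lets other markup in the comment reach the page, next to a version that escapes every segment. Function names and the sample comment are constructed for illustration.

```javascript
// Escape the characters that can change HTML context (text or attribute).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Only http(s) URLs are candidates; matching stops at whitespace and at
// characters that could close an attribute or open a tag.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/gi;

// UNSAFE: wraps URLs in <a>, but the rest of the comment is passed through
// unescaped, so assigning the result to innerHTML renders attacker markup.
function linkifyUnsafe(comment) {
  return String(comment).replace(URL_RE,
    (u) => '<a href="' + u + '">' + u + '</a>');
}

// SAFE: walk the raw text, escape every non-URL segment, and escape the URL
// itself before placing it in the href attribute and the link text.
function linkifySafe(comment) {
  const text = String(comment);
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += '<a href="' + url + '" target="_blank" rel="noopener noreferrer">'
         + url + '</a>';
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed sample: a comment mixing a real link with inline markup.
const SAMPLE_COMMENT =
  'Details: http://example.com/a?b=1&c=2 ' +
  '<b onmouseover="x()">Mouse Over This</b>';

console.log(linkifyUnsafe(SAMPLE_COMMENT)); // <b onmouseover=...> survives
console.log(linkifySafe(SAMPLE_COMMENT));   // only the <a> element is markup
```

Where the DOM is available, building the link with createElement and textContent instead of string concatenation avoids the HTML parser for the untrusted parts altogether.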