Bug 482399 - "Leave Message" function allows HTML input
Status: RESOLVED DUPLICATE of bug 494598
Product: gnome-screensaver
Classification: Deprecated
Component: dialog
Version: 2.20.x
Hardware: Other Linux
Importance: Normal major
Target Milestone: ---
Assigned To: gnome-screensaver maintainers
Reported: 2007-10-01 23:30 UTC by michael
Modified: 2007-11-09 21:49 UTC
GNOME target: ---
GNOME version: 2.19/2.20



Description michael 2007-10-01 23:30:28 UTC
The "Leave Message" screensaver function allows someone to enter HTML, and this will be rendered as HTML when the user returns to their computer and unlocks the screen.

This could be a potential issue if future bugs are found in the HTML renderer, or could be used to construct a social engineering attack on the user (as this also allows use of the 'a' tag, and links are fully functional).

Ideally all input should be sanitised, and the < and > brackets should be escaped appropriately, so that any HTML content entered will appear in plain text, with the tags visible.
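The escaping the report asks for, shown as an added C example (not gnome-screensaver's code and not the fix referenced in the duplicate bug): the hypothetical helper `escape_message` replaces markup metacharacters with entities and fails closed when the output buffer is too small. The sample message in `main` is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (illustration only): copy `msg` into `out` with markup
 * metacharacters replaced by entities, so a markup-aware widget displays tags
 * as literal text. `cap` is the size of `out` including the terminating NUL.
 * Returns the escaped length, or -1 if `out` is too small; on failure `out`
 * is emptied so a half-written entity is never displayed. */
long escape_message(const char *msg, char *out, size_t cap)
{
    size_t used = 0;

    if (cap == 0)
        return -1;
    for (const char *p = msg; *p != '\0'; p++) {
        char lit[2] = { *p, '\0' };   /* pass-through for ordinary bytes */
        const char *rep;

        switch (*p) {
        case '&':  rep = "&amp;";  break;  /* first, so entities stay literal */
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;  /* quotes matter inside attributes */
        case '\'': rep = "&#39;";  break;
        default:   rep = lit;      break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > cap) {     /* no room for text plus NUL: fail closed */
            out[0] = '\0';
            return -1;
        }
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return (long)used;
}

int main(void)
{
    /* Constructed sample of a message left on a locked screen. */
    const char *left = "<a href=\"http://example.invalid/\">Click to unlock</a>";
    char shown[256];

    if (escape_message(left, shown, sizeof shown) >= 0)
        printf("%s\n", shown);        /* tags now appear as visible text */
    return 0;
}
```

In a GLib-based program, `g_markup_escape_text()` performs the same escaping.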
Comment 1 William Jon McCann 2007-11-09 21:49:53 UTC
Thanks for taking the time to report this bug.
This particular bug has already been reported into our bug tracking system, but we are happy to tell you that the problem has already been fixed. It should be solved in the next software version. You may want to check for a software upgrade.


*** This bug has been marked as a duplicate of 494598 ***