Security Problem in Etherpad

Pita Poison

Apr 11, 2010, 5:14:35 PM4/11/10
to EtherPad Open Source Discussion
There is a serious security problem in all etherpad versions. It
enables HTML injection into the time-slider. This allows an attacker
to execute arbitrary JavaScript on your domain.

Please fix this bug as soon as possible!

To fix the problem you need to change a single line in
'etherpad/src/static/js/broadcast_slider.js'. You can even do this
live, without restarting etherpad.

Change
nametd.html(author.name || "unnamed");
into
nametd.text(author.name || "unnamed");
around line 141 in the file.

You can see the needed change as a patch here ->
http://github.com/Pita/pad/commit/6f0061961975df9a0c3ebab68386d8d65b706959

Kind Regards
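As an added illustration (not part of the post above and not Etherpad's code), the following models why the one-line change matters: jQuery's .html() interprets the author name as markup, while .text() inserts it as a text node that the browser renders literally. The makeCell() stand-in, escapeHtml() helper, the render functions and the sample author name are all constructed here for the example; real jQuery creates a DOM text node rather than escaping a string, but the observable result for an attacker-controlled name is the same.

```javascript
// Added example: minimal model of the .html() vs .text() difference
// behind the broadcast_slider.js fix. No browser or jQuery needed.

// Escape the characters a browser would otherwise parse as markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stand-in for a jQuery-wrapped <td> (constructed for this example):
// .html() stores markup as-is, .text() stores a literal text rendering.
function makeCell() {
  return {
    innerHTML: "",
    html(markup) { this.innerHTML = String(markup); return this; },
    text(value) { this.innerHTML = escapeHtml(value); return this; },
  };
}

// Vulnerable pattern: the original line treats the author name as HTML,
// so whoever controls author.name controls what the time-slider renders.
function renderNameVulnerable(author) {
  var nametd = makeCell();
  nametd.html(author.name || "unnamed");
  return nametd.innerHTML;
}

// Fixed pattern from the post: the same value is inserted as text.
function renderNameFixed(author) {
  var nametd = makeCell();
  nametd.text(author.name || "unnamed");
  return nametd.innerHTML;
}

// True when the rendered string still contains a raw element tag.
function containsMarkup(html) {
  return /<[a-z]/i.test(html);
}

// Constructed sample input: an author name carrying a markup payload.
var hostileAuthor = { name: "<img src=x onerror=alert(1)>" };

console.log("vulnerable:", renderNameVulnerable(hostileAuthor));
console.log("fixed:     ", renderNameFixed(hostileAuthor));
console.log("fallback:  ", renderNameFixed({}));
```

The check to run after applying the patch is the last one: with the fix in place, containsMarkup() on the rendered name cell must be false for any author name, and the "unnamed" fallback must still appear when the name is missing.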
