From 02aa6ce0a7cd9ef14079a5ee22c175ff9d16ed58 Mon Sep 17 00:00:00 2001
From: David Lawrence
Date: Tue, 8 Mar 2016 14:26:33 +0000
Subject: Bug 1252445 - Tracking flags configuration is vulnerable to CSRF and causes persistent XSS
---
extensions/BugModal/template/en/default/bug_modal/header.html.tmpl | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'extensions/BugModal/template/en')
diff --git a/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl b/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl
index f70e77bb1..84efbd077 100644
--- a/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl
+++ b/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl
@@ -77,7 +77,8 @@
 [%# add tracking flags json if available %]
 [% IF tracking_flags %]
 [% javascript_urls.push("extensions/TrackingFlags/web/js/tracking_flags.js") %]
- TrackingFlags = [% tracking_flags_json FILTER none %];
+ var tracking_flags_str = "[% tracking_flags_json FILTER js %]";
+ var TrackingFlags = $.parseJSON(tracking_flags_str);
 [% END %]
 [%# update last-visited %]
--
cgit v1.2.3-24-g4f1b
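Review bot: The second added line decodes the escaped string with `$.parseJSON`, a jQuery alias that is deprecated since jQuery 3.0 and that makes this inline script depend on jQuery having been loaded before it; the native `JSON.parse` is the direct equivalent and needs no library. Folding both added lines into one, `var TrackingFlags = JSON.parse("[% tracking_flags_json FILTER js %]");`, also drops the `tracking_flags_str` global, which nothing else in the hunk reads. The switch from `FILTER none` to `FILTER js` inside a quoted literal is the right direction, but it is only a complete fix if the `js` filter also neutralizes `<`, `>` and `/` so a `</script>` sequence in a flag name or value cannot end the inline script before the parse runs; the filter's implementation is not in this hunk, so that is worth confirming rather than assumed. The `<script>` element that encloses these lines opens and closes outside the hunk.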