ac029d0a50
Summary: Via HackerOne. We aren't correctly escaping the date, so a user can XSS themselves by setting their date format creatively. This construction is very unusual and I don't think we do anything similar elsewhere, so I can't come up with a systematic change which would prevent this in the general case. Test Plan: Set date format to tag junk, got self-XSS before patch and proper escaping after the patch. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D12117
4.5 KiB
4.5 KiB