
Quotation marks break the edit auction form
Open, High, Public

Description

On YCH, editing an auction with quotation marks in the title breaks the input and truncates the title.
I suspect the system is therefore vulnerable to a mild XSS vector here (considering it requires the user themselves to create the auction).

Event Timeline

cesar triaged this task as High priority. May 10 2020, 8:32 AM
cesar created this task.
cesar created this object with visibility "Public (No Login Required)".
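
The truncation described in this task is the behaviour you get when a stored title is written into the edit form's `value` attribute without HTML-escaping, and escaping on output is the fix for both the truncation and the suspected XSS. The JavaScript below is an added illustration, not code from YCH or from this task. It assumes that cause (the site's templating is not shown here), and the function names and sample title are constructed.

```javascript
// Added illustration; function names and the sample title are constructed.
// Models a template filling the edit-auction form's title field.

// Unsafe: the stored title is concatenated straight into the attribute.
function renderTitleInputUnsafe(title) {
  return '<input type="text" name="title" value="' + title + '">';
}

// Escape the characters that are significant in HTML text and in
// single- or double-quoted attribute values.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Safe: same markup, but the title is escaped at output time.
function renderTitleInputSafe(title) {
  return '<input type="text" name="title" value="' + escapeHtmlAttr(title) + '">';
}

// Minimal stand-in for the browser's attribute parsing: the value ends at
// the first closing double quote; entities are decoded afterwards
// (&amp; last, so already-escaped text is not decoded twice).
function parsedValue(html) {
  const m = /\svalue="([^"]*)"/.exec(html);
  if (!m) return null;
  return m[1]
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// True when the form shows exactly the title that was stored.
function roundTrips(render, title) {
  return parsedValue(render(title)) === title;
}

const sampleTitle = 'Sketch "YCH" slot & extras'; // constructed sample

console.log('unsafe field shows:', JSON.stringify(parsedValue(renderTitleInputUnsafe(sampleTitle))));
console.log('safe field shows:  ', JSON.stringify(parsedValue(renderTitleInputSafe(sampleTitle))));
```

A regression test for the fix can assert the same round trip: save a title containing `"`, `'`, `<`, `>` and `&`, reopen the edit form, and check that the field holds the identical string.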