We're updating the issue view to help you get more done. 

Potential cross-site scripting (XSS) attack in providence

Description

there appears to be a cross-site scripting (XSS) attack in providence

consider:

index.php/system/Error/Show/n/2310?r=foo

the person who supplies the URL can inject arbitrary code in the r
parameter, which is then replayed verbatim to the user.

some modern browsers (e.g. recent builds of chromium) have XSS
mitigations against this sort of attack, so some users won't be directly
vulnerable, but it's still a serious risk.

i haven't checked older versions of providence to know if they're also
vulnerable. I found this while running git commit
582dca1d203241088d76d6379ccdd3c8d480d485.

Environment

None

Assignee

User known

Reporter

Daniel Kahn Gillmor

Labels

None

Components

Fix versions

Affects versions

Priority

Critical
Configure