4.4. Bugzilla

4.4.1. Prevent users injecting malicious JavaScript

It is possible for a Bugzilla user to take advantage of character set encoding ambiguities to inject HTML into Bugzilla comments; that HTML could include malicious scripts. Due to internationalization concerns, we are unable to incorporate by default the code changes suggested by the CERT advisory on this issue. Making the change in Example 4-4 will prevent this problem.

Example 4-4. Forcing Bugzilla to output a charset

Locate the following line in Bugzilla/CGI.pm:
and change it to:
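After making the change, the quickest way to confirm it took effect is to inspect a raw HTTP response from Bugzilla and verify that the Content-Type header now names a charset; without one, the browser guesses the encoding, which is the ambiguity the fix removes. The checker below is an added example, not code from the Bugzilla Guide or the Bugzilla project, and the two sample responses it runs on are constructed.

```python
"""Check whether an HTTP response declares an explicit charset.

Added example (not part of Bugzilla). Feed it the raw bytes of a response
captured from Bugzilla, e.g. with a plain socket or `curl -i`, and it reports
whether the Content-Type header carries a charset parameter.
"""
import re

CHARSET_RE = re.compile(r'charset\s*=\s*"?([A-Za-z0-9_\-]+)"?', re.IGNORECASE)


def parse_headers(raw_response: bytes) -> dict:
    """Return response headers as a lower-cased name -> value dict.

    Only the header block (everything before the first blank line) is parsed;
    the status line is skipped. latin-1 decoding never fails on raw bytes.
    """
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def declared_charset(raw_response: bytes):
    """Return the charset named in Content-Type (lower-cased), or None."""
    ctype = parse_headers(raw_response).get("content-type", "")
    match = CHARSET_RE.search(ctype)
    return match.group(1).lower() if match else None


def check(raw_response: bytes) -> str:
    """Human-readable verdict for the response."""
    charset = declared_charset(raw_response)
    if charset is None:
        return "FAIL: no charset declared; the browser will guess the encoding"
    return f"OK: charset={charset}"


# Constructed sample responses: one as Bugzilla sends it after the fix,
# one without any charset parameter.
FIXED = (b"HTTP/1.1 200 OK\r\n"
         b"Content-Type: text/html; charset=UTF-8\r\n\r\n"
         b"<html><body>bug page</body></html>")
UNFIXED = (b"HTTP/1.1 200 OK\r\n"
           b"Content-Type: text/html\r\n\r\n"
           b"<html><body>bug page</body></html>")

if __name__ == "__main__":
    print(check(FIXED))
    print(check(UNFIXED))
```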