Hey all, another small bug in the new HTML5 client for you ...
If a user has a double quote in the name of a pool ("), it fails to load the associated tab as it does on the Flash chat. See the difference below ...
(Pool tabs working fine on Flash client)
(Two pool tabs failing to load on HTML5 client)
Luckily the failure to load the tabs doesn't seem to be caused by the quotes breaking the HTML client (so no XSS vulnerability is present), instead, it is more than likely that there is some XSS-preventative code somewhere in the JS (I don't have the patience to validate that for such a small bug).
It's obvious that all that needs to be done here is to remove double quotes from the pool names upon saving the chat settings.
Again, a very small bug that doesn't impact anyone as such, but it can all be used to iron out bugs in the HTML5 chat as development progresses.
This bug does have the funny effect of being able to 'lock' someone into a pool though, since if the double quote is in the main pool name, there's no way to return to it.
Thanks
Recommended Comments