<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML ><HEAD ><TITLE >Bugzilla</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK REL="HOME" TITLE="The Bugzilla Guide - 3.6.4 Release" HREF="index.html"><LINK REL="UP" TITLE="Bugzilla Security" HREF="security.html"><LINK REL="PREVIOUS" TITLE="Web server" HREF="security-webserver.html"><LINK REL="NEXT" TITLE="Using Bugzilla" HREF="using.html"></HEAD ><BODY CLASS="section" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >The Bugzilla Guide - 3.6.4 Release</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="security-webserver.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" >Chapter 4. Bugzilla Security</TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="using.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="section" ><H1 CLASS="section" ><A NAME="security-bugzilla" >4.3. Bugzilla</A ></H1 ><DIV CLASS="section" ><H2 CLASS="section" ><A NAME="security-bugzilla-charset" >4.3.1. Prevent users injecting malicious Javascript</A ></H2 ><P >If you installed Bugzilla version 2.22 or later from scratch, then the <EM >utf8</EM > parameter is switched on by default. This makes Bugzilla explicitly set the character encoding, following <A HREF="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3" TARGET="_top" >a CERT advisory</A > recommending exactly this. The following therefore does not apply to you; just keep <EM >utf8</EM > turned on. </P ><P >If you've upgraded from an older version, then it may be possible for a Bugzilla user to take advantage of character set encoding ambiguities to inject HTML into Bugzilla comments. 
This could include malicious scripts. This is because, due to internationalization concerns, we are unable to turn the <EM >utf8</EM > parameter on by default for upgraded installations. Turning it on manually prevents this problem. </P ></DIV ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="security-webserver.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="using.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Web server</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="security.html" ACCESSKEY="U" >Up</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Using Bugzilla</TD ></TR ></TABLE ></DIV ></BODY ></HTML >
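An added check, not part of Bugzilla or of this guide, that a deployment's pages actually carry the explicit character encoding the utf8 parameter is meant to provide. It parses a raw HTTP response (the sample responses are constructed, not captured from a real server) and reports whether the charset is declared in the Content-Type header, in a meta tag, both, or neither; browsers take the header over the tag, and a page declaring neither is the ambiguous state the CERT advisory warns about.

```python
import re

# Charset in a Content-Type header, e.g. "text/html; charset=UTF-8".
HEADER_CHARSET = re.compile(r'charset\s*=\s*"?([\w.:-]+)', re.IGNORECASE)
# Charset in <meta charset="..."> or <meta http-equiv="Content-Type" content="...; charset=...">.
META_CHARSET = re.compile(rb'<meta[^>]*charset\s*=\s*["\']?([\w.:-]+)', re.IGNORECASE)


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def charset_declarations(raw: bytes) -> dict:
    """Report where the response declares its charset.

    'declared' is the encoding a browser will use: the header wins when
    present, otherwise the meta tag; None means the browser has to guess.
    """
    _, headers, body = split_response(raw)
    m = HEADER_CHARSET.search(headers.get("content-type", ""))
    header_cs = m.group(1).lower() if m else None
    m = META_CHARSET.search(body)
    meta_cs = m.group(1).decode("ascii", "replace").lower() if m else None
    conflict = header_cs is not None and meta_cs is not None and header_cs != meta_cs
    return {"header": header_cs, "meta": meta_cs,
            "declared": header_cs or meta_cs, "conflict": conflict}


# Constructed sample responses (not captured from a real Bugzilla server).
BODY = b"<html><head><title>Bug 1</title></head><body>ok</body></html>"
RESPONSE_WITH_CHARSET = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n" + BODY
RESPONSE_WITHOUT_CHARSET = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + BODY
RESPONSE_META_ONLY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><head>"
                      b'<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
                      b"</head><body>ok</body></html>")

if __name__ == "__main__":
    for name, resp in [("header", RESPONSE_WITH_CHARSET), ("none", RESPONSE_WITHOUT_CHARSET),
                       ("meta", RESPONSE_META_ONLY)]:
        r = charset_declarations(resp)
        verdict = "undeclared (browser will sniff)" if r["declared"] is None else r["declared"]
        print(f"{name}: {verdict}{' (header/meta conflict)' if r['conflict'] else ''}")
```

Run it against the output of a real request to your own Bugzilla (for example the bytes returned by an HTTP client for a bug page) to confirm the header carries a charset after the utf8 parameter is turned on.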