4.4. Bugzilla

4.4.1. Prevent users injecting malicious Javascript

If you installed Bugzilla version 2.22 or later from scratch, then the utf8 parameter is switched on by default. This makes Bugzilla explicitly set the character encoding, following a CERT advisory recommending exactly this. The following therefore does not apply to you; just keep utf8 turned on.

If you've upgraded from an older version, then it may be possible for a Bugzilla user to take advantage of character set encoding ambiguities to inject HTML into Bugzilla comments. This could include malicious scripts. This is because due to internationalization concerns, we are unable to turn the utf8 parameter on by default for upgraded installations. Turning it on manually will prevent this problem.