Opened 15 years ago
Closed 15 years ago
#1231 closed defect (fixed)
HTML.encodeTags() should not allow attributes in "safe" tags
| Reported by: | Nicklas Nordborg | Owned by: | Nicklas Nordborg |
|---|---|---|---|
| Priority: | major | Milestone: | BASE 2.9.3 |
| Component: | web | Version: | |
| Keywords: | Cc: |
Description
This can be security issue that opens up for scripting attacks since it is possible to add custom javascript this way. For example:
Do NOT <b onclick="doSomethingEvil()">click here</b>.
Change History (2)
comment:1 by , 15 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 15 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Note:
See TracTickets
for help on using tickets.
(In [4726]) Fixes #1231: HTML.encodeTags() should not allow attributes in "safe" tags