Opened 16 years ago
Closed 16 years ago
#1231 closed defect (fixed)
HTML.encodeTags() should not allow attributes in "safe" tags
| Reported by: | Nicklas Nordborg | Owned by: | Nicklas Nordborg |
|---|---|---|---|
| Priority: | major | Milestone: | BASE 2.9.3 |
| Component: | web | Version: | |
| Keywords: | | Cc: | |
Description
This can be a security issue that opens up for scripting attacks since it is possible to add custom JavaScript this way. For example:
Do NOT <b onclick="doSomethingEvil()">click here</b>.
Change History (2)
comment:1 by , 16 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 16 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
(In [4726]) Fixes #1231: HTML.encodeTags() should not allow attributes in "safe" tags
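The behaviour this ticket describes, as an added Java sketch that is not BASE's own code: both variants encode all markup and then restore a whitelist of "safe" tags, but only the strict one refuses a safe tag that carries attributes. The class name, the method names and the list of safe tags are assumptions.

```java
import java.util.regex.Pattern;

// Added illustration, not the BASE source of HTML.encodeTags().
// Class, method names and the safe-tag list are assumptions.
public class SafeTagEncoder {
    private static final String SAFE = "b|i|u|em|strong";

    // Weak: restores a safe tag together with whatever follows its name,
    // so attributes such as onclick survive the encoding.
    private static final Pattern WITH_ATTRS = Pattern.compile(
        "&lt;(/?(?:" + SAFE + ")\\b.*?)&gt;", Pattern.CASE_INSENSITIVE);

    // Strict: restores only the bare opening or closing tag.
    private static final Pattern BARE_ONLY = Pattern.compile(
        "&lt;(/?(?:" + SAFE + "))&gt;", Pattern.CASE_INSENSITIVE);

    // Encode every markup character first; '&' must go first so the
    // entities produced for '<' and '>' are not encoded twice.
    static String escapeAll(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    static String encodeTagsWeak(String s) {
        return WITH_ATTRS.matcher(escapeAll(s)).replaceAll("<$1>");
    }

    static String encodeTagsStrict(String s) {
        return BARE_ONLY.matcher(escapeAll(s)).replaceAll("<$1>");
    }

    public static void main(String[] args) {
        // Input taken from the ticket description.
        String in = "Do NOT <b onclick=\"doSomethingEvil()\">click here</b>.";
        System.out.println(encodeTagsWeak(in));
        System.out.println(encodeTagsStrict(in));
        System.out.println(encodeTagsStrict("<b>bold</b> and <i>italic</i>"));
    }
}
```

With the strict variant the opening tag of the ticket's example stays encoded and is rendered as text, while the bare `</b>` is restored.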