Forum Discussion

sateesh999
Contributor
5 years ago

"><img src=x onerror=alert('testing')>

Hello,

If I enter alert code or any script into the subject field and, after posting my message, I refresh or click on the home page, then a popup appears and says (testing) with an OK button.

Please let me know how I can disable this popup.

Thanks,

Sateesh.

  • Hi Sateesh,

    Are you an admin in your community? Your permissions are then probably overriding the content filters. Normal users posting active script elements in the subject or body should see any active content getting removed.

      • sateesh999
        Contributor

      Hi Claudius,

      Thanks for your reply.

      I am not an admin, but if any other user injects the script into the subject area then the popup box appears on the page. It's a security issue.

      As per your message, we need to check the content filters, right?


      Thanks.

      Sateesh.

      • Claudius
        Boss

        Yes, I suggest you work directly with the community team in your community to raise this issue and have it investigated.

        It's also important to mention whether you are using the community message editor to post this subject or if you are using the API to get it posted. There are different filters and checks applied for each. Most important is your permission set tied to your role, though.

  • What Claudius said and additionally, it is also very important HOW YOU RENDER your view...are you using out of the box components, custom components or are you rendering the view directly in the frontend via JS (from the API response)? I tested the above and it was not an issue when FreeMarker was used, but when rendering directly from an API response with JS I was able to reproduce it...

    (@Claudius there is actually no difference whether admin or not, the subject field of the post is NOT sanitized properly...which is an issue, the XSS is saved to the DB, the same can be done with the API...that should not be possible...)

    • sateesh999
      Contributor

      Thanks a lot, Claudius and luk.

      I will go through as per your reply and will let you know if I have any queries.


      Regards,

      Sateesh.
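The rendering difference luk describes above (FreeMarker escaping the subject versus custom JS concatenating the raw API field into markup) as an added example; this is not the platform's code, and the message object, field names and ids are constructed for illustration:

```javascript
// Constructed sample mimicking one message object from a community API.
// The subject is the stored payload from the original post; in a real
// deployment the value comes back from the API exactly as it was saved.
const sampleApiMessage = {
  id: 12345,                                  // hypothetical message id
  subject: "\"><img src=x onerror=alert('testing')>",
  author: "sateesh999",
};

// Escape the characters that change meaning inside element content or a
// double-quoted attribute value. Output encoding is done at render time
// because the DB stores the subject unmodified, as the thread notes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the API field is trusted and spliced into markup that
// later goes into innerHTML. The stored payload becomes a live <img> element
// and its onerror handler runs on every page view.
function renderUnsafe(msg) {
  return `<div class="subject" data-author="${msg.author}">${msg.subject}</div>`;
}

// Hardened pattern: every untrusted field is escaped on output, so the
// browser displays the payload as literal text. When building DOM nodes
// directly, element.textContent = msg.subject achieves the same without
// any escaping.
function renderSafe(msg) {
  return `<div class="subject" data-author="${escapeHtml(msg.author)}">` +
    `${escapeHtml(msg.subject)}</div>`;
}

// Reviewer check over a rendered string: flags any tag the template itself
// did not emit (here only <div> and </div> are expected).
function containsForeignTag(html) {
  return /<(?!\/?div\b)[a-z]/i.test(html);
}
```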