Forum Discussion

Contributor

5 years ago

"><img src=x onerror=alert('testing')>

Hello, If I enter alert code or any script into the subject field and after posting my message If I refresh or click on the home page then A popup is showing and says (testing) with an OK button. ...

luk

Boss

5 years ago

What Claudius said and additonally, it is also very important HOW YOU RENDER your view...are you using out of the box components, custom components or are you rendering the view directly in the frontend via JS (from the API response)? I tested the above and it was not an issue when FreeMarker was used, but when rendering directly from an API response with JS I was able to reproduce it...

(@Claudius there is actually no difference if Admin or not, the subject field of the post is NOT sanitized properly...which is an issue, the XSS is saved to the DB, the same can be done with the API...that should not be possible...)

sateesh999
Contributor
5 years ago
Thanks a lot, Claudius and luk
I will go through as per your reply and will let know If I have any queries.

Regards,
Sateesh.

Forum Discussion

"><img src=x onerror=alert('testing')>

Related Content

show only floated messages from the message list

How to prevent cross-site-scripting and XSS?

Iframe integration to quilts

test

Re: Changing the size of the tinyMCE rich text editor

Recent Discussions

Madehgshhhhhhhhhhhhhhhhhh

Connecting Khoros data to CRM (Salesforce)

API v1 docs gone since Atlas migration to Aurora

Does anyone know how to change the display title of Custom Fields in Aurora?

Can someone walk me through authenticating and using Postman with Aurora?