Forum Discussion

Contributor

6 years ago

"><img src=x onerror=alert('testing')>

Hello, If I enter alert code or any script into the subject field and after posting my message If I refresh or click on the home page then A popup is showing and says (testing) with an OK button. ...

luk

Boss

6 years ago

What Claudius said and additonally, it is also very important HOW YOU RENDER your view...are you using out of the box components, custom components or are you rendering the view directly in the frontend via JS (from the API response)? I tested the above and it was not an issue when FreeMarker was used, but when rendering directly from an API response with JS I was able to reproduce it...

(@Claudius there is actually no difference if Admin or not, the subject field of the post is NOT sanitized properly...which is an issue, the XSS is saved to the DB, the same can be done with the API...that should not be possible...)

sateesh999
Contributor
6 years ago
Thanks a lot, Claudius and luk
I will go through as per your reply and will let know If I have any queries.

Regards,
Sateesh.

Forum Discussion

"><img src=x onerror=alert('testing')>

Related Content

Re: Handlebars Context Objects

show only floated messages from the message list

How to prevent cross-site-scripting and XSS?

Iframe integration to quilts

test

Recent Discussions

Join node/group 301 API error

liqlAdmin in khoros aurora graphql API

How do I get the article ID in Freemarker in a TkbArticle?

How to retrieve "Internal reason for ban" field

Tips on keeping stage and prod in alignment?