- Bug
- Resolution: Outdated
- Major
- None
- 4.3.6
- None
To reproduce this incorrect behaviour:
- Choose any textual / HTML property in AdminCentral.
- Double-click on its value.
- If it does not contain any HTML yet, put a tag (e.g. '<i>...</i>') around a word.
- Either click on another entry or press the Enter key to store the new value.
Result: The new value is rendered as HTML, e.g. the <i>word</i> is italicized. Because the value is stored and rendered again for everyone who later views the tree, this is a (mild) case of stored cross-site scripting (XSS): any user who may edit the property can inject markup into the admin interface.
Expected: The new value should be shown as plain text, i.e. the tag characters should appear literally.
Possible reason: The value is not HTML-escaped when it is written into the tree markup, or it is escaped at the wrong point. Escaping belongs at the moment the value is inserted into HTML output, not when it is stored; escaping on input leaves entities in the repository and double-escapes them on display.
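The three cases named above (no escaping, escaping at output, escaping at the wrong point) as an added example in JavaScript. This is not Magnolia's code: the cell markup, the class name mgnlTreeText and all function names are assumptions chosen for illustration, and the input string is constructed from the reproduction steps.

```javascript
// Added example (not Magnolia's code): a toy tree-cell renderer that shows
// where HTML escaping has to happen. The <td> markup, the class name
// "mgnlTreeText" and all function names are assumptions for illustration.

// Escape the five characters that can change meaning in HTML text/attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Decode the entities produced by escapeHtml (single pass, no re-scanning).
// Used only to approximate what the browser would display.
function unescapeHtml(value) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return String(value).replace(/&(amp|lt|gt|quot|#39);/g, (m) => map[m]);
}

// Bug: the stored value is concatenated straight into the markup, so a value
// such as "<i>word</i>" is parsed by the browser as a tag.
function renderCellVulnerable(storedValue) {
  return '<td class="mgnlTreeText">' + storedValue + '</td>';
}

// Fix: escape exactly where the string becomes HTML. The stored value stays
// untouched, so what the editor typed is what is shown, as literal text.
function renderCellFixed(storedValue) {
  return '<td class="mgnlTreeText">' + escapeHtml(storedValue) + '</td>';
}

// Wrong point: escaping before storage. The repository now holds entities
// instead of the typed text, and a renderer that (correctly) escapes on
// output double-escapes them, so the user sees "&lt;i&gt;" literally.
function storeEscaped(typedValue) {
  return escapeHtml(typedValue);
}

// Approximate the cell's visible text outside a DOM: drop tags, decode entities.
function displayedText(cellHtml) {
  const inner = cellHtml.replace(/^<td[^>]*>/, '').replace(/<\/td>$/, '');
  return unescapeHtml(inner.replace(/<[^>]+>/g, ''));
}

// Would the browser act on a raw <i> tag inside the cell content?
function rendersRawTag(cellHtml) {
  return /<i>/.test(cellHtml.replace(/^<td[^>]*>/, ''));
}

// Constructed input, as typed in the reproduction steps above.
const typedValue = 'a <i>word</i> & more';

function demo() {
  return {
    vulnerable: renderCellVulnerable(typedValue),          // tag is live
    fixed: renderCellFixed(typedValue),                    // tag shown literally
    doubleEscaped: renderCellFixed(storeEscaped(typedValue)) // "&amp;lt;i&amp;gt;"
  };
}

console.log(demo());
```

The check to keep in mind when reviewing the fix: the value read back from the repository must equal what the user typed, and the rendered cell must contain that value only in escaped form. If the repository already holds entities, the escaping was moved to the wrong layer.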
Acceptance criteria
- caused by: MAGNOLIA-3205 Full name column in user tree renders full html (Closed)
- is related to: MAGNOLIA-1897 HTML Tags in Page Titles Should Be Escaped in Admin Interface (Closed)