Details
- Improvement
- Resolution: Duplicate
- Neutral
Description
A customer who looked deep into the Form module validation and field value submission raised this topic (SUPPORT-3873):
1. As all inputs in the form module are HTML-escaped to prevent XSS attacks,
a similar approach should also be considered within the AdminCentral forms. In the AdminCentral all form fields are open to XSS attacks.
It would be favorable if the solution used were aligned/comparable to the (new) implementation used in the form module.
2. Which leads to the second point:
He suggests rethinking the XSS HTML escaping implementation currently used in the form module. It might not be the best way to prevent such attacks.
As this topic involves two modules, I created it here in the UI section (point 1 seems more important).
Issue Links
- duplicates: MGNLFORM-236 Html escaping of form fields should be configurable (Closed)