- Bug
- Resolution: Fixed
- Critical
Currently it is possible to inject HTML directly into the Public User Realm via form fields in the default registration form paragraph stkPURRegistrationForm.
Steps to reproduce locally:
- Open a browser and navigate to http://localhost:8080/magnoliaPublic/demo-project/members-area/registration.html
- In the Username field, enter myusername
- In the Password and Password confirmation fields, enter mypassword
- In the Full name field, enter My Full Name <button type="submit">Submit</button>
- In the Email field, enter your email address
- Click the REGISTER button
- Log into AdminCentral on your local public instance: http://localhost:8080/magnoliaPublic/.magnolia
- Navigate to Security -> Public Users -> m -> my -> myusername
- Notice the value in the Full name column is My Fullname (submit button rendered)
Please let me know if you have any questions.
Thanks,
Matt
Acceptance criteria
is related to:
- MGNLPUR-44 use NoHTMLValidator at UsernameValidator (Closed)
- MGNLFORM-46 add no-html validator to prevent html injection to field (Closed)
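The two linked issues describe the fix as a "no-html" validator on the form field. The following is an added illustration of that defence pattern, written for this page and not taken from Magnolia or from the NoHTMLValidator those issues reference: an input-side validator that rejects markup before the value reaches the Public User Realm, combined with output encoding when the stored value is rendered in an admin view. The function and class names (`contains_html`, `validate_full_name`, `register`, `render_cell`, `ValidationError`) and the in-memory `store` standing in for the user realm are assumptions of this example; the rejected sample value is the one from the reproduction steps above.

```python
import html
import re

# Constructed sample input: the Full name value from the report's reproduction steps.
INJECTED_NAME = 'My Full Name <button type="submit">Submit</button>'

# A person's name never legitimately needs angle brackets, so the validator
# rejects them outright instead of trying to recognise "real" tags. That also
# catches unterminated fragments such as 'Alice <button', which browsers
# repair into working markup when rendering. (It also rejects '5 > 3', which
# is the accepted cost of being conservative on a free-text name field.)
_ANGLE_BRACKET = re.compile(r"[<>]")


class ValidationError(ValueError):
    """Raised when a submitted field value fails validation (hypothetical name)."""


def contains_html(value: str) -> bool:
    """No-HTML check: True when the value carries HTML-like markup."""
    return _ANGLE_BRACKET.search(value) is not None


def validate_full_name(value: str) -> str:
    """Server-side validator for the Full name field.

    Client-side checks can be bypassed by posting the form directly, so the
    rejection has to happen here, before anything is written to the realm.
    """
    if contains_html(value):
        raise ValidationError("Full name must not contain HTML markup")
    cleaned = value.strip()
    if not cleaned:
        raise ValidationError("Full name must not be empty")
    return cleaned


def register(username: str, full_name: str, store: dict) -> dict:
    """Simulated registration endpoint: validate first, then persist.

    `store` is an in-memory stand-in for the Public User Realm. Nothing is
    written when validation fails, so a rejected submission leaves no record.
    """
    record = {"username": username, "fullName": validate_full_name(full_name)}
    store[username] = record
    return record


def render_cell(stored_value: str) -> str:
    """Output encoding for an admin table cell.

    Defence in depth: even if a value reached the realm through another write
    path or before the validator existed, the admin view renders it as text,
    so '<button ...>' shows up literally instead of as a clickable control.
    """
    return html.escape(stored_value, quote=True)


if __name__ == "__main__":
    realm = {}
    try:
        register("myusername", INJECTED_NAME, realm)
    except ValidationError as err:
        print("rejected:", err)
    register("myusername", "My Full Name", realm)
    print("stored:", realm["myusername"])
    # Pre-existing bad data still renders harmlessly once the view escapes it.
    print("rendered legacy value:", render_cell(INJECTED_NAME))
```

The validator and the output encoding address different failure modes: the validator keeps new markup out of the realm, while escaping at render time protects the admin view from values that are already there. Neither replaces the other.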