Opened 13 years ago

Closed 13 years ago

#1231 closed defect (fixed)

HTML.encodeTags() should not allow attributes in "safe" tags

Reported by: Nicklas Nordborg Owned by: Nicklas Nordborg
Priority: major Milestone: BASE 2.9.3
Component: web Version:
Keywords: Cc:

Description

This can be security issue that opens up for scripting attacks since it is possible to add custom javascript this way. For example:

Do NOT <b onclick="doSomethingEvil()">click here</b>.

Change History (2)

comment:1 Changed 13 years ago by Nicklas Nordborg

Owner: changed from everyone to Nicklas Nordborg
Status: newassigned

comment:2 Changed 13 years ago by Nicklas Nordborg

Resolution: fixed
Status: assignedclosed

(In [4726]) Fixes #1231: HTML.encodeTags() should not allow attributes in "safe" tags

Note: See TracTickets for help on using tickets.