Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

Description

User input in Journal Article editing text fields etc. is currently NOT escaped.

This allows editors to inject (harmful) code, i.e. going against the CI defined by the template, destroying the whole site layout/design, or even more evil things like injecting XSS code.

In my opinion it's absolutely necessary to escape user input here - maybe except text areas with a WYSIWYG editor, which allow HTML code explicitly.

Injecting HTML code is definitely possible, and I promise that this works for SQL injections, too.
