XSS vulnerability

I was able to insert this code into almost any field on my About Me page:
<script>alert("Hello, XSS!");</script>
The only restriction was the field length.
And the script works and displays an alert. As you may know, a malicious person might get access to a user's session using this.
Is there a way to escape < > chars in the user input?
Answers
You might want to use my plugin:
http://vanillaforums.org/addon/myprofile-plugin
It automatically escapes using Gdn_Format::Text and Gdn_Format::Auto.
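As an added illustration of what the escaping described above does (this is not code from the thread or from the MyProfile plugin), the About Me field is rendered raw and then through htmlspecialchars(); the render_* names are hypothetical, and Gdn_Format::Text is assumed to apply equivalent entity escaping:

```php
<?php
// Added example, not part of the thread or the plugin. The render_* functions
// are hypothetical; Gdn_Format::Text is assumed to escape the same way.

// Constructed sample input: the payload quoted in the question.
$aboutMe = '<script>alert("Hello, XSS!");</script>';

// Vulnerable: the stored value is concatenated straight into the page, so the
// browser parses it as markup and executes the script element.
function render_about_unsafe(string $value): string {
    return '<div class="AboutMe">' . $value . '</div>';
}

// Hardened: every HTML-significant character becomes an entity. ENT_QUOTES
// also converts ' and " so the value stays inert inside attributes, and the
// explicit charset avoids multibyte sequences slipping past the escaper.
function escape_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_about_safe(string $value): string {
    return '<div class="AboutMe">' . escape_html($value) . '</div>';
}

// The same value in an attribute context needs the quote escaping too,
// otherwise a bare " in the input would close the attribute early.
function render_about_attr(string $value): string {
    return '<a title="' . escape_html($value) . '" href="/profile">About</a>';
}

// Self-check: the escaped output must contain no raw tag or quote characters.
$safe = render_about_safe($aboutMe);
assert(strpos($safe, '<script') === false);
assert(strpos(render_about_attr($aboutMe), '"Hello') === false);

echo render_about_unsafe($aboutMe), PHP_EOL;
echo $safe, PHP_EOL;
echo render_about_attr($aboutMe), PHP_EOL;
```

Escaping must happen at output time for every place the field is printed; storing the raw value is fine as long as no template emits it unescaped.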
@zodiacdm
grep is your friend.
@x00
Thanks, I've posted a report on your plugin page.