
XSS vulnerability

This discussion is related to the AboutMe addon.
estest New
edited May 2012 in Vanilla 2.0 - 2.8

I was able to insert this code into almost any field on my About Me page:

<script>alert("Hello, XSS!");</script>

The only restriction was the field length.
And the script works and displays an alert. As you may know, a malicious person might gain access to a user's session using this.

Is there a way to escape < > chars in the user input?
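The fix the question asks for is HTML output encoding: the stored profile text is left as the user typed it, and every place the template prints it converts `<`, `>`, `&` and quotes into entities so the browser treats them as text rather than markup. The following is an added example written for this thread, not code from the original post or from the AboutMe addon; the field names, `escapeForHtml` and `renderAboutMeField` are illustrative, and the sample value is constructed from the payload quoted above.

```php
<?php
// Added example (not part of the AboutMe addon): escape user-supplied
// profile text at render time so it is displayed, not executed.

/**
 * Escape a string for insertion into HTML element content or a
 * double-quoted attribute value. ENT_QUOTES escapes both ' and " so the
 * helper is also safe inside attributes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of returning an empty string, which would
 * otherwise silently drop the value; the explicit charset avoids relying
 * on the server's default.
 */
function escapeForHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render one "About Me" field. The wrapper markup is trusted template
 * code; the label and value are untrusted and pass through the escaper.
 */
function renderAboutMeField(string $label, string $value): string
{
    return '<div class="AboutMeField"><strong>' . escapeForHtml($label)
         . ':</strong> <span>' . escapeForHtml($value) . '</span></div>';
}

// Constructed sample input: the payload quoted in the post.
$payload = '<script>alert("Hello, XSS!");</script>';

// Vulnerable pattern (what the post describes): the raw value is
// concatenated into the page, so the browser parses and runs the script.
$vulnerable = '<span>' . $payload . '</span>';

// Hardened pattern: the same value rendered through the escaper. The
// output contains &lt;script&gt; rather than <script>, so nothing runs.
$safe = renderAboutMeField('Location', $payload);

echo "Vulnerable: {$vulnerable}\n";
echo "Escaped:    {$safe}\n";
```

Two points worth keeping in mind when applying this to an addon. First, escape on output rather than on input: stored text stays intact for editing and for other output formats, and every view is protected regardless of which path wrote the row. Second, `htmlspecialchars` is only correct for HTML body and quoted-attribute context; a value placed inside a `<script>` block, a URL, or an event-handler attribute needs that context's own encoding, so the simplest safe rule is not to put user text in those positions at all.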
