
XSS vulnerability

This discussion is related to the AboutMe addon.
estest New
edited May 2012 in Vanilla 2.0 - 2.8

I was able to insert this code into almost any field on my About Me page:

<script>alert("Hello, XSS!");</script>

The only restriction was the field length.
And the script works and displays an alert. As you may know, a malicious person might get access to a user's session using this.

Is there a way to escape < > chars in the user input?

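On the question in the post above, the usual fix is to escape each profile value at the point it is written into the page. The following is an added example, not part of the original post and not the AboutMe addon's code; the function names, field names and sample profile are hypothetical and constructed for illustration.

```php
<?php
// Added example: escape profile fields when they are written into HTML.
// Function names, field names and the sample profile are constructed,
// not taken from the AboutMe addon.

/** Escape a value for an HTML text node or a quoted attribute value. */
function esc_html(string $value): string
{
    // ENT_QUOTES encodes both ' and " in addition to & < >.
    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of
    // returning an empty string for the whole value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render profile fields as a definition list; labels and values are escaped. */
function render_about_me(array $fields): string
{
    $html = "<dl class=\"AboutMe\">\n";
    foreach ($fields as $label => $value) {
        $html .= '  <dt>' . esc_html((string) $label) . '</dt>'
               . '<dd>' . esc_html((string) $value) . "</dd>\n";
    }
    return $html . "</dl>\n";
}

// Constructed sample input; "Interests" holds the string from the post.
$profile = [
    'Location'  => 'Berlin',
    'Quote'     => 'Tom & "Jerry"',
    'Interests' => '<script>alert("Hello, XSS!");</script>',
];

// The stored value is left unchanged; it is encoded only on output,
// so the browser shows it as text and does not execute it.
echo render_about_me($profile);
```

Escaping on output keeps the stored data intact and covers every field regardless of its length limit, which is why it is preferred over stripping `<` and `>` from input.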