Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

XSS vulnerability

estest New
edited May 2012 in Vanilla 2.0 - 2.8

I was able to insert this code into almost any field on my About Me page:

<script>alert("Hello, XSS!");</script>

The only restriction was the field length.
And the script works and displays alert. As you could know malicious person might get access to a user's session using this.

Is there a way to escape < > chars in the user input?



Sign In or Register to comment.