There is an XSS exploit in RC1 in the descriptions textarea for
products, invoices and sales orders at least, it also works in the
mailing street field area and allows me to pull global variables (which
are many). It does _not_ work in the terms and conditions textarea,
that area correctly strips the <script> tag.
Should we still allow other HTML in these descriptions areas? I vote
yes. It works great and adds extra power for features like the joomla
products integration and it's easier to strip this out when it gets in
the way (like pdf's).
Get started with creating presentations online - http://zohoshow.com?vt