XSS in RC1

Matthew Brichacek
There is an XSS exploit in RC1 in the descriptions textarea for
products, invoices and sales orders at least. It also works in the
mailing street field area and allows me to pull global variables (which
are many).  It does _not_ work in the terms and conditions textarea;
that area correctly strips the <script> tag.

Should we still allow other HTML in these description areas?  I vote
yes.  It works great and adds extra power for features like the Joomla
products integration, and it's easier to strip this out when it gets in
the way (like PDFs).

