Same as #1661. This thing is available only to administrators. This is related to the HTML Purifier settings. Administrators have more permissions than regular users.
JavaScript somehow needs to be disabled in HTMLPurifier for admins too.
<script> tags are disabled in HTMLPurifier for admins too
Creating blacklists is not best practice; you should use a whitelist. For example, if you disable the <script> tag, the payload <img src=x onerror=alert(1)> will still work.
For a comprehensive list, check out the DOMPurify allowlist.
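To make the blacklist-versus-allowlist point concrete, here is an added example in Python (not code from this project or from anyone in the thread). It contrasts a deny-list filter that strips only <script> elements with an allowlist filter built on the standard library's html.parser, and runs both over the payload quoted in the comment above. The allowed tag/attribute table, the URL-scheme rule and the two `*_sanitize` function names are assumptions made for the demo.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample input: the payload from the comment above, wrapped in a paragraph.
PAYLOAD = '<p>hello</p><script>alert(1)</script><img src=x onerror=alert(1)>'

# Assumed allowlist for the demo: element -> attributes permitted on it.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
URL_ATTRS = {"href", "src"}            # attributes whose value is a URL
SAFE_SCHEMES = {"", "http", "https"}   # "" = relative URL
VOID = {"br", "img"}                   # elements that never get a closing tag
RAW_TEXT = {"script", "style"}         # content of these is code, never user text


class _Serializer(HTMLParser):
    """Re-serialises the parsed stream; subclasses decide what to keep."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element whose content is dropped

    def emit_start(self, tag, attrs):
        parts = [tag] + [f'{n}="{escape(v or "", quote=True)}"' for n, v in attrs]
        self.out.append("<" + " ".join(parts) + ">")

    def emit_end(self, tag):
        if tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        return "".join(self.out)


class BlacklistFilter(_Serializer):
    """Deny-list: remove <script> and its content, pass everything else through."""
    DENY = {"script"}

    def handle_starttag(self, tag, attrs):
        if tag in self.DENY:
            self.skip_depth += 1
        elif not self.skip_depth:
            self.emit_start(tag, attrs)  # onerror=... survives untouched

    def handle_endtag(self, tag):
        if tag in self.DENY:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.emit_end(tag)


class AllowlistFilter(_Serializer):
    """Allowlist: keep only known elements, known attributes and safe URL schemes."""

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            return
        if tag not in ALLOWED:
            if tag in RAW_TEXT:
                self.skip_depth += 1  # drop the code inside <script>/<style> too
            return  # unknown tag dropped; its text content is kept as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # onerror, onclick, style, ... are never on the list
            if name in URL_ATTRS and urlsplit(value or "").scheme.lower() not in SAFE_SCHEMES:
                continue  # javascript:, data:, vbscript: URLs dropped
            kept.append((name, value))
        self.emit_start(tag, kept)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED:
            self.emit_end(tag)


def _run(parser_cls, html):
    p = parser_cls()
    p.feed(html)
    p.close()
    return p.result()


def blacklist_sanitize(html: str) -> str:
    return _run(BlacklistFilter, html)


def allowlist_sanitize(html: str) -> str:
    return _run(AllowlistFilter, html)


if __name__ == "__main__":
    print("blacklist:", blacklist_sanitize(PAYLOAD))  # onerror handler still present
    print("allowlist:", allowlist_sanitize(PAYLOAD))  # only <p> and <img src> remain
```

The allowlist is plain data (element to attribute set), so reviewing what can reach the page is a matter of reading one table, and URL-valued attributes get their own scheme check because `href="javascript:..."` is an attribute value, not a tag, and a tag-level list would never see it.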
Hello, we found the stored XSS.
Tested on the latest version, 0.9.20.
PoC: