HTML Injection not filtered correctly #4291

Status: Closed
Reported by: @naxonez

Description

Hi,

You have an HTML injection in the "url" field of the external calendar. You only need to edit the url parameter to something like: http://">< h1>injection< /h1> to see the HTML injection.

Regards

[screenshot: untitled]

I see other fields, like the bank name, that are susceptible to HTML injection, because fields are not correctly parsed to avoid this issue:

[screenshot]
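As an added illustration, not part of the report above and not the project's own code: the two rendering paths a maintainer would compare when fixing this class of bug. The unsafe function writes the field value straight into an attribute, which is what lets the reported payload close the attribute and open an h1 tag; the safe functions escape the value for the attribute and text contexts with Python's html.escape. The markup, the field names and the tag-scanning check are assumptions made for the example; the payload is the one from the report, with the spaces that were only there to stop the issue tracker from rendering it removed.

```python
import html
import re

# Payload from the report above (spaces inside the tags removed; they were
# assumed to be there only to keep the tracker from rendering the markup).
REPORTED_PAYLOAD = 'http://"><h1>injection</h1>'

# Hypothetical template fragment: how the field reaches the page when the
# value is inserted without escaping. The closing quote in the payload ends
# the attribute and everything after it is parsed as markup.
def render_url_unsafe(url: str) -> str:
    return f'<input type="text" name="url" value="{url}">'

# Same fragment with attribute-context escaping. html.escape(quote=True)
# (the default) turns " and ' into entities as well as < > &, so the value
# can no longer terminate the attribute or start a tag.
def render_url_safe(url: str) -> str:
    return f'<input type="text" name="url" value="{html.escape(url, quote=True)}">'

# Text context, e.g. a bank name shown in a table cell: escaping < > &
# is what matters here, but the same call covers both contexts.
def render_text_unsafe(bank_name: str) -> str:
    return f'<td>{bank_name}</td>'

def render_text_safe(bank_name: str) -> str:
    return f'<td>{html.escape(bank_name)}</td>'

# Rough tag scanner used only to make the difference checkable: it reports
# the names of any tags in the rendered output that the template itself
# does not emit. It is not an HTML parser and is not a sanitizer.
TAG_RE = re.compile(r'<\s*/?\s*[a-zA-Z][^>]*>')
NAME_RE = re.compile(r'<\s*/?\s*([a-zA-Z0-9]+)')

def injected_tags(rendered: str, allowed: tuple) -> list:
    found = []
    for match in TAG_RE.finditer(rendered):
        name = NAME_RE.match(match.group(0)).group(1).lower()
        if name not in allowed:
            found.append(name)
    return found

if __name__ == "__main__":
    for label, out in (("unsafe", render_url_unsafe(REPORTED_PAYLOAD)),
                       ("safe", render_url_safe(REPORTED_PAYLOAD))):
        print(label, out, injected_tags(out, ("input",)))
```

The point of the two pairs is that the fix is applied at output time and per context: a value that is safe inside an attribute after attribute escaping would still need text escaping when shown in a cell, so every place a stored field is written into the page needs the escape call, which is exactly the gap the second screenshot in the report points at.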

Labels

Priority - High / Blocking: This is a security hole or a bug that makes a feature not possible to use, or a very expected feature.
Priority - Security: This is a bug identified as a security bug.