Admin: Escape ticket excerpt on Tickets screen to avoid XSS.
An attacker could submit the following payload via `[supportflow_submissionform]` to perform cross-site scripting:
`<script>alert('XSS');</script>`
That attack has a CVSS score of 6.1 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Props https://hackerone.com/whitehatter for discovering and disclosing responsibly.
Fixes https://hackerone.com/reports/145091
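The commit message above describes the defect (a user-supplied ticket excerpt written into the admin Tickets screen without escaping) and the fix (escape it on output). The following PHP is an added illustration of that pattern, not code from the commit or from the SupportFlow plugin: the function names, the table-cell markup and the sample excerpt are assumptions made for the example. It renders the same excerpt once unescaped and once through `htmlspecialchars()`, which is what WordPress's `esc_html()` wraps.

```php
<?php
// Added example (not SupportFlow's own code): the same ticket excerpt
// rendered unescaped and then escaped. Function names are hypothetical.

// Constructed sample: excerpt text submitted through the public form,
// using the payload quoted in the commit message.
$excerpt = "<script>alert('XSS');</script>";

// Vulnerable pattern: the excerpt is concatenated straight into the page.
// The browser parses the tag and runs the script in the viewing admin's session.
function render_excerpt_unsafe(string $excerpt): string {
    return '<td class="excerpt">' . $excerpt . '</td>';
}

// Fixed pattern: HTML-escape at the point of output. htmlspecialchars() turns
// <, >, &, " and ' into entities, so the browser shows the text as text.
// In WordPress code the equivalent helper is esc_html().
function render_excerpt_safe(string $excerpt): string {
    return '<td class="excerpt">'
        . htmlspecialchars($excerpt, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</td>';
}

// Small check used to compare the two renderings: does the output still
// contain an opening <script tag that a browser would parse?
function contains_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

echo render_excerpt_unsafe($excerpt), PHP_EOL;
echo render_excerpt_safe($excerpt), PHP_EOL;

var_dump(contains_script_tag(render_excerpt_unsafe($excerpt)));
var_dump(contains_script_tag(render_excerpt_safe($excerpt)));
```

The point to take from the comparison is where the escaping happens: on output, in the code that builds the HTML, rather than on input. Escaping at input time would have to guess every context the excerpt will later appear in, whereas escaping in the render function is correct for the HTML body context regardless of how the value was stored.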