This repository has been archived by the owner on Nov 3, 2023. It is now read-only.
Form input placeholder value is not escaped #8505
Comments
barrystaes changed the title "Form input placeholder value is not escaped" to "Form input placeholder value is not properly escaped" (Sep 24, 2016)
barrystaes changed the title "Form input placeholder value is not properly escaped" to "Form input placeholder value is not escaped" (Sep 24, 2016)
Mildly interesting, but I noticed that Chrome did interpret this as such:
Fixed in 49d2add.
leofeyer added a commit that referenced this issue (Oct 26, 2016)
jsonn pushed a commit to jsonn/pkgsrc that referenced this issue (Oct 27, 2016)
### 4.2.5 (2016-10-27)
* Unlock members after password change (see contao/core#8545).
* Register an alias for the language fallback page model (see contao/core#8544).
* Correctly calculate the maximum length of tl_files.name (see contao/core#8536).
* Correctly add the headline if a content element is versionized (see contao/core#8502).
* Optimize the DCA sorting filter for date fields (see contao/core#8485).
* Do not show version entries of deleted files (see contao/core#8480).
* Redirect the empty URL depending on language and alias name (see contao/core#8498).
* Apply `specialchars()` to widget attributes (see contao/core#8505).
* Queue the requests when rebuilding the search index (see contao/core#8449).
* Correctly determine the form field names in the file manager (see #600).
* Correctly show the maximum file size in the form upload widget (see #595).
* Correctly encode e-mail addresses in the text element (see #594).
* Do not parse front end templates twice (see #599).
* Correctly set host and scheme in the URL generator (see #592).
* Correctly reload the page and file trees in "edit multiple" mode.
* Correctly normalize the paths in the symlink command.
In Contao v3.5.16 when setting a placeholder value for a Security Question input, I noticed that it wasn't escaped properly. This results in mangled HTML or injections even.
I entered this as placeholder value:
Uw antwoord om te bevestigen dat u geen "spam bot" bent
And saw this in the HTML for visitors:
The same problem may exist for other form types, I have not tested further.
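To illustrate the report above, here is an added example (not code from Contao or from the reporter) that renders the same placeholder text into an input attribute both unescaped and escaped, then parses each fragment back to show which one keeps the attribute intact. It assumes PHP's built-in `htmlspecialchars()` stands in for Contao's `specialchars()`; the function names and the `DOMDocument` round-trip check are this example's own.

```php
<?php
// Added example, not Contao's own code: why an unescaped placeholder breaks
// the attribute, and how encoding it (here with PHP's htmlspecialchars(),
// standing in for Contao's specialchars()) fixes it.

// Placeholder text from the report; the embedded double quotes are the problem.
$placeholder = 'Uw antwoord om te bevestigen dat u geen "spam bot" bent';

// Vulnerable: the raw value is dropped into a double-quoted attribute, so the
// first " ends the attribute and everything after it is parsed as markup.
function renderVulnerable(string $placeholder): string
{
    return '<input type="text" name="question" placeholder="' . $placeholder . '">';
}

// Hardened: encode &, <, >, " and ' before interpolating. ENT_QUOTES matters
// because a single-quoted attribute would otherwise still be breakable.
function renderEscaped(string $placeholder): string
{
    $safe = htmlspecialchars($placeholder, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="question" placeholder="' . $safe . '">';
}

// Round-trip check: parse the fragment the way a browser would and read the
// placeholder attribute back. Only the escaped version returns the original.
function readBackPlaceholder(string $html): string
{
    libxml_use_internal_errors(true);            // silence parser recovery warnings
    $dom = new DOMDocument();
    $dom->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $input = $dom->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('placeholder');
}

$variants = [
    'vulnerable' => renderVulnerable($placeholder),
    'escaped'    => renderEscaped($placeholder),
];
foreach ($variants as $label => $html) {
    $state = readBackPlaceholder($html) === $placeholder ? 'intact' : 'broken';
    echo str_pad($label, 11), $state, PHP_EOL, '  ', $html, PHP_EOL;
}
```

The same encoding must be applied to every widget attribute that carries user-supplied text, which is what the 4.2.5 changelog entry "Apply `specialchars()` to widget attributes" refers to.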