Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
XSS on admin login page #639
The :email and :password variables are not escaped in the Admin controller. Also GET vars can be used where only POST should be used.
might help, but I haven't tried it.
Example for this XSS (view in Firefox or Opera or IE, Webkit filters this kind of XSS):