demos contain cross site scripting #5
All the online demos are very simple, but you can update them to strip all HTML/XML scripts. The online chat demo (http://brookframework.org/demos/others/chat/cgi1.fbf) doesn't allow HTML/XML scripts, please test it. Can you open a pull request with updated demos? We would be very grateful! :) PS. In the chat demo I used the
I'll require some time to learn the code, and I'll fork the project and add it :)
I fully agree. :) Please feel free to implement it.
Fixed (47e1455). Please test it and close if OK. ;) Thank you! :) PS. I'll update the online demos soon.
Thank you. You do not have to strip HTML elements, just escape them :)
When adding HTML/XML code to the input (such as ), it does not escape the code, and embeds it as if it were JavaScript code.
I expect any input to have been escaped to its literal HTML representation, unless that specific location was configured to keep it "as-is".
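The fix the thread settles on, escaping untrusted chat text at the point where it is embedded in HTML rather than stripping tags, as an added Free Pascal example that is not code from the Brook framework or its demos. `HtmlEscape` and `ChatLine` are hypothetical helpers; the sample messages are constructed.

```pascal
{ Added example, not Brook framework code. HtmlEscape and ChatLine are
  hypothetical helpers showing the recommended fix: escape untrusted
  text before embedding it in HTML instead of stripping tags, so that
  "1 < 2" survives unchanged while markup is rendered inert. }
program EscapeDemo;

{$mode objfpc}{$H+}

uses
  SysUtils;

{ Replace the five characters with special meaning in HTML text and
  attribute contexts by their character references. }
function HtmlEscape(const S: string): string;
var
  C: Char;
begin
  Result := '';
  for C in S do
    case C of
      '&': Result := Result + '&amp;';
      '<': Result := Result + '&lt;';
      '>': Result := Result + '&gt;';
      '"': Result := Result + '&quot;';
      '''': Result := Result + '&#39;';
    else
      Result := Result + C;
    end;
end;

{ Build one chat line. Only the nickname and message are untrusted;
  the surrounding markup comes from the template and stays as-is. }
function ChatLine(const Nick, Msg: string): string;
begin
  Result := '<li><b>' + HtmlEscape(Nick) + '</b>: ' + HtmlEscape(Msg) + '</li>';
end;

begin
  { Constructed sample: a message that contains markup. }
  WriteLn(ChatLine('ana', '<script>alert(1)</script>'));
  { Constructed sample: a literal "<" that tag stripping would damage. }
  WriteLn(ChatLine('bob', '1 < 2 && "ok"'));
end.
```

Escaping is applied per output context; the helper above covers HTML text and quoted attribute values, while a value placed inside a script block or URL would need the escaping rules of that context instead.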