
XSS Vulnerability

description

The Back Office Dashboard and the comments list are both vulnerable to injected JavaScript. The input needs to be encoded before it's written to the page. I will submit a patch shortly.

comments

relaxt wrote May 15, 2012 at 3:06 PM

usercontrols/ucomment/ucommentmoderation.ascx - line 98 - 111:

<div class="comment-data">
  <p class="comment-author">
    <strong><%# System.Web.HttpUtility.HtmlEncode(Eval("name").ToString()) %></strong>
    <br/>
    <%-- the href is single-quoted, so this relies on HtmlEncode encoding the apostrophe as &#39;, which it does from .NET 4 onwards --%>
    <a href='mailto:<%# System.Web.HttpUtility.HtmlEncode(Eval("email").ToString()) %>'><%# System.Web.HttpUtility.HtmlEncode(Eval("email").ToString()) %></a>
  </p>
  <p>
    <%-- encode first, then turn newlines into <br/>; doing the Replace before HtmlEncode would encode the <br/> tags themselves and show them as literal text --%>
    <%# System.Web.HttpUtility.HtmlEncode(Eval("comment").ToString()).Replace("\n", "<br/>") %>
  </p>
  <p>
    On <%# GetPageDetails(Eval("nodeid")) %>, <%# Eval("created") %>
  </p>
</div>
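The rule stated in the description (encode every untrusted value before it is written to the page) and the encode-then-`<br/>` ordering in the markup above, as an added example that is not code from the uComment project or from relaxt's patch: a minimal C# rendering of one moderation row, the unsafe form beside the encoded form. The type and method names (CommentRow, RenderUnsafe, RenderSafe) and the sample values are assumptions made for this example.

```csharp
// Added example, not uComment code. Renders one comment row two ways so the
// difference in output can be seen side by side on a payload-bearing comment.
using System;
using System.Net;

public class CommentRow
{
    // Assumed shape: the three user-supplied fields the moderation view shows.
    public string Name { get; set; }
    public string Email { get; set; }
    public string Comment { get; set; }
}

public static class CommentRenderer
{
    // Vulnerable: raw values go straight into the HTML, so a comment body of
    // "<script>...</script>" runs in the moderator's browser when the list loads.
    public static string RenderUnsafe(CommentRow row)
    {
        return "<p class=\"comment-author\"><strong>" + row.Name + "</strong><br/>"
             + "<a href=\"mailto:" + row.Email + "\">" + row.Email + "</a></p>"
             + "<p>" + row.Comment.Replace("\n", "<br/>") + "</p>";
    }

    // Hardened: every untrusted value is HTML-encoded before it is written.
    // WebUtility.HtmlEncode turns < > & " and ' into entities, so a value can
    // neither open a tag in text content nor break out of the quoted href.
    // The comment body is encoded FIRST and only then has newlines turned into
    // <br/>; the other order would encode the <br/> tags into literal text.
    public static string RenderSafe(CommentRow row)
    {
        string name  = WebUtility.HtmlEncode(row.Name);
        string email = WebUtility.HtmlEncode(row.Email);
        string body  = WebUtility.HtmlEncode(row.Comment).Replace("\n", "<br/>");
        return "<p class=\"comment-author\"><strong>" + name + "</strong><br/>"
             + "<a href=\"mailto:" + email + "\">" + email + "</a></p>"
             + "<p>" + body + "</p>";
    }

    // Quick check a reviewer can run over rendered output: no input-derived
    // angle bracket or quote survives unencoded; only the <br/> we add is present.
    public static bool ContainsOnlyOurMarkup(string html, string[] inputs)
    {
        foreach (string raw in inputs)
        {
            if (raw.IndexOfAny(new[] { '<', '>', '"', '\'' }) >= 0 && html.Contains(raw))
                return false;
        }
        return true;
    }

    public static void Main()
    {
        // Constructed sample input: a payload in every field, plus a newline in the body.
        var row = new CommentRow
        {
            Name    = "<script>alert(1)</script>",
            Email   = "a@b.c\" onmouseover=\"alert(2)",
            Comment = "line one\n<img src=x onerror=alert(3)>",
        };
        string[] inputs = { row.Name, row.Email, row.Comment };

        string unsafeHtml = RenderUnsafe(row);
        string safeHtml   = RenderSafe(row);

        Console.WriteLine("unsafe: " + unsafeHtml);
        Console.WriteLine("safe:   " + safeHtml);
        Console.WriteLine("unsafe passes check: " + ContainsOnlyOurMarkup(unsafeHtml, inputs)); // False
        Console.WriteLine("safe passes check:   " + ContainsOnlyOurMarkup(safeHtml, inputs));   // True
    }
}
```

In the hardened output the body renders as `line one<br/>&lt;img src=x onerror=alert(3)&gt;`, which is what the `.ascx` expression above produces once the Replace is moved outside the HtmlEncode call; the mailto attribute stays intact because the embedded `"` becomes `&quot;`.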
