Live Comment Preview
[resolved] XSS in 2.0.1 (2 posts)

  1. Busindre
    Posted 3 years ago

    Hi Brad.
    HTML tags are not stripped from the preview in the fields "Name" and "Web site". I think that HTML tags should not be allowed.

    XSS example: <iframe src="http://ha.ckers.org/scriptlet.html">
    Thank you.


  2. Brad Touesnard
    Plugin Author

    Posted 2 years ago

    Before the quote appears on the site for everyone else, it is run through the usual server-side filters to strip tags and whatever else is usually done. Yes, the user could inject an iframe or whatever other HTML they like on their own screen, but it will be stripped when they submit their comment and will not show up for others. Therefore, it's not an XSS vulnerability.
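Whatever label one puts on it, the behaviour reported above (markup typed into "Name" or "Web site" being rendered in the preview) goes away if the preview escapes each field before building its markup. The following is an added example, not the plugin's own code; the preview template and field names are assumed.

```javascript
// Added example (not the Live Comment Preview plugin's code): build the preview
// markup from the commenter's fields with HTML-escaping, so tags typed into
// "Name" or "Web site" appear as literal text instead of being rendered.
// String-based so it runs in Node; in a browser the result would be assigned
// to the preview element's innerHTML (or each field set via textContent).

// The five characters that matter in HTML text and attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe preview: interpolates the raw field values (the behaviour reported in the thread).
// Template structure is an assumption, not the plugin's actual markup.
function renderPreviewUnsafe(fields) {
  return `<div class="comment-preview"><cite>${fields.name}</cite> ` +
    `<span class="url">${fields.website}</span><p>${fields.comment}</p></div>`;
}

// Hardened preview: every field passes through escapeHtml before interpolation.
function renderPreviewSafe(fields) {
  return `<div class="comment-preview"><cite>${escapeHtml(fields.name)}</cite> ` +
    `<span class="url">${escapeHtml(fields.website)}</span><p>${escapeHtml(fields.comment)}</p></div>`;
}

// Check helper: strip the template's own tags; any '<' left over came from user input.
const TEMPLATE_TAGS = /<\/?(div|cite|span|p)\b[^>]*>/g;
function leaksUserMarkup(html) {
  return html.replace(TEMPLATE_TAGS, '').includes('<');
}

// Constructed sample input mirroring the report: an iframe typed into the Name field,
// plus an attribute-breaking value in the Web site field.
const SAMPLE_FIELDS = {
  name: '<iframe src="http://ha.ckers.org/scriptlet.html">',
  website: 'https://example.com/"><b>x</b>',
  comment: 'Nice post & thanks',
};

console.log('unsafe leaks markup:', leaksUserMarkup(renderPreviewUnsafe(SAMPLE_FIELDS))); // true
console.log('safe leaks markup:  ', leaksUserMarkup(renderPreviewSafe(SAMPLE_FIELDS)));   // false
```

This only covers the client-side preview; the server-side stripping on submit that the author describes is a separate layer and is not replaced by it.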
