Fixed Template name is not escaped

TickTackk

TickTackk

Well-known member
If you copy
Code: 
<script>alert("meow")</script>
and paste it in title of a template, you will get a alert which I believe should be escaped before setting the title name in tabs.
 
This is fixed now, including a case where an error message would print it back unescaped. It doesn't appear that anything nefarious can be done though as the value can only be controlled by typing directly into the template title and the value can't actually be saved because it's not a valid template name.
 

Similar threads

K
Duplicate Content containing hash is not embedded
Replies
2
Views
193
Kirby
K
Stan
  • Question Question
Import from VB 4 - The table prefix or database name is not correct.
Replies
1
Views
822
MesterPerfect
MesterPerfect
X
Duplicate Style Properties are not escaped when XML files are produced
Replies
2
Views
521
Mike
Mike
K
Fixed Admin: Thread Prefix List display not escaped
Replies
2
Views
932
Kier
Kier
Mr Lucky
Fixed Upgrade doesn't correct template name in notice page criteria.
Replies
2
Views
538
Chris D
Chris D
Back
Top Bottom