
Fixed Template name is not escaped

Discussion in 'Resolved Bug Reports' started by batpool52!, Feb 17, 2015.

  1. batpool52!

    batpool52! Well-Known Member

    If you copy
    Code:
    <script>alert("meow")</script>
    and paste it in the title of a template, you will get an alert, which I believe should be escaped before setting the title name in tabs.
     
  2. Mike

    Mike XenForo Developer Staff Member

    This is fixed now, including a case where an error message would print it back unescaped. It doesn't appear that anything nefarious can be done though as the value can only be controlled by typing directly into the template title and the value can't actually be saved because it's not a valid template name.
     
    batpool52! likes this.
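
The two output points mentioned in the thread (the tab label and the error message that echoes the name), sketched as an added example that is not XenForo's code or part of the original posts. The function names, the markup and the template-name rule are assumptions made for illustration.

```javascript
// Added illustration; not XenForo code. All function names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed validity rule for this example only: letters, digits, underscores.
function isValidTemplateName(title) {
  return /^[A-Za-z0-9_]+$/.test(title);
}

// Before: the typed title is concatenated into the tab markup as-is.
function renderTabUnsafe(title) {
  return '<li class="tab"><a>' + title + '</a></li>';
}

// After: the title is encoded at the point of output.
function renderTab(title) {
  return '<li class="tab"><a>' + escapeHtml(title) + '</a></li>';
}

// Second sink: an error message that echoes the rejected name back.
function renderNameError(title) {
  return '<div class="error">Invalid template name: ' + escapeHtml(title) + '</div>';
}

// The tab label updates while typing; validation only decides whether to save.
// Rejecting the name does not protect either output, so both are encoded.
function handleTitleInput(title) {
  const valid = isValidTemplateName(title);
  return { tab: renderTab(title), saved: valid, error: valid ? null : renderNameError(title) };
}

const typed = '<script>alert("meow")</script>'; // the string from the report
console.log(renderTabUnsafe(typed)); // markup reaches the page unencoded
console.log(handleTitleInput(typed)); // encoded tab and error, nothing saved
```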
