Fixed Template name is not escaped

TickTackk

TickTackk

Well-known member
If you copy
Code: 
<script>alert("meow")</script>
and paste it in title of a template, you will get a alert which I believe should be escaped before setting the title name in tabs.
 
This is fixed now, including a case where an error message would print it back unescaped. It doesn't appear that anything nefarious can be done though as the value can only be controlled by typing directly into the template title and the value can't actually be saved because it's not a valid template name.
 

Similar threads

grantus
XF 2.1 Alert is not showing
Replies
5
Views
386
grantus
grantus
JesseUCAVedYou
XF 2.2 Trigger FlashMessage Inline
Replies
2
Views
225
JesseUCAVedYou
JesseUCAVedYou
Brian Jones
Not a bug Having problem setting permissions.
Replies
1
Views
289
Brian Jones
Brian Jones
FoxSecrets
XF 2.2 How to edit info in the same page
Replies
1
Views
229
FoxSecrets
FoxSecrets
tofia
XF 2.2 Send alert without entity
Replies
0
Views
161
tofia
tofia
Top Bottom