Cross Site Scripting

Hi,

When I set "XSS Security" to low in my application, embedding HTML code in formulas works fine.

The problem I see is that any text submitted to my forms will also be displayed unescaped, which will allow any user of my application to perform XSS attacks by submitting JavaScript code to a field.

The way it looks to me is that I either have to stop using formulas for displaying HTML code or make my application vulnerable to XSS.

What do you think about adding an option to every form element that controls the escaping of HTML sequences? That way I could enable HTML code for just the formulas that need it, and the rest of my application would be safe.

Greetings, Mathias Mamsch
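The per-field escaping the post asks for can be illustrated with a small renderer. This is an added example, not code from the post or from the product being discussed; the `Field` class, its `allow_html` flag and the `render_form` function are hypothetical names chosen for the illustration, and the two sample fields are constructed inputs. Every field is escaped by default and only a field explicitly flagged `allow_html=True` (the application-authored formula output) is passed through unchanged, so a free-text field submitted by a user never reaches the page as live markup.

```python
from dataclasses import dataclass
from html import escape


@dataclass(frozen=True)
class Field:
    """One form element. allow_html is the hypothetical per-field option
    from the post: False (the default) means the value is HTML-escaped."""
    name: str
    value: str
    allow_html: bool = False


def render_field(field: Field) -> str:
    """Render a single field as a <div>.

    Escaping is opt-out, not opt-in: only fields that were deliberately
    flagged as HTML-bearing (e.g. a formula the application author wrote)
    are emitted verbatim. Everything else, including user-submitted text,
    is escaped with quote=True so <, >, &, " and ' cannot break out of
    the surrounding markup or an attribute value.
    """
    if field.allow_html:
        content = field.value
    else:
        content = escape(field.value, quote=True)
    # The field name is also escaped because it lands inside an attribute.
    return f'<div class="field" data-name="{escape(field.name, quote=True)}">{content}</div>'


def render_form(fields: list[Field]) -> str:
    """Render all fields of a form, one per line."""
    return "\n".join(render_field(f) for f in fields)


# Constructed sample form: a formula that legitimately produces HTML and a
# free-text comment field that a user filled with a script tag.
SAMPLE_FIELDS = [
    Field("total", "<b>42 EUR</b>", allow_html=True),
    Field("comment", "<script>alert(1)</script>"),
]


if __name__ == "__main__":
    print(render_form(SAMPLE_FIELDS))
```

Running the block shows the formula's `<b>` markup intact while the comment field is rendered as harmless text (`&lt;script&gt;...`). The important design choice is the default: a field has to be explicitly marked as HTML-bearing, so adding a new form element can never silently open an injection point.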