Cross Site Scripting possible even with XSS Security High

Hi,

I just discovered that the Image and probably the URL fields are vulnerable to a cross-site scripting attack, even when XSS Security is set to High.

Just submit the following value to the URL field of an Image field in a form:

" onclick="<script>alert('Vulnerable')</script>">


When you now open the view, the script is executed and the message "Vulnerable" is shown. Since cross-site scripting is a serious issue, I thought I would report that.

Greetings, Mathias
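
The following is an added example, not part of the original post and not the product's own code. It assumes the submitted URL ends up inside a double-quoted `src` attribute, and shows an unescaped renderer next to one that validates the URL and escapes it for the attribute context; all function names are hypothetical.

```javascript
// Vulnerable form: the URL is concatenated into the attribute unescaped, so a
// double quote in the value closes src="..." and the rest becomes new attributes.
function renderImageUnsafe(url) {
  return '<img src="' + url + '">';
}

// Escape every character that can end or reinterpret a quoted attribute value.
function escapeAttr(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  }[c]));
}

// Accept only absolute http(s) URLs or site-relative paths.
function isAllowedImageUrl(url) {
  // No whitespace, control characters, quotes, angle brackets or backslashes.
  if (/[\u0000-\u0020"'<>`\\]/.test(url)) return false;
  if (url.startsWith('/') && !url.startsWith('//')) return true;
  try {
    const parsed = new URL(url);
    return parsed.protocol === 'http:' || parsed.protocol === 'https:';
  } catch {
    return false; // not parseable as an absolute URL
  }
}

// Hardened form: validate on input, then escape for the attribute on output.
function renderImageSafe(url) {
  if (typeof url !== 'string' || !isAllowedImageUrl(url)) return '';
  return '<img src="' + escapeAttr(url) + '">';
}

// Review check: true when the markup carries an inline event-handler
// attribute (on...=) outside of any double-quoted attribute value.
function hasEventHandlerAttr(html) {
  const outsideQuotes = html.replace(/"[^"]*"/g, '""');
  return /\son\w+\s*=/i.test(outsideQuotes);
}

// The value from the post above, used as the test input.
const PAYLOAD = `" onclick="<script>alert('Vulnerable')</script>">`;

console.log(hasEventHandlerAttr(renderImageUnsafe(PAYLOAD)));
console.log(JSON.stringify(renderImageSafe(PAYLOAD)));
```

Escaping alone already keeps the value inside `src`; the URL check is a second layer that rejects input that is not an image location at all.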