bu-navigation icon indicating copy to clipboard operation
bu-navigation copied to clipboard

Published 20 hours ago verified publisher icon bu-ist

Label Field allows HTML like an <iframe>, horrible results ensue

Open acketon opened this issue 3 years ago • 2 comments
trafficstars

Client sent a bug: Screen Shot 2022-02-03 at 2 42 52 PM

Found this in the admin: Screen Shot 2022-02-03 at 2 44 34 PM

uh-oh.

Label field should probably sanitize HTML? Or at least only allow a limited subset... certainly not <iframe> Screen Shot 2022-02-03 at 2 44 53 PM

acketon avatar Feb 03 '22 19:02 acketon

https://buweb.slack.com/archives/C08LCBE3D/p1643917410133739

acketon avatar Feb 03 '22 19:02 acketon

Probably adjusting this line would work:

https://github.com/bu-ist/bu-navigation/blob/9c9ff6569ed4560104cf40395cdc82a6d25cfe09/admin/post.php#L230

jdub233 avatar Feb 03 '22 20:02 jdub233