
The LogViewer component is vulnerable to Cross Site Scripting.

Open cjke opened this issue 10 years ago • 5 comments

We've had our soon to be launched site externally security tested. The security auditors use the AS/NZS 31000:2009 standard for assessing risk. A few issues recorded were linked directly to the LogViewer component. I will include a new issue per issue recorded by the security audit.

Consequence: High. This flaw can be exploited to affect the integrity of all applications served from the same server.

The LogViewer component parses the Apache log files and presents the entries to the user. If a log entry contains any HTML component, including Javascript, it is sent to the browser without validation. This introduces a cross site scripting vulnerability.


cjke avatar Jun 15 '14 22:06 cjke
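The fix for the behaviour this issue describes is output encoding of every log field before it reaches the page. The following is an added example, not code from the LogViewer project (which I assume here to be PHP); it parses constructed Apache combined-format lines and shows the unescaped rendering next to an escaped one.

```php
<?php
// Added example, not code from the LogViewer project: render Apache access-log
// entries into an HTML table with output encoding, so markup or JavaScript that
// arrives in a request line, referer or User-Agent header is displayed as text
// rather than interpreted by the browser.
declare(strict_types=1);

// Constructed sample entries in Apache "combined" log format. The second line's
// request and User-Agent fields carry markup, which any client can get into a
// log simply by sending a request with those values.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [15/Jun/2014:22:06:01 +1000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Jun/2014:22:06:02 +1000] "GET /?q=<b>x</b> HTTP/1.1" 404 209 "-" "<script>alert(1)</script>"
LOG;

/** Split one combined-format line into named fields; null if the line does not match. */
function parseCombinedLine(string $line): ?array
{
    $re = '/^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['host' => $m[1], 'time' => $m[4], 'request' => $m[5], 'status' => $m[6],
            'bytes' => $m[7], 'referer' => $m[8], 'agent' => $m[9]];
}

/** Vulnerable rendering, as the issue describes: raw field values go straight into the markup. */
function renderRowUnsafe(array $e): string
{
    return '<tr><td>' . implode('</td><td>', $e) . '</td></tr>';
}

/** Hardened rendering: every field is HTML-encoded before it is placed in element content. */
function renderRowSafe(array $e): string
{
    $encoded = array_map(
        fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $e
    );
    return '<tr><td>' . implode('</td><td>', $encoded) . '</td></tr>';
}

foreach (explode("\n", SAMPLE_LOG) as $line) {
    $entry = parseCombinedLine($line);
    if ($entry === null) {
        continue; // skip malformed lines instead of echoing them raw
    }
    echo renderRowSafe($entry), "\n";
}
```

In the escaped output the second row contains `&lt;script&gt;` literally, so the browser renders the attacker-supplied text instead of executing it; the same encoding should be applied in whatever view layer the component uses.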

I'm having some issues with my dev environment at the moment, but I've found a fix for this issue and #67. I will get them fixed as soon as I can.

mikemand avatar Jun 22 '14 16:06 mikemand

What is the status of this?

opheliadesign avatar Oct 06 '14 18:10 opheliadesign

Any news?

natali9t9 avatar Nov 13 '14 10:11 natali9t9

Was this ever fixed? If not, I will create a pull request to fix the issues.

cjke avatar Feb 18 '15 03:02 cjke

I have not had any time lately to fix this bug and #67. If @cjke would like to open a pull request that fixes it, I will review and (most likely) accept.

mikemand avatar Mar 02 '15 23:03 mikemand