This repository has been archived by the owner on Jan 22, 2024. It is now read-only.

Able to inject HTML tag / script on comments #381

Open
galupa opened this issue Mar 3, 2021 · 0 comments
galupa commented Mar 3, 2021

Hi,

I want to report a bug on comments.
I am using 5.2 community edition and also have tested this on 6.2 community edition.
To reproduce:

  1. Go to any document detail page.
  2. Create a comment with an HTML tag.
    For example:
    <div class="textLayer">
    test
    </div>

  3. Edit the comment.
  4. Save without changing anything.
  5. The HTML tag will be part of the page (injected).

By using the example above, the user will not be able to click any top menu because of class="textLayer".

It is probably a good idea to exclude the class namespace, because it can make the user mess up the UI accidentally.

Please let me know if you need more details.

Best Regards,
Rangga
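
Steps 2 to 5 of the report are consistent with a comment that is encoded on the create path but stored raw on the edit path. The sketch below is an added example, not code from the project or from the reporter: the store classes and helper names are hypothetical, and the cause it models is an assumption. It replays the create, edit, save-unchanged sequence against that flawed design and against one that stores text verbatim and encodes on every render.

```javascript
// Constructed model of a comment store; all names here are hypothetical.
const PAYLOAD = '<div class="textLayer">\ntest\n</div>'; // sample from the report

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
// What an edit field does when pre-filled from escaped markup:
// entities turn back into the characters they stand for.
const decodeEntities = (s) =>
  s.replace(/&(amp|lt|gt|quot|#39);/g, (m) =>
    Object.keys(ENTITIES).find((k) => ENTITIES[k] === m));

// Flawed design (assumed): escape once on create, trust the stored value at render.
class EscapeOnCreateStore {
  constructor() { this.rows = new Map(); }
  create(id, text) { this.rows.set(id, escapeHtml(text)); }
  loadForEdit(id) { return decodeEntities(this.rows.get(id)); }
  saveEdit(id, text) { this.rows.set(id, text); } // no escaping on this path
  render(id) { return this.rows.get(id); }        // stored value emitted as markup
}

// Hardened design: keep the user's text verbatim, encode on every render.
class EscapeOnRenderStore {
  constructor() { this.rows = new Map(); }
  create(id, text) { this.rows.set(id, text); }
  loadForEdit(id) { return this.rows.get(id); }
  saveEdit(id, text) { this.rows.set(id, text); }
  render(id) { return escapeHtml(this.rows.get(id)); }
}

// Steps 2-4 of the report: create, open for edit, save unchanged.
function createThenResave(store) {
  store.create(1, PAYLOAD);
  const afterCreate = store.render(1);
  store.saveEdit(1, store.loadForEdit(1));
  return { afterCreate, afterResave: store.render(1) };
}

// True when the rendered output would open an element in the page.
const containsLiveTag = (html) => /<[a-z]/i.test(html);

for (const Store of [EscapeOnCreateStore, EscapeOnRenderStore]) {
  const r = createThenResave(new Store());
  console.log(Store.name, '| live tag after create:', containsLiveTag(r.afterCreate),
    '| after re-save:', containsLiveTag(r.afterResave));
}
```

A regression test for this class of bug should exercise every write path (create, edit, import) with the same payload and assert on the rendered output, not on the stored value.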
