Opened 15 years ago
Closed 15 years ago
#1017 closed defect (bug) (fixed)
wire not filtering input properly
Reported by: | DJPaul | Owned by: | |
---|---|---|---|
Milestone: | 1.1 | Priority: | major |
Severity: | | Version: | |
Component: | | Keywords: | wire, post, wire post, href, JavaScript, embedded, security, needs-analysis |
Cc: | Jason_JM | | |
Description
It's possible to get JavaScript into the following on any of the Wire elements:
<a href="javascript:window.location.href='www.google.com'">Tsst</a>
Change History (6)
You may be able to use the filter 'bp_get_wire_post_content':
pseudo
if (!'javascript:' present in the href via regex) {
Sound good?
Enhancement, minor, 1.2?
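
An allowlist version of the check suggested in the comment above, as an added example that is not code from the ticket or from BuddyPress: it parses the post and removes any link `href` whose scheme is not on an assumed allowlist, rather than searching for the literal string `javascript:`. The function names, the constant and the scheme list are hypothetical; only the filter name `bp_get_wire_post_content` comes from the ticket.

```php
<?php
// Added example, not BuddyPress code; function and constant names are hypothetical.

// Assumed policy: the only schemes a wire post link may use.
const WIRE_ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function wire_href_is_safe(string $href): bool
{
    // Browsers ignore whitespace and control characters inside a scheme, so
    // drop them before checking. The DOM parser has already decoded entities.
    $url = preg_replace('/[\x00-\x20]+/', '', $href);
    // Nothing that looks like "scheme:" before the path: relative URL, keep it.
    if (!preg_match('/^([^\/?#:]*):/', $url, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), WIRE_ALLOWED_SCHEMES, true);
}

function wire_filter_hrefs(string $content): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // user markup is rarely valid
    // The wrapper div gives the fragment one root; the XML PI selects UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $content . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = $doc->getElementsByTagName('div')->item(0);
    foreach ($root->getElementsByTagName('a') as $a) {
        if ($a->hasAttribute('href') && !wire_href_is_safe($a->getAttribute('href'))) {
            $a->removeAttribute('href');        // keep the link text, drop the target
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) {     // serialise without the wrapper
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

if (function_exists('add_filter')) {
    // Running inside WordPress/BuddyPress: attach to the filter named in the ticket.
    add_filter('bp_get_wire_post_content', 'wire_filter_hrefs');
} else {
    // Stand-alone run on constructed input: the ticket's payload and a normal link.
    $sample = '<a href="javascript:window.location.href=\'www.google.com\'">Tsst</a> '
            . '<a href="https://example.org/profile">ok</a>';
    echo wire_filter_hrefs($sample), PHP_EOL;
}
```

It covers `href` on `<a>` only, the case this ticket reports; WordPress's own `wp_kses()` applies the same allowlist idea to tags, attributes and protocols together.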