BuddyPress.org

Opened 15 years ago

Closed 15 years ago

#1114 closed defect (bug) (fixed)

able to embed javascript into the Status field

Reported by: DJPaul
Owned by:
Milestone: 1.1
Priority: critical
Severity:
Version:
Component:
Keywords: javascript security
Cc:

Description

Hi
You're able to put HTML in the status field on your profile. I'm not sure if that's a good decision or not - but that's another matter.

If you put this string into your profile, you can trigger JavaScript commands on your profile page (it doesn't work when clicking your status in the Site Wide Activity).

P.S. Trac may screw this up, so I'll repost if needed.

<a href="bt.com" onclick="javascript:alert('bubble')">testing 3</a>

Change History (1)

#1 @apeatling
15 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [1986]) Fixes #1114
