Removed due to security concerns
No, not an XSS bug in SmartGWT. If you want to allow HTML-special chars in a field, set dataSource.escapeHTML. If you don't, disallow them via validation.
For the rare case that you want to allow users to enter HTML that is actually active (e.g., working bold tags), you can use one of many free server-side libraries that can "cleanse" inbound HTML so that only certain tags are allowed / active.
This is basically how all web frameworks work.
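The three options the reply above describes, shown as an added example in plain JavaScript; this is not code from the thread or from SmartGWT, and `escapeHTML`, `validateNoHTML` and `sanitizeAllowlist` are hypothetical helper names chosen for illustration. The allowlist sanitizer is a deliberately minimal stand-in for the "cleanse" step that a maintained server-side library would perform.

```javascript
// Added example, not SmartGWT code. Three ways to handle HTML-special
// characters in user-supplied field values.

// Option 1: escape on output. Conceptually what an escapeHTML setting does:
// the characters reach the browser as text, never as markup.
function escapeHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Option 2: reject at validation time. Returns true when the value contains
// no HTML-special characters at all.
function validateNoHTML(value) {
  return !/[<>&"']/.test(String(value));
}

// Option 3: allowlist sanitizer for the rare case where active markup is
// wanted. Toy version: keeps only bare <b>, </b>, <i>, </i> tags (no
// attributes, case-insensitive) and escapes everything else. Anything the
// tag pattern does not recognise, such as a tag carrying attributes, falls
// through to the text path and is escaped, so the sanitizer fails closed.
const ALLOWED_TAGS = new Set(['b', 'i']);
function sanitizeAllowlist(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\s*>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHTML(html.slice(last, m.index)); // text between tags
    const [whole, slash, name] = m;
    if (ALLOWED_TAGS.has(name.toLowerCase())) {
      out += `<${slash}${name.toLowerCase()}>`;     // re-emit a normalised tag
    } else {
      out += escapeHTML(whole);                     // unknown tag becomes text
    }
    last = m.index + whole.length;
  }
  out += escapeHTML(html.slice(last));
  return out;
}

// Constructed sample input, the kind of value a field might receive.
const sample = '<b>bold</b> <script>alert(1)</script>';
console.log(escapeHTML(sample));
console.log(validateNoHTML(sample));
console.log(sanitizeAllowlist(sample));
```

The allowlist version illustrates the approach only: it does not balance unclosed tags, handle comments or CDATA, or parse attributes, which is exactly why the reply points at an existing sanitizing library rather than a hand-rolled one.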