
    Showing clipped value on hover - security issue?

    I've noticed that the new FormItem.setShowClippedValueOnHover(), which defaults to true, will run script when the hover prompt is shown.

    Entering any value that extends past the clipping area of the field and adding something like this:

    Code:
    <img src="." onerror="alert('abc')">
    will show the full field value and run the onerror script when the hover appears.
    Is this intended behavior?

    I'm using Chrome and SmartClient Version: v9.0p_2013-07-10/LGPL Development Only (built 2013-07-10)

    #2
    Thanks for pointing this out, it's now fixed for all affected builds.

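The escaping that a hover like the one in this thread needs, shown next to the unescaped behaviour the first post describes. This is an added example, not part of the thread and not SmartClient code; the function names and the `hover` wrapper markup are assumptions.

```javascript
// Added illustration; not SmartClient source. All names are hypothetical.

// Escape the characters that let text break out of an HTML text or
// attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Behaviour described in the thread: the clipped field value is placed into
// the hover markup unchanged, so any tags in it become live elements.
function hoverHtmlUnescaped(fieldValue) {
  return '<div class="hover">' + fieldValue + "</div>";
}

// Hardened form: the value is treated as text, never as markup.
function hoverHtmlEscaped(fieldValue) {
  return '<div class="hover">' + escapeHtml(fieldValue) + "</div>";
}

// Regression check that runs without a browser: does the hover body
// (everything inside the wrapper div) still contain a raw tag opener?
function containsLiveTag(hoverHtml) {
  const body = hoverHtml.replace(/^<div class="hover">/, "").replace(/<\/div>$/, "");
  return /<[a-zA-Z\/!]/.test(body);
}

// Constructed sample input: a long value ending in the markup from the post.
const sample = "a value long enough to be clipped " + `<img src="." onerror="alert('abc')">`;

console.log("unescaped:", hoverHtmlUnescaped(sample), "live tag:", containsLiveTag(hoverHtmlUnescaped(sample)));
console.log("escaped:  ", hoverHtmlEscaped(sample), "live tag:", containsLiveTag(hoverHtmlEscaped(sample)));
```

In a browser, assigning the value to the hover element's `textContent` instead of `innerHTML` has the same effect as the escaped variant.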