Announcement

Collapse
No announcement yet.
X
  • Filter
  • Time
Clear All
new posts

    SC cross-site scripting

    SC 8, Chrome (latest), firefox (v42)

    We have found that when text with HTML code is displayed in pages using SC, the application can be cross-site scripted.

    In the iframe1.png image attached to this mail we have an embedded irframe tag

    Click image for larger version

Name:	iframe1.png
Views:	131
Size:	7.6 KB
ID:	241121

    and when the form is displayed we get the behaviour displayed in the attached image iframe2.png

    Click image for larger version

Name:	iframe2.png
Views:	111
Size:	7.6 KB
ID:	241123

    Is there a way in SC to prevent such cross-site scripting - other than filtering all the text that is entered by the user?

    Thanks

    Stewart Bourke
    Attached Files

    #2
    See dataSourceField.escapeHTML.

    Comment

    Working...
    X