ZK-1862

Should not echo parameter value back to client

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.5.4
    • Component/s: None
    • Labels: None

      Description

      For instance:
      http://xxx/zkau?dtid=z_9wv5ec89<img%20src%3da%20onerror%3dalert(1)>1571e99e33135221d&cmd_0=onChange&uuid_0=rPHPj&data_0=%7B%22value%22%3A%22ab%22%2C%22start%22%3A2%7D&cmd_1=onClick&uuid_1=rPHPk&data_1=%7B%22pageX%22%3A692%2C%22pageY%22%3A318%2C%22which%22%3A1%2C%22x%22%3A52.20001220703125%2C%22y%22%3A1%7D

      -> {"rs":[["cfmClose",[""]],["obsolete",["z_9wv5ec89<img src=a onerror=alert(1)>1571e99e33135221d","script: xxxx"

      The "<img src=a onerror=alert(1)>" should not be echoed back.
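
The behaviour reported above next to one way to stop it, as an added example (not ZK source code, and not written by the reporter or the assignee): a response builder that copies dtid into the "obsolete" reply, beside one that only echoes an allowlisted dtid and escapes whatever it echoes. The class and method names, the dtid pattern and the "message" text are assumptions; the dtid value is the one from the request above, URL-decoded.

```java
import java.util.regex.Pattern;

// Added illustration, not ZK code: names and the dtid pattern are assumptions.
public class ObsoleteResponse {
    // Assumed shape of a desktop id: letters, digits, underscore, bounded length.
    private static final Pattern SAFE_DTID = Pattern.compile("[A-Za-z0-9_]{1,64}");

    // Before: the dtid request parameter is copied into the response unchanged.
    static String vulnerable(String dtid) {
        return "{\"rs\":[[\"obsolete\",[\"" + dtid + "\",\"message\"]]]}";
    }

    // After: a dtid that fails the allowlist is never echoed, and anything that
    // is echoed goes through jsonEscape as defence in depth.
    static String hardened(String dtid) {
        String echoed = (dtid != null && SAFE_DTID.matcher(dtid).matches()) ? dtid : "";
        return "{\"rs\":[[\"obsolete\",[\"" + jsonEscape(echoed) + "\",\"message\"]]]}";
    }

    // Writes quotes, backslashes, HTML-significant and non-printable characters
    // as JSON unicode escapes, so the value cannot close the string or form a tag.
    static String jsonEscape(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\' || c == '<' || c == '>' || c == '&'
                    || c == '\'' || c < 0x20 || c > 0x7e) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // dtid from the request in this issue, URL-decoded.
        String reported = "z_9wv5ec89<img src=a onerror=alert(1)>1571e99e33135221d";
        System.out.println(vulnerable(reported));    // markup reaches the client
        System.out.println(hardened(reported));      // dtid rejected, empty string echoed
        System.out.println(hardened("z_9wv5ec89"));  // well-formed id still echoed
    }
}
```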

        Activity

        jumperchen added a comment -

        Fixed since 7/25/2013

          People

          • Assignee: jumperchen
          • Reporter: samchuang