Hi there, I found a possible XSS Vulnerability for the Listcell component.
I entered a String like "</script foo=bar>" for a normal Textboxfield and after saving and refreshing this content will be rendered into a Listcell for the User. Unfortunately there is some vulnerability in the XSS protection function.
The resulting html-code looks like:
I always thought zkoss would now prevent all evil XSS stuff, but unfortunately the resulting page is empty or is really messed up, without any reliable information.
I am using zk220.127.116.11, zcommon5.0.4, zhtml5.0.4... (Unfortunately, upgrading to a newer zk version is not an option at this moment!)
Is there something I'm doing wrong? Or is this a known issue??
Please help ASAP. thx