Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Critical
Fix Version/s: 10.0.0, 9.6.5
Affects Version/s: 9.6.3
Component/s: None
Security Level: Jimmy
Labels:
- security

Steps to Reproduce

<zscript><![CDATA[
ListModel model = new ListModelList();
]]></zscript>
    <chosenbox width="100%" creatable="true" model="${model}"
               onSearch="model.add(event.value);model.addToSelection(event.value)"/>

1. enter '"><img src=foo onerror=alert(/XSS-/+location)>

Current Result

it runs javascript

Expected Result

no js run

Debug Information

chosenbox should conform All Input Components Block XSS

relates to

ZK-5260 chosenbox options don't escape HTML characters

Closed

Assignee:: rebeccalai

Reporter:: hawk

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 08/May/23 7:14 AM

Updated:: 26/Aug/24 7:36 AM

Resolved:: 12/Sep/23 2:56 AM

Details

Description

Steps to Reproduce

Current Result

Expected Result

Debug Information

Attachments

Issue Links

Activity

People

Dates