tooltiptext attribute doesn't escape HTML


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • 5.0.10, 10.2.0
    • Affects Version/s: 5.0.7
    • Component/s: None
    • None

      If you bind a value to a tooltiptext attribute and that value is something like '/><script>alert("Hi!")</script><!--', the HTML doesn't get escaped and is executed. This doesn't happen with Label, I think.

            Assignee:
            jumperchen
            Reporter:
            guilty
            Votes:
            0
            Watchers:
            2

              Created:
              Updated: