• Resolved prajakta ghole

    (@prajakta-ghole)


    Hi,
    When I enter the <script>alert(‘123’); </script> tag in my form where it is supposed to enter first name, which is [text* first-name], it still accepts
    script tags… Is it possible to accept only letters? Also, it should not accept script tags.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Takayuki Miyoshi

    (@takayukister)

    Do you mean you see an alert popup with 123 text? Or you mean just seeing literal <script>alert(‘123’); </script> in the text field which you input on purpose?

    Thread Starter prajakta ghole

    (@prajakta-ghole)

    Hi,
    Thanks for your prompt reply. No, it’s not popping ‘123’, but I see in the email <script>alert(‘123’); </script>. Ideally it should not accept script tags as such.
    Please help.

    Plugin Author Takayuki Miyoshi

    (@takayukister)

    It’s not a security issue. You don’t have to worry about that. In a plain text email, the tags don’t work as HTML or JavaScript. In an HTML email, they are properly escaped.

  • The topic ‘Security Bug: accepts tags’ is closed to new replies.
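
The two controls discussed in this thread, letters-only input validation and escaping on output for an HTML email, as an added example that is not code from the thread or from the plugin. The function names and the error message are hypothetical; the `wpcf7_validate_text*` filter and `$result->invalidate()` are Contact Form 7's documented custom-validation hook, and that part only runs inside WordPress.

```php
<?php
// Added example; is_valid_first_name() and html_mail_line() are hypothetical
// helper names, not Contact Form 7 internals.

// Allow-list validation: Unicode letters, optionally joined by a single
// space, hyphen or apostrophe (e.g. "Anne-Marie", "O'Brien").
function is_valid_first_name(string $value): bool
{
    return preg_match('/^\p{L}+(?:[ \'-]\p{L}+)*$/u', trim($value)) === 1;
}

// Output encoding for an HTML mail body: markup characters become entities,
// so submitted text is displayed literally and never interpreted as HTML.
function html_mail_line(string $label, string $value): string
{
    $enc = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>' . $enc($label) . ': ' . $enc($value) . '</p>';
}

// Inside WordPress only: reject non-letter input for the thread's
// [text* first-name] field through Contact Form 7's validation filter.
if (function_exists('add_filter')) {
    add_filter('wpcf7_validate_text*', function ($result, $tag) {
        $raw = $_POST['first-name'] ?? '';
        if ($tag->name === 'first-name'
            && !(is_string($raw) && is_valid_first_name($raw))) {
            $result->invalidate($tag, 'Please use letters only.');
        }
        return $result;
    }, 20, 2);
}

// Constructed sample submissions, including the string from the thread.
$samples = ['Maria', 'Anne-Marie', "<script>alert('123'); </script>"];
foreach ($samples as $input) {
    printf("%-34s valid=%s\n  html mail: %s\n",
        $input,
        is_valid_first_name($input) ? 'yes' : 'no',
        html_mail_line('First name', $input));
}
```

Validation narrows what the field accepts, but the escaping step is what keeps a submitted tag inert wherever the value is later rendered as HTML.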