• How to reproduce:

    • Go to a contact-form-7 form in the frontend.
    • Add the following code into i.e. a textarea field:
      this is a <script>alert('TEST')</script>
    • Submit the form.
    • Go to Backend, into “Advanced CF7 DB”, select your submitted form
    • Edit the entry you just submitted

    Expected Behaviour: you can edit the submitted text, the “<” and “>” are html_encoded.
    Actual Behaviour: the alert message pops up.

  • The topic ‘WARNING Javascript Injection possible!’ is closed to new replies.
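
The expected behaviour from the report, shown as an added example (not part of the original post and not the plugin's code): a stored submission is encoded at output time before it is placed in the admin edit view. The function names and the markup are hypothetical, and the example assumes the value ends up in element content and in an attribute, since the page does not show the plugin's markup.

```php
<?php
// Added example with hypothetical names; not Advanced CF7 DB code.
// Constructed sample: the value stored by the submission in the report.
$stored = "this is a <script>alert('TEST')</script>";

// Unsafe pattern: the stored value is concatenated into the page as-is,
// so any markup it contains is parsed by the admin's browser.
function render_entry_unsafe(string $field, string $value): string
{
    return '<div class="entry" data-field="' . $field . '">' . $value . '</div>';
}

// Hardened pattern: encode for HTML when writing output. ENT_QUOTES also
// covers single and double quotes, so the same call is safe in attributes.
// In WordPress code the equivalents are esc_html(), esc_attr() and
// esc_textarea().
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_entry_safe(string $field, string $value): string
{
    return '<div class="entry" data-field="' . h($field) . '">' . h($value) . '</div>';
}

// Regression check for a template: a value containing markup characters
// must never appear verbatim in the rendered HTML.
function leaks_raw_value(string $html, string $value): bool
{
    return strpbrk($value, '<>"\'') !== false && strpos($html, $value) !== false;
}

foreach (['unsafe' => 'render_entry_unsafe', 'safe' => 'render_entry_safe'] as $label => $fn) {
    $html = $fn('your-message', $stored);
    printf("%-6s leaks=%s\n%s\n\n", $label, leaks_raw_value($html, $stored) ? 'yes' : 'no', $html);
}

// Editing still works: decoding the encoded form returns the original text,
// so the admin sees and saves exactly what was submitted.
$flags = ENT_QUOTES | ENT_HTML5;
var_dump(html_entity_decode(h($stored), $flags, 'UTF-8') === $stored);
```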