Skip to content

Incomplete escaping of characters in TV (XSS) #15925

New issue
New issue
Open
#15936
Open
Incomplete escaping of characters in TV (XSS)#15925
#15936
Labels
bugThe issue in the code or project, which should be addressed.
@Ruslan-Aleev

Description

@Ruslan-Aleev
Ruslan-Aleev
opened on Dec 1, 2021

Bug report

Summary

In TV caption you can specify html tags that are not escaped. Maybe for other elements it is relevant too.

Step to reproduce

Add: <script>alert('xss');</script> in TV caption and edit the resource with this TV.

Environment

MODX 2.x, MODX 3.x

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugThe issue in the code or project, which should be addressed.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions