Bugs item #1897993, was opened at 2008-02-20 09:57
Message generated for change (Settings changed) made by tdonohue
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=119984&aid=1897993&group_id=19984

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Web UI
Group: 1.5 beta 1
>Status: Closed
>Resolution: Out of Date
Priority: 5
Private: No
Submitted By: Stuart Lewis (stuartlewis)
Assigned to: Nobody/Anonymous (nobody)
Summary: HTML not stripped in user profile data information in JSPUI

Initial Comment:
It is possible to set your name to be (e.g.) <h1>Stuart Lewis</h1>. This data is displayed as-is rather than being stripped out, meaning your name appears in bold. This could be used as the basis for an XSS attack.

The XMLUI treats this OK and does strip out the tags and displays them as their entities.

----------------------------------------------------------------------
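The as-is output the report describes for the JSPUI, next to output-time entity encoding of the same profile name, as an added example that is not part of the original message and is not DSpace code. The class name, method names and the `profile-name` markup are assumptions made for illustration.

```java
// Added example, not DSpace code. All names here are hypothetical.
public class ProfileNameEscaping {

    // Encode the characters that are significant in HTML text and in
    // quoted attribute values, so the browser shows them as literal text.
    static String escapeHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour described in the report: the stored name is written
    // into the page unchanged, so any markup in it is interpreted.
    static String renderUnescaped(String fullName) {
        return "<td class=\"profile-name\">" + fullName + "</td>";
    }

    // Corrected form: the name is encoded at the point of output,
    // whatever was stored when the profile was saved.
    static String renderEscaped(String fullName) {
        return "<td class=\"profile-name\">" + escapeHtml(fullName) + "</td>";
    }

    public static void main(String[] args) {
        String name = "<h1>Stuart Lewis</h1>"; // value quoted in the report
        System.out.println(renderUnescaped(name));
        System.out.println(renderEscaped(name));
    }
}
```

Encoding when the value is written into the page, rather than only when the profile is saved, also covers names that were stored before any input filter existed.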
