XSS is possible in the admin part of the comments extension.

Reproduce:
 1. Post a comment with, say, "<script>alert("oh my xss")</script>"
 2. Log in as admin, go to the comments tab
 3. You see...

In the frontend, the output is handled correctly.
This gives an attacker the possibility of taking over an admin account.


/simon


_______________________________________________
Radiant mailing list
Post:   Radiant@radiantcms.org
Search: http://radiantcms.org/mailing-list/search/
Site:   http://lists.radiantcms.org/mailman/listinfo/radiant

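An added example, not code from the report above or from the Radiant comments extension, showing the difference the report describes: an admin view that emits the stored comment body verbatim next to one that HTML-escapes it. The two templates, the sample comment hash and the render/contains_raw_script? helpers are hypothetical stand-ins for the extension's real views; the h method mimics the Rails helper of the same name (CGI.escapeHTML), which older Rails views did not apply automatically inside <%= %>.

```ruby
require 'erb'
require 'cgi'

# Constructed sample comment carrying the payload from the report.
SAMPLE_COMMENT = { author: 'anonymous', body: '<script>alert("oh my xss")</script>' }.freeze

# Hypothetical admin comment-list row. In pre-auto-escaping Rails views
# <%= %> writes the value as-is, so stored HTML/JS executes in the admin's browser.
VULNERABLE_TEMPLATE = <<~'ERB'
  <tr>
    <td><%= comment[:author] %></td>
    <td><%= comment[:body] %></td>
  </tr>
ERB

# Hardened row: every attacker-controlled field goes through h() before it hits the page.
SAFE_TEMPLATE = <<~'ERB'
  <tr>
    <td><%= h comment[:author] %></td>
    <td><%= h comment[:body] %></td>
  </tr>
ERB

# Stand-in for the Rails view helper h(); assumption: same behaviour as CGI.escapeHTML
# (escapes &, <, >, " and ').
def h(text)
  CGI.escapeHTML(text.to_s)
end

# Render a template with a single local named `comment`, like a view partial would.
def render(template, comment)
  ERB.new(template).result(binding)
end

# Crude check used to compare the two renderings: does an unescaped <script tag survive?
def contains_raw_script?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts '--- vulnerable admin row ---'
  puts render(VULNERABLE_TEMPLATE, SAMPLE_COMMENT)
  puts '--- escaped admin row ---'
  puts render(SAFE_TEMPLATE, SAMPLE_COMMENT)
end
```

The fix has to be applied to every admin view that prints comment fields (list, edit form, preview), not only the tab the report mentions; a single unescaped field anywhere in the admin UI is enough for the session takeover the report warns about.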