Open marvinthepa opened 7 years ago
At least when using formMethod="get", it is possible to pass HTML in the $param.op url parameter and have it executed as it is not escaped.
formMethod="get"
$param.op
Tested on version 2.5.0 (branch "grails-2"), grails v. 2.5.5.
Pull request follows.
At least when using
formMethod="get", it is possible to pass HTML in the$param.opurl parameter and have it executed as it is not escaped.Tested on version 2.5.0 (branch "grails-2"), grails v. 2.5.5.
Pull request follows.