Closed jimallman closed 5 years ago
The new behavior is in place on devapi (and can be easily tested using the webapps on devtree). If you save a string like `<script>window.alert("XSS in progress!");</script>` in the curator notes on tree (production), you should see a JS alert box when you view the study or even trigger its HTML preview while editing. This is caught and exposed by the fix on devtree/devapi.
This fix prevents malicious scripts from being inserted in our curator notes, which are entered as markdown when editing studies and (iirc) collections. This translation from markdown to HTML is always done using a single server-side function, and always on the fly (HTML output is never stored). Adding the fix here will disable (and reveal) any `<script>` or other naughty bits in curator notes.
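The pattern described above (markdown rendered to HTML on the fly by one server-side function, then cleaned before it is served) can be illustrated with an allowlist sanitizer. The block below is an added example, not the project's fix or code; `render_markdown_stub` is a hypothetical stand-in for the real markdown library (which, like most markdown renderers, passes raw HTML through untouched, which is exactly why the `<script>` test string above fires), and `sanitize_html`, `ALLOWED_TAGS` and `render_curator_note` are names chosen here, not the API's.

```python
"""Allowlist-based HTML sanitizer for rendered curator notes.

Added example, not the project's own code. Assumptions: the markdown step is
modelled by `render_markdown_stub`; a real service would call its markdown
library and pass the result through `sanitize_html` before serving it.
"""
import re
from html import escape
from html.parser import HTMLParser

# Tags and attributes that may survive; everything else is dropped.
ALLOWED_TAGS = {"p", "em", "strong", "a", "ul", "ol", "li", "code", "pre", "br", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}  # tag AND its inner text are discarded


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded, then re-escaped below
        self.out = []
        self._skip_depth = 0  # > 0 while inside a dropped <script>/<style> element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, iframe, ...): drop the tag, keep any text inside
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # removes onclick=, onerror=, style=, ...
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # removes javascript: and data: URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # text is never emitted raw


def sanitize_html(html):
    """Return `html` reduced to allowlisted tags/attributes with all text escaped."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def render_markdown_stub(text):
    """Hypothetical stand-in for a markdown library: paragraphs and **bold** only.
    Like real markdown renderers it passes raw HTML through, so it is not safe alone."""
    paras = [p.strip() for p in re.split(r"\n\s*\n", text.strip()) if p.strip()]
    return "".join(
        "<p>" + re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", p) + "</p>" for p in paras
    )


def render_curator_note(markdown_text):
    """Markdown -> HTML -> sanitized HTML, done on the fly; the HTML is never stored."""
    return sanitize_html(render_markdown_stub(markdown_text))


if __name__ == "__main__":
    # Constructed sample note containing the test string from the comment above.
    note = 'Type specimen **lost**.\n\n<script>window.alert("XSS in progress!");</script>'
    print(render_markdown_stub(note))  # raw render still carries the script
    print(render_curator_note(note))   # sanitized render drops it entirely
```

The sanitizer is deliberately an allowlist rather than a blocklist: instead of trying to recognise every dangerous construct, it keeps only the handful of tags markdown legitimately produces, which is why event-handler attributes and `javascript:` links disappear along with the `<script>` element itself.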