esotalk / esoTalk

Fat-free forum software.
GNU General Public License v2.0

Fix XSS in BBcode, issue #401 #424

Closed jgknight closed 9 years ago

jgknight commented 9 years ago

This fixes #401 where the regex/order of BBcode allows injection of JavaScript, introducing the possibility of Cross-Site Scripting (XSS) attacks.

I've tested this on my dev setup, and it blocks the current example XSS. I was unable to exploit it after this patch.

jgknight commented 9 years ago

No objections, so I'll merge it :)