Closed michaelkuty closed 8 years ago
We trust and render HTML (submissions in admin) from users; I changed the implementation so it renders a simple table without `value|safe`.
Test with `<script>alert(1)</script>`
It's only for SESSION_COOKIE_HTTPONLY = False, but I think it is still dangerous to evaluate JS from a user in the admin site.
Still, you can exploit the admin using http://beefproject.com/
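Added example, not the project's own code: a stdlib-only stand-in for the admin template described above, rendering a constructed submission as a table both the old way (value marked safe, like `value|safe`) and the fixed way (HTML-escaped), with a check that no submitted markup survives into the output. The function names and the sample submission are assumptions.

```python
from html import escape

# Constructed sample: a user-submitted form captured by the app and shown in the admin.
SUBMISSION = {
    "name": "Mallory",
    "comment": "<script>alert(1)</script>",
    "quote": 'He said "hi" & left',
}

def render_submission_table(submission, mark_safe=False):
    """Render a submission as an HTML table for an admin page (hypothetical helper).

    mark_safe=True reproduces the original behaviour (value|safe): user input is
    inlined unescaped, so submitted markup is parsed by the admin's browser.
    mark_safe=False is the fixed behaviour: every key and value is HTML-escaped
    (quotes included) so it is displayed as text, never as markup.
    """
    rows = []
    for key, value in submission.items():
        cell = str(value) if mark_safe else escape(str(value), quote=True)
        rows.append(f"<tr><th>{escape(str(key))}</th><td>{cell}</td></tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>"

def contains_raw_markup(rendered_html, submission):
    """Return True if any submission value that needs escaping appears verbatim.

    Values that escape to themselves (such as 'Mallory') are skipped: they look
    the same either way and cannot be active content.
    """
    return any(
        str(v) in rendered_html
        for v in submission.values()
        if escape(str(v), quote=True) != str(v)
    )

if __name__ == "__main__":
    vulnerable = render_submission_table(SUBMISSION, mark_safe=True)
    fixed = render_submission_table(SUBMISSION)
    print("vulnerable leaks markup:", contains_raw_markup(vulnerable, SUBMISSION))
    print("fixed leaks markup:", contains_raw_markup(fixed, SUBMISSION))
    print(fixed)
```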
Nice find, thanks.