What steps will reproduce the problem?
1. Go to the live demo at http://gaewiki-demo.appspot.com/Sandbox
2. Press edit
3. Type in *any* malicious or XSS HTML code into the textbox, for example
<script>alert("some dumb content")</script>
4. Press edit
5. Press preview (be sure *not to* press save changes)
What is the expected output? What do you see instead?
The expected output is that the code will be stripped out using some sort of
sanitizer. However, I managed to save the code and actually let it execute on
every single page load (I've deleted it afterwards, no worries).
What version of the product are you using? On what operating system?
Chrome 31.0 on Windows.
Please provide any additional information below.
You can use an HTML sanitizer to remove the script tags, or blacklist the
characters < > and ;. That'll stop the XSS for a while.
Original issue reported on code.google.com by mark.ver...@gmail.com on 10 Dec 2013 at 8:08