The contents of the module parameter are reflected inside the page, allowing
script to be executed.
What steps will reproduce the problem?
1. Include whatever content you want executed in the "module" parameter
2. Or click this link:
http://demo.simpleinvoices.org/index.php?module=pr%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E
3. Profit
What is the expected output? What do you see instead?
I would expect Simple Invoices to sanitize the module parameter, because it
gets a lot more exciting on the next bug...
Please use labels and text to provide additional information.
Original issue reported on code.google.com by matthewj...@gmail.com on 7 Jan 2014 at 12:49
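As an added illustration (example code, not Simple Invoices' own source), the snippet below shows the pattern behind this report and the fix a maintainer would apply: the module name is reflected inside an HTML attribute, so a value containing `">` closes the attribute and the tag. The module list, default module and the rendering function are assumptions for the example.

```php
<?php
// Added example, not Simple Invoices code. Demonstrates why a raw "module"
// parameter reflected into an attribute is exploitable and how output
// encoding plus an allow-list prevents it.

// Vulnerable pattern: the request value is echoed unencoded inside a quoted
// attribute, so '">' in the value terminates the attribute and the tag and
// whatever follows is parsed as new markup.
function render_unsafe(string $module): string
{
    return '<input type="hidden" name="module" value="' . $module . '">';
}

// Hardened pattern, step 1: module names are a fixed set, so reject anything
// not on the allow-list before it reaches the template.
function validate_module(string $module, array $allowedModules): ?string
{
    return in_array($module, $allowedModules, true) ? $module : null;
}

// Hardened pattern, step 2: encode on output with ENT_QUOTES so both " and '
// are neutralised in attribute context, even if validation is ever bypassed.
function render_safe(string $module): string
{
    $encoded = htmlspecialchars($module, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="module" value="' . $encoded . '">';
}

// Constructed input: the URL-decoded value from the report above.
$reported = 'pr"><script>alert(1)</script>';
$allowed  = ['invoices', 'customers', 'products']; // assumed module set

echo render_unsafe($reported), PHP_EOL;
// Attribute is closed early and a script element is injected.

$module = validate_module($reported, $allowed) ?? 'invoices'; // assumed default
echo render_safe($module), PHP_EOL;
// Falls back to the default module; the payload never reaches the page.

echo render_safe($reported), PHP_EOL;
// Even without the allow-list, encoding alone yields an inert attribute value:
// value="pr&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"
```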