Closed charlie-eth closed 9 years ago
So I'm not sure how much of an issue this is as long as there is proper server-side sanitizing, but typing something like an alert inside the textarea with the below code will execute the alert. Can this behaviour be prevented?
This:
<textarea class="bla"></textarea>
<script>
$('.bla').mentionsInput({ source: 'media/view/get_users', showAtCaret: true });
</script>
Will execute anything typed in such as this:
<script>alert('hello');</script>
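The behaviour reported above comes from a mentions widget building markup out of the raw textarea value (so that @names can be highlighted) and inserting that markup into the page, which turns a typed `<script>` tag into a live script element. The example below is added here and is not the plugin's code; `renderUnsafe`, `renderSafe`, `escapeHtml` and the sample input are assumptions that model the pattern, showing the unescaped rendering beside the hardened one where the value is escaped before any mention markup is applied.

```javascript
// Added example, not the plugin's own code. Models the overlay a mentions
// widget renders from the textarea value so that @mentions can be highlighted.

// Minimal HTML escaper for the five characters that matter in text and
// attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable rendering (the behaviour described in the issue): the textarea
// value is concatenated straight into markup, so a typed <script> tag becomes
// a real script element once the string is assigned to innerHTML.
function renderUnsafe(value, mentions) {
  let html = value;
  for (const m of mentions) {
    html = html.split('@' + m.name).join('<strong>@' + escapeHtml(m.name) + '</strong>');
  }
  return html;
}

// Hardened rendering: escape the whole value first, then wrap each mention by
// matching the escaped form of its name inside the already-escaped text. The
// only markup in the result is markup this function wrote itself.
function renderSafe(value, mentions) {
  let html = escapeHtml(value);
  for (const m of mentions) {
    const needle = escapeHtml('@' + m.name);
    html = html.split(needle).join('<strong>' + needle + '</strong>');
  }
  return html;
}

// Constructed sample input: the payload from the issue plus one mention.
const SAMPLE_VALUE = "hi @alice <script>alert('hello');</script>";
const SAMPLE_MENTIONS = [{ name: 'alice', id: 1 }];

// Detection helper: does the rendered HTML still contain a raw script tag?
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}

console.log('unsafe:', renderUnsafe(SAMPLE_VALUE, SAMPLE_MENTIONS));
console.log('safe:  ', renderSafe(SAMPLE_VALUE, SAMPLE_MENTIONS));
```

Escaping the value before building the highlight markup is the fix on the client side; the server-side sanitizing mentioned in the report is a separate layer and does not make the client rendering safe on its own, because the script runs in the browser of whoever types it before anything reaches the server.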
This is definitely wrong behaviour; I'll investigate tomorrow. Thank you.
Any word on this?
Fixed this