Right now you can enter arbitrary strings as the color for the default [color] bbcode. This could allow arbitrary CSS styles to be applied or, worse, arbitrary JavaScript to be executed on an event. The [color] bbcode needs an InputValidator for its color option.
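An added example, not code from this report or from the project: a Python sketch of an allow-list check for the color option, shown beside the unvalidated rendering the report describes. The names `CssColorValidator` and `render_color`, the accepted color forms, and the sample inputs in the comments are assumptions constructed for illustration.

```python
import html
import re

# Assumed allow-list: CSS color names (letters only), #rgb / #rrggbb,
# and rgb()/rgba() with plain numeric arguments. Everything else is rejected.
_COLOR_RE = re.compile(r"""
      [a-zA-Z]{1,30}
    | \#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})
    | rgba?\(\s*\d{1,3}\s*(?:,\s*\d{1,3}\s*){2}(?:,\s*(?:0|1|0?\.\d+)\s*)?\)
""", re.VERBOSE)

_TAG_RE = re.compile(r"\[color=([^\]]*)\](.*?)\[/color\]", re.DOTALL)


class CssColorValidator:
    """Hypothetical stand-in for the InputValidator the report asks for."""

    def validate(self, value):
        # fullmatch: the whole option must be a color, so quotes, semicolons
        # and extra declarations cannot ride along after a valid prefix.
        return _COLOR_RE.fullmatch(value) is not None


def render_color(text, validator=None):
    """Render [color=X]...[/color] to HTML.

    validator=None reproduces the reported behaviour: the option is copied
    into the style attribute verbatim. With a validator, a tag whose option
    fails the check is left in the output as escaped literal text.
    """
    out, pos = [], 0
    for m in _TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        color, body = m.group(1), m.group(2)
        if validator is not None and not validator.validate(color):
            out.append(html.escape(m.group(0)))
        else:
            out.append('<span style="color: %s">%s</span>'
                       % (color, html.escape(body)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)

# Constructed inputs:
#   render_color('[color=#f00]hi[/color]', CssColorValidator()) renders a span
#   render_color('[color=red; background: url(x)]hi[/color]', CssColorValidator())
#     leaves the tag as escaped text instead of emitting a style attribute
```

Escaping the option before interpolation would stop attribute breakout but not extra CSS declarations, which is why the check is an allow-list on the whole value.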