Open jberanek opened 8 years ago

Not really much of an issue because you can't access it unless admin. But on edit_area_room.php there is an XSS vuln!

![](http://i.imgur.com/AvMtTba.png)

Reported by: *anonymous
Original Ticket: mrbs/support-requests/971

Yes, admins are supposed to be trusted. The Custom HTML field is there to enable them to add more information about a room or area, for example a picture, a link to another site, or perhaps a map.

However it might be worth (1) disabling the field by default in systemdefaults, requiring site admins to enable it and putting a warning in the comments; and/or (2) restricting the range of tags that can be used.

Original comment by: campbell-m

The latest release of MRBS, 1.7.0, now disables Custom HTML by default. If you want to use Custom HTML and you trust your admins then it can be re-enabled by setting in the config file:

    $auth['allow_custom_html'] = true;

Original comment by: campbell-m
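The two mitigations discussed in this thread, an off-by-default config switch and an allow-list of permitted tags, shown together as an added PHP example. This is not MRBS's own code: only the `$auth['allow_custom_html']` key comes from the thread; `render_custom_html`, `sanitize_custom_html`, the allowed-tag table and the sample input are assumptions constructed for illustration.

```php
<?php
// Added example (not MRBS code): render a room/area "Custom HTML" field.
// When $auth['allow_custom_html'] is off, the stored text is escaped and
// shown literally; when on, only an allow-list of tags/attributes survives.

// Hypothetical allow-list: tag => attributes that may be kept on it.
const CUSTOM_HTML_ALLOWED_TAGS = [
    'a'      => ['href', 'title'],
    'img'    => ['src', 'alt', 'title', 'width', 'height'],
    'p'      => [], 'br' => [], 'b' => [], 'i' => [],
    'strong' => [], 'em' => [], 'ul' => [], 'ol' => [], 'li' => [],
];

// href/src may only be http(s) or a relative URL; javascript:, data:, etc. are rejected.
function custom_html_url_ok(string $url): bool
{
    $url = trim($url);
    if ($url === '' || strpbrk($url, "\0\r\n") !== false) {
        return false;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null) {                 // relative URL such as /images/map.png
        return true;
    }
    return in_array(strtolower($scheme), ['http', 'https'], true);
}

function custom_html_clean_node(DOMNode $node): void
{
    // Work on a static copy: the live childNodes list changes as nodes are removed.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                       // text is escaped by saveHTML on output
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child);     // comments, CDATA, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset(CUSTOM_HTML_ALLOWED_TAGS[$tag])) {
            $node->removeChild($child);     // script, iframe, style, ...: drop whole subtree
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, CUSTOM_HTML_ALLOWED_TAGS[$tag], true);
            if ($keep && in_array($name, ['href', 'src'], true)) {
                $keep = custom_html_url_ok($attr->value);
            }
            if (!$keep) {
                $child->removeAttribute($attr->name);   // on*= handlers, style=, bad URLs
            }
        }
        custom_html_clean_node($child);
    }
}

function sanitize_custom_html(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);           // tolerate sloppy admin HTML
    // The leading PI makes libxml treat the fragment as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';                                      // nothing renderable
    }
    custom_html_clean_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {             // anything libxml put in <head> is dropped
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function render_custom_html(string $stored, array $auth): string
{
    if (empty($auth['allow_custom_html'])) {
        // Field disabled (the 1.7.0 default): show the text, never interpret it.
        return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return sanitize_custom_html($stored);
}

// Constructed sample input, rendered with the switch on and off.
$sample = '<p>Room map: <a href="/map.png" onclick="alert(1)">map</a>'
        . '<script>alert(document.cookie)</script>'
        . '<img src="javascript:alert(1)" alt="x"></p>';
echo render_custom_html($sample, ['allow_custom_html' => true]), "\n";
echo render_custom_html($sample, ['allow_custom_html' => false]), "\n";
```

With the switch on, the first line keeps the paragraph, link and image but loses the `onclick` handler, the `<script>` element and the `javascript:` `src`; with it off, the second line is the raw markup escaped for display. Keeping the allow-list small and listing attributes per tag is what makes the second mitigation hold: anything not explicitly named is removed rather than merely flagged.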