meeting-room-booking-system / mrbs-code

MRBS application code

XSS #1694

Open jberanek opened 8 years ago

jberanek commented 8 years ago

Not really much of an issue because you can't access it unless admin. But on edit_area_room.php there is an XSS vuln

Reported by: *anonymous

Original Ticket: mrbs/support-requests/971

jberanek commented 8 years ago

Yes, admins are supposed to be trusted. The Custom HTML field is there to enable them to add more information about a room or area, for example a picture, a link to another site, or perhaps a map.

However it might be worth

(1) disabling the field by default in systemdefaults, requiring site admins to enable it and putting a warning in the comments; and/or (2) restricting the range of tags that can be used.

Original comment by: campbell-m
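Option (2) above, restricting the range of tags an admin may enter, is the classic allowlist approach to a rich-text field. The following is an added illustration in Python, written for this page; it is not MRBS code and says nothing about how MRBS itself filters Custom HTML. The tag/attribute allowlist, the `sanitize_custom_html` name and the sample fragments are all constructed for the example. It keeps only listed tags and attributes, drops `<script>`/`<style>` together with their contents, rejects `href`/`src` values whose scheme is not http, https, mailto or relative, and re-balances any tags the input left open.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: tag -> attributes permitted on that tag.
# Anything not listed here (including every on* handler and style=) is dropped.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "p": set(), "br": set(), "b": set(), "i": set(),
    "strong": set(), "em": set(), "ul": set(), "ol": set(), "li": set(),
}
VOID_TAGS = {"br", "img"}              # never pushed on the open-tag stack
URL_ATTRS = {"href", "src"}            # attributes whose value is a URL
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
DROP_WITH_CONTENT = {"script", "style"}  # remove the tag and its body


def _safe_url(value: str) -> bool:
    # Remove all whitespace first: browsers tolerate "java\tscript:".
    compact = "".join(value.split())
    return urlparse(compact).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuild an HTML fragment keeping only allowlisted tags/attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []
        self.skip_depth = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            # HTMLParser has already decoded entities in attribute values,
            # so an encoded "&#106;avascript:" arrives here as "javascript:".
            if value is None or name not in ALLOWED_TAGS[tag]:
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything down to the matching tag so output stays balanced.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            # Text is re-escaped, so "&lt;script&gt;" stays inert.
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:   # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_custom_html(fragment: str) -> str:
    """Return an allowlist-filtered version of an admin-supplied HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real MRBS installation.
    for sample in (
        '<p onclick="x()">Room <b>A</b></p>',
        '<a href="javascript:alert(1)">map</a>',
        '<script>alert(1)</script><img src="/room.png" alt="">',
    ):
        print(sanitize_custom_html(sample))
```

The parser re-serialises rather than trying to strip patterns out of the original string, which is what makes the result predictable: the output can only contain tags and attributes that appear in the allowlist. A site that enables `$auth['allow_custom_html']` for trusted admins can still run something like this at display time as defence in depth, but note that even an allowlist like the above does nothing about an admin account that is itself compromised.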

jberanek commented 6 years ago

The latest release of MRBS, 1.7.0, now disables Custom HTML by default. If you want to use Custom HTML and you trust your admins then it can be re-enabled by setting in the config file:

$auth['allow_custom_html'] = true;

Original comment by: campbell-m