nazihheni / php-form-builder-class

Automatically exported from code.google.com/p/php-form-builder-class
GNU General Public License v3.0

XSS in Textarea #184

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

1. Create a form with a textarea and another required field
2. Inside the field enter: "test</textarea>test2"
3. Leave the required field blank
4. Submit the form without JS or HTML5 validation

What is the expected output? 

A textarea prefilled with "test</textarea>test2"

What do you see instead?

A textarea with "test" inside and "test2" after the field

What version of the product are you using?

3.0-php5 (not 5.3)

On what operating system?

Any browser that relies on server validation

The same goes when using $form->setValues(); the data is never checked.

Original issue reported on code.google.com by conort on 21 Nov 2012 at 5:57
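
The reproduction above, as an added example that is not part of the original issue and not the project's code or its r582 change: a textarea re-rendered with the submitted value unescaped, beside a version that encodes the value with `htmlspecialchars()`, plus a check that the value stays inside the element. The function names and the field name `comment` are hypothetical, and the code assumes PHP 7 or later.

```php
<?php
// Added example: hypothetical helpers, not php-form-builder-class code.

// Mirrors the reported behaviour: the submitted value is echoed back as-is,
// so a "</textarea>" inside it closes the element early.
function renderTextareaUnescaped(string $name, string $value): string
{
    return '<textarea name="' . $name . '">' . $value . '</textarea>';
}

// Hardened form: encode the attribute value and the element content.
function renderTextareaEscaped(string $name, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<textarea name="' . htmlspecialchars($name, $flags, 'UTF-8') . '">'
         . htmlspecialchars($value, $flags, 'UTF-8')
         . '</textarea>';
}

// Regression check: the markup must contain exactly one closing tag, and the
// content between the tags must decode back to the submitted value.
function valueStaysInsideTextarea(string $html, string $value): bool
{
    if (substr_count(strtolower($html), '</textarea') !== 1) {
        return false;
    }
    $start = strpos($html, '>') + 1;                 // end of the opening tag
    $end   = strrpos($html, '</textarea>');          // the single closing tag
    $inner = substr($html, $start, $end - $start);
    return html_entity_decode($inner, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $value;
}

// Inputs: the value from the report, plus one constructed value.
$samples = [
    'test</textarea>test2',
    'a & b "quoted" </TEXTAREA>',
];

foreach ($samples as $value) {
    $unsafe = renderTextareaUnescaped('comment', $value);
    $safe   = renderTextareaEscaped('comment', $value);
    printf(
        "%-32s unescaped contained: %s | escaped contained: %s\n",
        $value,
        var_export(valueStaysInsideTextarea($unsafe, $value), true),
        var_export(valueStaysInsideTextarea($safe, $value), true)
    );
}
```

The same encoding has to be applied on every path that fills a field, including values passed in programmatically, since the report notes that `$form->setValues()` is affected as well.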

GoogleCodeExporter commented 8 years ago
Thanks for the bug report. r582 (http://code.google.com/p/php-form-builder-class/source/detail?r=582) should resolve this issue. Please review.

- Andrew

Original comment by ajporterfield@gmail.com on 23 Nov 2012 at 3:27

GoogleCodeExporter commented 8 years ago

Original comment by ajporterfield@gmail.com on 14 Feb 2013 at 3:04