Closed nickw444 closed 6 years ago
@nickw444 Thanks for reporting this. We're going to look at it ASAP.
Hi @srenault any update on this?
14 days have passed since opening this issue, is there any update on this? My team may have to cancel our Prismic subscription if this is not resolved in a timely manner.
Hello @nickw444 it's fixed now.
Confirmed fixed!
It seems #22 hasn't really moved, maybe due to the title not being as alarming. Hopefully re-raising it with a more alarming title will warrant some action.
I'd suggest anyone looking to use Prismic for rendering HTML into their website avoid the service until this issue is resolved.
When using prismic-dom to render content written from Prismic CMS, an XSS attack could be performed by a content author, potentially stealing sensitive user information.

Steps to reproduce:
span declared there, it's just plain text:

document.body = rendered

/cc @benjaminjt
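The following is an added example and is not prismic-dom's or Prismic's code. It models the class of bug the issue describes: rich text typed by a content author is concatenated straight into HTML, so the author can inject markup and script. The block/span shape used here is an assumed, simplified stand-in for a CMS rich-text node (not the real schema), SAMPLE_BLOCKS is constructed input, and renderNaive, renderEscaped, safeHref and looksInjected are names chosen for this illustration. The escaping renderer HTML-escapes every slice of author text, emits only tags from a small allowlist, and neutralises non-http(s) link targets.

```javascript
// Added example (assumed node shape, not prismic-dom's schema or code).
// A rich-text block is { type, text, spans }, where each span marks a
// [start, end) range of `text` with a formatting type.

// Constructed sample content, as a content author might enter it in the CMS.
const SAMPLE_BLOCKS = [
  {
    type: 'paragraph',
    text: 'Use 2 < 3 and a bold word',
    spans: [{ start: 16, end: 20, type: 'strong' }], // marks "bold"
  },
  {
    type: 'paragraph',
    // Author-controlled text that is a live tag if rendered unescaped.
    text: '<img src=x onerror="alert(document.cookie)">',
    spans: [],
  },
  {
    type: 'paragraph',
    text: 'click me',
    spans: [{ start: 0, end: 8, type: 'hyperlink', data: { url: 'javascript:alert(1)' } }],
  },
];

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// The vulnerable pattern: author text goes into markup unescaped.
function renderNaive(blocks) {
  return blocks.map((b) => `<p>${b.text}</p>`).join('');
}

// Only these span types produce tags; any other type renders as plain text.
const SPAN_TAGS = { strong: 'strong', em: 'em' };

// Allow only http(s) URLs; javascript:, data: and friends collapse to '#'.
function safeHref(url) {
  return /^https?:\/\//i.test(url) ? escapeHtml(url) : '#';
}

// Hardened renderer: escape each text slice, wrap spans in allowlisted tags.
function renderBlockEscaped(block) {
  const spans = [...block.spans].sort((a, b) => a.start - b.start);
  let out = '';
  let cursor = 0;
  for (const span of spans) {
    if (span.start < cursor) continue; // ignore overlapping spans for simplicity
    out += escapeHtml(block.text.slice(cursor, span.start));
    const inner = escapeHtml(block.text.slice(span.start, span.end));
    if (span.type === 'hyperlink') {
      out += `<a href="${safeHref(span.data && span.data.url)}">${inner}</a>`;
    } else if (SPAN_TAGS[span.type]) {
      out += `<${SPAN_TAGS[span.type]}>${inner}</${SPAN_TAGS[span.type]}>`;
    } else {
      out += inner;
    }
    cursor = span.end;
  }
  out += escapeHtml(block.text.slice(cursor));
  return `<p>${out}</p>`;
}

function renderEscaped(blocks) {
  return blocks.map(renderBlockEscaped).join('');
}

// Crude post-render check: flags a real tag outside the allowlist, an event
// handler attribute inside a tag, or a javascript: link target.
function looksInjected(html) {
  return /<[^>]*\bon\w+\s*=/i.test(html)
    || /href\s*=\s*["']?\s*javascript:/i.test(html)
    || /<(?!\/?(?:p|strong|em|a)\b)[a-z]/i.test(html);
}

console.log('naive   :', renderNaive(SAMPLE_BLOCKS), '->', looksInjected(renderNaive(SAMPLE_BLOCKS)));
console.log('escaped :', renderEscaped(SAMPLE_BLOCKS), '->', looksInjected(renderEscaped(SAMPLE_BLOCKS)));
```

The point of the contrast is that the hardened renderer never lets author text reach the browser as markup; formatting comes only from the structured spans, and even those are limited to a fixed tag set and a URL scheme check, so the `<img onerror>` payload arrives as inert text and the `javascript:` link is defanged.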