RealPortalPlayer
commented
1 year ago Is this project dead? I'd prefer if this was dealt with as soon as possible. At least acknowledge this issue exists.
Open RealPortalPlayer opened 1 year ago
RealPortalPlayer
commented
1 year ago Is this project dead? I'd prefer if this was dealt with as soon as possible. At least acknowledge this issue exists.
DovieW
commented
1 year ago I'm just noticing that if someone puts HTML tags in the comment it's missing in the search results
This doesn't properly encode HTML, which can enable XSS. There seems to be some sort of mitigation, since the classic
<script>alert(1)</script>doesn't work. Unfortunately, it seems like this mitigation is half-baked. Something like<img src=1 onerror=alert(1)>does work. This can be very dangerous, and should be patched as soon as possible.