Closed mmatuzovic closed 2 years ago
I can confirm that. It was reported as an issue at our last security check.
Hmmm, I'm sure this must have been a regression, as I recall testing this many times. But regardless, you are correct.
Fixed for the next release. To get the fix early, change your `verbb/vizy` requirement in `composer.json` to:

```json
"require": {
    "verbb/vizy": "dev-craft-3 as 1.0.10",
    "...": "..."
}
```

Then run `composer update`.
Fixed in 1.0.11
Thank you for the quick fix!
Description
XSS attacks are possible because HTML written into the visual editor gets rendered.
Steps to reproduce