Bug #5453
HTML Injection via comment/short description fields
Status: New
Priority: Low
Assignee: -
Start date: 02/15/2014
Due date:
% Done: 0%
Estimated time:
Description
We discussed this at a meeting. It is possible to insert HTML code into the comment and short description fields which then gets interpreted on the MISCOMP web forms.
I think simply changing every double-quote (") to a single-quote (') might 'fix' the issue.
This is LOW priority, as I just discovered that the existing MISCOMP web forms have the same problem!
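An added illustration of the two approaches mentioned in the report (quote substitution versus proper output encoding); this is example code written for this page, not MISCOMP's own code, and it assumes nothing about how the real forms are built. The comment text and the `<td>` template are constructed sample values.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the sort of text a user could type into a
# comment or short description field. Not taken from the original report.
SAMPLE_COMMENT = 'Sensor <b>offline</b> <a href="http://example.invalid/">see note</a>'

# Hypothetical table cell in which the stored field value is rendered.
TEMPLATE = '<td class="comment">{value}</td>'


def swap_quotes(value: str) -> str:
    """The substitution proposed in the report: every double quote becomes a single quote."""
    return value.replace('"', "'")


def escape_for_html(value: str) -> str:
    """Entity-encode the characters that carry meaning in HTML text and attributes.

    html.escape with quote=True rewrites &, <, >, " and ' so the browser shows
    them literally instead of treating them as markup.
    """
    return html.escape(value, quote=True)


def render(value: str, sanitizer) -> str:
    """Insert the (sanitized) field value into the page fragment."""
    return TEMPLATE.format(value=sanitizer(value))


class TagCollector(HTMLParser):
    """Records the start tags a browser would see when parsing a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def injected_tags(page_fragment: str) -> list[str]:
    """Return the tags inside the rendered fragment, excluding the template's own <td>."""
    parser = TagCollector()
    parser.feed(page_fragment)
    parser.close()
    return [t for t in parser.tags if t != "td"]


if __name__ == "__main__":
    for name, sanitizer in (("swap_quotes", swap_quotes), ("escape_for_html", escape_for_html)):
        fragment = render(SAMPLE_COMMENT, sanitizer)
        print(f"{name}:")
        print("  rendered:", fragment)
        print("  tags the browser would interpret:", injected_tags(fragment))
```

With quote substitution the `<b>` and `<a>` elements survive and are still interpreted by the browser; only the attribute delimiter changes. Entity-encoding the value at output time removes every tag, and the stored comment text itself is left untouched.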