#421 Able to embed inline javascript in sticky note widget
Closed: Fixed 6 years ago Opened 6 years ago by ryanlerch.

Currently, we are not sanitizing the input from the user when rendering the sticky widget. If you add something like the following:

<a onClick="alert('pants');" href="#">and some more</a>

to a sticky note widget, it runs the script.


Metadata Update from @ryanlerch:
- Issue priority set to: High

6 years ago

Fixed by changeset c78e0ca in PR #422.

Metadata Update from @abompard:
- Issue assigned to shaily
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 years ago
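An allowlist sanitizer for the kind of input reported in this ticket, as an added example: it is not the code from changeset c78e0ca or PR #422, which this page does not show. The function name `sanitize_note`, the tag and attribute allowlist, and the permitted URL schemes are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for this example; not the project's actual policy.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "em": set(),
           "strong": set(), "p": set(), "br": set(), "ul": set(), "li": set()}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" covers relative and "#" links
VOID_TAGS = {"br"}

def _safe_url(url):
    # Browsers ignore tabs, newlines and leading spaces in a scheme, so strip them first.
    cleaned = "".join(ch for ch in url if ch > " ")
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class _NoteSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append(f"<{tag}>")
            return
        kept = ""
        for name, value in attrs:  # names arrive lowercased: onClick -> onclick
            value = value or ""
            if name not in ALLOWED[tag] or (name == "href" and not _safe_url(value)):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitize_note(html_text):
    """Return (clean_html, dropped) for one sticky-note body."""
    parser = _NoteSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.dropped

# The payload from this ticket.
PAYLOAD = '<a onClick="alert(\'pants\');" href="#">and some more</a>'
```

The `dropped` list is useful for logging which notes contained stripped markup. Sanitizing when the note is saved and again when it is rendered covers notes stored before the fix.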
