TagsPlugin vulnerable against XSS
Reported by: muelli
Owned by: athomas
If you search for <u>xss</u> you will see that special HTML characters won't be escaped. See
Although this TagsPlugin (at trac-hacks.org) seems to delete <script>, others won't.
Since you can steal login data, this is a security issue with high severity.
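The behaviour reported above, as an added example that is not part of the original ticket and is not TagsPlugin's code: a search term echoed into HTML unescaped, the same page with only <script> deleted, and the output-escaped form. The function names, the page template and the regex filter are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical stand-in for a filter that only deletes <script> tags.
_SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)
_TEMPLATE = "<p>Results for: %s</p>"  # constructed page fragment


def render_unescaped(query):
    """Reported pattern: the search term is written into the page as-is."""
    return _TEMPLATE % query


def render_script_stripped(query):
    """Blacklist approach: remove <script> tags, leave everything else."""
    return _TEMPLATE % _SCRIPT_TAG.sub("", query)


def render_escaped(query):
    """Fix: encode HTML special characters at output time."""
    return _TEMPLATE % html.escape(query, quote=True)


class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Return the element names present in rendered markup, in order."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    term = "<u>xss</u>"  # the search term from the ticket
    for render in (render_unescaped, render_script_stripped, render_escaped):
        # Any tag other than the template's own <p> came from user input.
        print(render.__name__, tags_in(render(term)))
```

A regression test for a search view can use the same check: any element in the rendered page beyond the template's own means the term reached the output unescaped.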
Change History (6)
comment:3 Changed 8 years ago by athomas
- Resolution set to fixed
- Status changed from assigned to closed
comment:5 Changed 8 years ago by muelli@…
- Resolution fixed deleted
- Status changed from closed to reopened