[solved] XSS Vulnerability in "Preview Post" feature of the forum
-
wrote on 2 Dec 2010, 11:40 last edited by
Writing a post here and then clicking on "Preview Post" can lead to an XSS vulnerability: I can inject tags using the "less than" and "greater than" HTML entities - these are not escaped in the preview.
<b>Hello Bold!</b>
Another test: <blink>Testing....</blink> (if your browser supports blink tags)
<iframe width="400" height="200" src="http://www.google.com/"></iframe>
Edit: It turns out the vulnerability even works when displaying the forum.
Bug report: http://bugreports.qt.nokia.com/browse/QTWEBSITE-113
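The root cause described in this report is that the preview echoed the raw post body into the page, so `<` and `>` were interpreted as markup. The following is an added example, not code from the Qt forum or from the bug report: a small escaping routine that converts the characters HTML treats specially into entities before the body is placed into the preview container, run over the same three payloads quoted above (constructed sample inputs). The function names `escapeHtml`, `renderPreview` and `previewIsInert` are hypothetical.

```javascript
// Added example (not the forum's code): neutralise a post body before it
// is inserted into the "Preview Post" HTML, so tags show up as text.
const HTML_ESCAPES = {
  "&": "&amp;",   // must be first in spirit: prevents double-encoding tricks
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every character that can open a tag, end an attribute, or start
// an entity. A single regex pass means "&" is never re-escaped afterwards.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the preview fragment the way a server or client might before
// inserting it into the page. Only the escaped body goes inside.
function renderPreview(body) {
  return '<div class="preview">' + escapeHtml(body) + "</div>";
}

// Constructed samples mirroring the payloads in the report above.
const SAMPLES = [
  "<b>Hello Bold!</b>",
  "Another test: <blink>Testing....</blink>",
  '<iframe width="400" height="200" src="http://www.google.com/"></iframe>',
];

// Detection check: does any literal tag opener survive in the escaped body?
// (Matches "<" followed by a letter, "/" or "!", which is how browsers
// decide a tag starts.)
function containsTag(html) {
  return /<[a-zA-Z!\/]/.test(html);
}

// True when the escaped body contains no tag opener at all.
function previewIsInert(body) {
  return !containsTag(escapeHtml(body));
}

// Run all samples and report which would have been rendered as markup
// without escaping and whether they are inert after escaping.
function checkSamples(samples) {
  return samples.map((body) => ({
    rawWouldRender: containsTag(body),
    inertAfterEscape: previewIsInert(body),
    preview: renderPreview(body),
  }));
}

for (const result of checkSamples(SAMPLES)) {
  console.log(result);
}
```

The escape set covers the text-node and attribute-value contexts; placing user text into a `<script>` block, a URL, or an event handler attribute needs context-specific encoding in addition to this, so the safest fix is to only ever render the body inside a plain element as above.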
-
wrote on 2 Dec 2010, 12:01 last edited by
Thanks thp, looking into it now.
-
wrote on 2 Dec 2010, 12:29 last edited by
Thank you for reporting this issue. This is fixed now :)
-
wrote on 2 Dec 2010, 12:35 last edited by
[quote author="Gurudutt" date="1291292998"]Thank you for reporting this issue. This is fixed now :)
[/quote]That was quick, thanks a lot :)