Description
The GetText macro does not escape its argument. One can use it to insert HTML markup into the page.
Example
[[GetText(<script type="text/javascript">e = document.getElementById('page');e.style.cssText = 'color: white; background: red;';document.write('<h1>Escape Me!</h1>');var body = document.getElementsByTagName('body')[0];var header = document.getElementById('header');body.removeChild(header);</script>)]]
<<GetText: execution failed [No argument named "<script type"] (see also the log)>>
Details
MoinMoin Version:
Workaround
Discussion
Fixed by escaping text that does not have a translation. Our translations are considered safe.
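The following is an added illustration of the defect in the Description and the fix described in the Discussion; it is example code, not MoinMoin's own macro implementation, and the translation catalog, function names and sample input are all constructed for the example. A gettext-style lookup falls back to its argument when no translation exists; the vulnerable variant returns that fallback verbatim, the hardened variant HTML-escapes it while passing catalog strings through unchanged, exactly the split the fix relies on (untranslated text is untrusted, catalog text is trusted).

```python
import html

# Constructed toy translation catalog standing in for a wiki's i18n table
# (assumption: this is not MoinMoin's real catalog format).
TRANSLATIONS = {
    "Edit": "Bearbeiten",
    "Attachments": "Anh\u00e4nge",
}


def gettext_macro_unsafe(arg: str) -> str:
    """Vulnerable behaviour from the report: when no translation exists the
    argument itself is the fallback and is returned verbatim, so any markup
    inside it reaches the rendered page unescaped."""
    return TRANSLATIONS.get(arg, arg)


def gettext_macro_safe(arg: str) -> str:
    """Hardened variant mirroring the fix in the Discussion: text that has no
    translation is HTML-escaped; strings from the catalog are treated as
    trusted and emitted unchanged."""
    translated = TRANSLATIONS.get(arg)
    if translated is None:
        return html.escape(arg, quote=True)
    return translated


def contains_raw_tag(rendered: str) -> bool:
    """Crude detection check: does the macro output still carry a raw tag?"""
    return "<" in rendered and ">" in rendered


if __name__ == "__main__":
    # Constructed, inert sample input echoing the report's "Escape Me!" text.
    untranslated_markup = "<b>Escape Me!</b>"
    print(gettext_macro_unsafe("Edit"))                # Bearbeiten
    print(gettext_macro_unsafe(untranslated_markup))   # raw <b> tag leaks through
    print(gettext_macro_safe(untranslated_markup))     # &lt;b&gt;Escape Me!&lt;/b&gt;
    print(contains_raw_tag(gettext_macro_safe(untranslated_markup)))  # False
```

The caveat the fix carries over: the safe variant only escapes the untranslated fallback, so the catalog itself must stay trusted. If translations can be edited by wiki users rather than shipped with the software, escaping the translated string as well is the more conservative choice.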
Plan
- Priority: High
- Assigned to:
- Status: fixed in patch-377