Javascript in page name executed when page is deleted

Hi,

If you add an HTML JavaScript block to the page name, EPiServer mostly escapes it (for example in the edit menu or in the search results). This is good if you have content being created by users (for example forums) to prevent malicious XSS code from being executed. But when you delete the page, the script is executed when the page name is displayed on the confirmation page.

1. Create a page. Name it ""
2. Delete the page. The alert saying Test will appear.

And the confirmation page displays: "" har flyttats till papperskorgen.

Well, not a really big issue, but this could have an editor end up on a malicious site.

Regards
/Fredrik
#17487
Mar 25, 2008 19:33
Hello Fredrik! This issue should be fixed in EPiServer 4.60 that was released last Friday.
#18288
Mar 25, 2008 19:43
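
The thread describes a page name that is encoded in the edit menu and search results but not on the delete confirmation page. The following is an added example, not part of the thread and not EPiServer code: a small regression check that feeds one constructed canary name through every place the name is rendered and reports any sink that emits it as raw markup. The renderer functions are hypothetical stand-ins written in Python for illustration.

```python
import html

# Constructed canary: harmless markup that must never reach output unescaped.
CANARY = '<b id="xss-canary">Test</b>'

# Hypothetical renderers, one per place the page name is displayed.
def render_edit_menu(name):
    return '<li class="page">' + html.escape(name) + '</li>'

def render_search_result(name):
    return '<a href="/page">' + html.escape(name) + '</a>'

def render_delete_confirmation_unsafe(name):
    # Mirrors the reported behaviour: the name is concatenated without encoding.
    return '<p>"' + name + '" har flyttats till papperskorgen.</p>'

def render_delete_confirmation(name):
    # Same message with the name HTML-encoded at the point of output.
    return '<p>"' + html.escape(name) + '" har flyttats till papperskorgen.</p>'

def unescaped_sinks(sinks, canary=CANARY):
    """Return the labels of sinks whose output contains the canary as raw markup."""
    return sorted(label for label, render in sinks.items()
                  if canary in render(canary))

# Every view that shows the page name must be listed, not only the obvious ones.
SINKS_BEFORE = {
    "edit_menu": render_edit_menu,
    "search_result": render_search_result,
    "delete_confirmation": render_delete_confirmation_unsafe,
}
SINKS_AFTER = dict(SINKS_BEFORE, delete_confirmation=render_delete_confirmation)

if __name__ == "__main__":
    print("before:", unescaped_sinks(SINKS_BEFORE))
    print("after: ", unescaped_sinks(SINKS_AFTER))
```

The check only covers the sinks registered in the dictionary, so a view that is never listed is never tested.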
#25459
Oct 27, 2008 12:28