Logo alt attribute isn't escaped when site title contains quotes

(Anton Batenev) #1

When I set (in the admin settings page) ‘title’ to a string with a quote ("), the alt attribute of the site-logo image breaks. For example, set the forum title to:


and enjoy xss.

(Sam Saffron) #2

I am not sure if I would consider this that serious. If admins can XSS the site they administrate, it's not as though something dangerous is going on.

(Anton Batenev) #3

XSS is just an example. My forum has a title with quotes and the alt of the logo breaks.

(Sam Saffron) #4

Sure, I'll sort that out. We should not make it trivial for you to destroy your site :blush:

(Jeff Atwood) #5

Did this get fixed @sam?

(Jeff Atwood) #6

Confirmed this is now escaped properly.
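
An added example (not part of the thread and not Discourse's own code) showing why a quote in the site title breaks the logo's alt attribute and what attribute escaping changes. The function names, the `/logo.png` path and the sample title are constructed, and `parseAttrs` is a simplified model of how an HTML tokenizer reads a start tag.

```javascript
// Escape a value for use inside a quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Reverse of escapeAttr; "&amp;" is decoded last to avoid double decoding.
function unescapeAttr(value) {
  return value
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// "Before": the title is interpolated into alt="..." as-is.
function logoTagUnescaped(title, src) {
  return '<img src="' + src + '" alt="' + title + '">';
}

// "After": every interpolated value is escaped for the attribute context.
function logoTagEscaped(title, src) {
  return '<img src="' + escapeAttr(src) + '" alt="' + escapeAttr(title) + '">';
}

// Simplified start-tag reader: like a browser, it lowercases names and keeps
// a stray quote as part of an attribute name instead of rejecting the tag.
function parseAttrs(tag) {
  const inner = tag.replace(/^<\w+/, "").replace(/>$/, "");
  const re = /([^\s\/>=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(inner)) !== null) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = unescapeAttr(m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Report whether alt round-trips and which unexpected attributes appeared.
function checkLogo(tag, title) {
  const attrs = parseAttrs(tag);
  const extraAttrs = Object.keys(attrs).filter((n) => n !== "src" && n !== "alt");
  return { altIntact: attrs.alt === title, extraAttrs };
}

const SAMPLE_TITLE = 'My "Test" Forum'; // constructed sample title
console.log(checkLogo(logoTagUnescaped(SAMPLE_TITLE, "/logo.png"), SAMPLE_TITLE));
console.log(checkLogo(logoTagEscaped(SAMPLE_TITLE, "/logo.png"), SAMPLE_TITLE));
```

With the unescaped tag, alt is cut off at the first quote and the rest of the title is read as extra attribute names; the same check can be run against rendered markup as a regression test for any setting that ends up in an attribute.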

(Jeff Atwood) #7