Logo alt attribute isn't escaped when site title contains quotes


(Anton Batenev) #1

When I set (in the admin settings page) ‘title’ to a string with a quote ("), the alt attribute of the site-logo image breaks. For example, set the forum title to:

"><script>alert('XSS');</script><

and enjoy xss.
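An added illustration of the report above (example code, not Discourse's own): the unsafe variant splices the raw title into the logo's alt attribute, the safe variant escapes it for the attribute context first, and a tag-count check shows how a regression test can tell the two apart. The `/logo.png` path and the function names are assumptions.

```javascript
// Added example, not Discourse's code. Demonstrates why a site title
// containing quotes breaks the logo's alt attribute and how escaping fixes it.

// Escape the characters that matter inside a double-quoted HTML attribute
// (and in text content, so the helper is safe in both contexts). '&' first,
// so already-produced entities are not double-escaped.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Reverse of escapeAttr, used to check the title survives a round trip.
function unescapeAttr(value) {
  return String(value)
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Unsafe rendering: the title is concatenated straight into the markup,
// so a '"' in the title closes the attribute early (the bug in this report).
function renderLogoUnsafe(title) {
  return '<img class="site-logo" src="/logo.png" alt="' + title + '">';
}

// Safe rendering: the title is escaped for the attribute context first.
function renderLogoSafe(title) {
  return '<img class="site-logo" src="/logo.png" alt="' + escapeAttr(title) + '">';
}

// Count the tags in a fragment. A correctly escaped title must yield exactly
// one <img> tag no matter what the title contains.
function countTags(html) {
  return (html.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}

// Extract and decode the alt value so the round trip can be asserted.
function altValue(html) {
  const m = html.match(/alt="([^"]*)"/);
  return m ? unescapeAttr(m[1]) : null;
}

// Constructed sample titles: the reporter's quoted-title case, and the
// attribute-breaking string quoted in the report.
const QUOTED_TITLE = 'Anton\'s "Forum"';
const BREAKOUT_TITLE = '"><script>alert(\'XSS\');</script><';
```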


(Sam Saffron) #2

I am not sure if I would consider this that serious. If admins can XSS the site they administrate, it's not as though something dangerous is going on.


(Anton Batenev) #3

XSS is just an example. My forum has a title with quotes, and the alt of the logo breaks.


(Sam Saffron) #4

Sure, I'll sort that out; we should not make it trivial for you to destroy your site :blush:


(Jeff Atwood) #5

Did this get fixed @sam?


(Jeff Atwood) #6

Confirmed this is now escaped properly.