Cross Site Scripting
Status: Beta
Brought to you by:
webinventor
When adding a new event, nothing is filtered out. This means there are MAJOR SECURITY HOLES. I used the simplest attack: <script>alert('XSS Attack')</script>. This did cause an alert box to appear.
If you have questions my e-mail is jworent {at} yahoo
dot com
Logged In: YES
user_id=1423751
Thank you for this bug; we'll fix this in the next version.
For now, in event_view_popup.php and event_view.php, please put a remark sign on the following lines:
event_view.*

PHP:
  line 82: $this->event_desc->HTML = true;
  line 86: $this->event_Location->HTML = true;
  etc.

ASP:
  line 250: event_desc.HTML = True
  line 254: event_Location.HTML = True
  etc.

In event_view_popup.* please do the same.
Thanks,
Alex
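
An added illustration, not code from the project, of why the workaround above stops the reported script from running. It assumes that a control whose HTML flag is left unset HTML-encodes its value on output; `LabelControl` is a hypothetical stand-in for the calendar's real control classes, which are not shown in this ticket.

```php
<?php
// Hypothetical stand-in for the calendar's output controls (assumption:
// with HTML unset, the real control encodes its value the same way).
final class LabelControl
{
    /** When true, the value is written to the page verbatim. */
    public bool $HTML = false;
    private string $value = '';

    public function setValue(string $value): void
    {
        $this->value = $value;
    }

    public function render(): string
    {
        if ($this->HTML) {
            return $this->value; // raw: stored markup reaches the browser
        }
        // Encode &, <, >, " and ' so stored text is displayed, not parsed.
        return htmlspecialchars($this->value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample: the event description used in the report above.
$stored = "<script>alert('XSS Attack')</script>";

$event_desc = new LabelControl();
$event_desc->setValue($stored);

$event_desc->HTML = true;   // as on line 82 before the workaround
$before = $event_desc->render();

$event_desc->HTML = false;  // effect of commenting that line out
$after = $event_desc->render();

echo "HTML = true : {$before}\n";
echo "HTML = false: {$after}\n";

// The encoded form must not contain tag delimiters.
if (strpbrk($after, '<>') !== false) {
    throw new RuntimeException('description was not encoded');
}
```

Encoding at output covers event descriptions that were stored before the fix as well as new ones, which filtering only at event creation would not.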