CVE-2022-3245: update · microweber/microweber@f20abf3
An HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input.
@@ -78,7 +78,10 @@
function getTagButtonHtmlInForm(id,name,slug) {
var html = ‘<div class="btn-group tag mb-2 mr-1 btn-tag-id-‘+id+’" role="group">’ + // remove html from string before display name = $(‘<p>’ + name + ‘</p>’).text();
var html = ‘<div class="btn-group tag mb-2 mr-1 btn-tag-id-‘+id+’" role="group">’ + ' <button type="button" class="btn-sm icon-left no-hover btn btn-secondary" onClick="editTaggingTagReplaceForm(‘+id+’)“><i class="mdi mdi-tag"></i> ' + name + ‘</button>’ + ' <button type="button” class="btn btn-primary btn-sm btn-icon" onClick="editTaggingTagReplaceForm(‘+id+’)"><i class="mdi mdi-pencil"></i></button>’ + ' <button type="button" class="btn btn-primary btn-sm btn-icon" onClick="deleteTaggingTag(‘+id+’)"><i class="mdi mdi-close"></i></button>’ + @@ -139,4 +142,4 @@ function editTaggingTagReplaceForm(tagging_tag_id) {
<div class="js-admin-tag-edit-messages" style="padding-top: 15px"></div>
<div class="js-admin-tags mt-3"></div> <div class="js-admin-tags mt-3"></div>
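Review bot: in the first hunk (getTagButtonHtmlInForm), the added line `name = $('<p>' + name + '</p>').text();` still hands the untrusted `name` to jQuery's HTML parser, and the text it returns is concatenated unescaped into the `html` string a few lines later at `' + name + '</button>'`. `.text()` decodes character references, so a name stored with entity-encoded markup becomes live markup again at that concatenation, and building nodes from the raw string with `$()` can fire inline event handlers on the parsed elements before `.text()` is called. Suggest not parsing `name` at all: create the button with DOM APIs and set the label through `textContent` (or `.text(name)` on the created button), or HTML-encode `name` before concatenating it. The `id` value is also concatenated into the `class` and `onClick` attributes in this function; confirm it is always numeric or encode it the same way.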
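Review bot: in the second hunk (@@ -139,4 +142,4 @@), the changed `<div class="js-admin-tags mt-3"></div>` line reads the same before and after, so this looks like a whitespace or end-of-file newline change. Suggest dropping it from the security fix, or mentioning it in the commit message, so the patch contains only the sanitization change and is easier to audit and backport.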
A patch is available on commit f20abf30a1d9c1426c5fb757ac63998dc5b92bfc and is anticipated to be part of version 1.3.2.