Hi,
we noticed today that JavaScript code and HTML tags that were entered into string attributes get evaluated and executed. This could allow malicious users with write permissions to include JavaScript code to e.g. steal session cookies from other users who are viewing this data. Fields containing HTML and JavaScript data should get escaped before displaying them.
Currently, we are using HTML <a> tags to display hyperlinks in cards, so it would be nice to alternatively include BB-style tags (e.g. [a]) to format strings as hyperlinks, if the HTML code gets escaped eventually.
Regards,
cgadmin