Details
- Bug
- Resolution: Fixed
- Blocker
- 15.9-rc-1
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
As a user without script right, create a page with content:
{{context source="string:{{velocity~}~}Evil{{/velocity~}~}"}}{{/context}}
As an admin user, edit the page.
Expected result:
There is a warning about the "Evil" script.
Actual result:
There is no warning and after saving or after inserting a macro in the WYSIWYG editor, the "Evil" script is executed.
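An audit sketch for the pattern in the steps above, added here as an example and not XWiki's own code: it resolves the `~` escapes in the `source` parameter of `context` macros and reports script macros embedded in `string:` content. The macro-name list, the sample page names and the regex-based parsing are assumptions; a production check should walk the output of the wiki's real parser.

```python
import re

# Assumption: script macro names to flag; extend for the macros installed on your wiki.
SCRIPT_MACROS = {"velocity", "groovy", "python", "script"}

# {{context ... source="..."}} with a quoted value that may contain ~-escaped characters.
CONTEXT_SOURCE = re.compile(
    r'\{\{context\b[^}]*?\bsource\s*=\s*"((?:~.|[^"~])*)"',
    re.IGNORECASE | re.DOTALL,
)
# Opening macro tags only: "{{/name}}" does not match because of the slash.
MACRO_OPEN = re.compile(r"\{\{\s*([a-z][\w-]*)", re.IGNORECASE)


def unescape(value):
    """Resolve '~' escapes, so '~}' becomes '}' and '~~' becomes '~'."""
    return re.sub(r"~(.)", r"\1", value, flags=re.DOTALL)


def embedded_script_macros(content, depth=0, max_depth=5):
    """Return sorted script macro names hidden in context 'string:' sources."""
    found = set()
    for match in CONTEXT_SOURCE.finditer(content):
        source = unescape(match.group(1))
        if not source.startswith("string:"):
            continue
        inner = source[len("string:"):]
        found.update(
            name.lower() for name in MACRO_OPEN.findall(inner)
            if name.lower() in SCRIPT_MACROS
        )
        # The inner text is wiki content too, so look one escape level deeper.
        if depth < max_depth:
            found.update(embedded_script_macros(inner, depth + 1, max_depth))
    return sorted(found)


# Constructed sample pages; the first is the content from the steps to reproduce.
SAMPLE_PAGES = {
    "Sandbox.Repro": '{{context source="string:{{velocity~}~}Evil{{/velocity~}~}"}}{{/context}}',
    "Sandbox.Plain": '{{context source="string:**bold** text"}}{{/context}}',
    "Sandbox.Direct": "{{velocity}}Visible{{/velocity}}",  # top level, outside this check
}


def audit(pages):
    """Map page name to the embedded script macros found in it."""
    return {n: m for n, c in pages.items() if (m := embedded_script_macros(c))}
```
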