There are a few reflected and stored XSS in the admin panel caused by insufficient user input XSS filtering (only looking for `<script>`).
Reflected XSS in search query: http://localhost:8888/lucee/admin/server.cfm?action=admin.search&q="%20><img%20src=""%20onerror="alert(1)">
Stored XSS in mapping Resource field:
I've checked this ticket and confirmed the issue happened on the latest Lucee version, 5.3.8.58-SNAPSHOT, also. The issue happened in all the input fields. So I've added validation for the input fields.
Pull request: https://github.com/lucee/Lucee/pull/1023
I disagree with this approach; the admin already has
https://github.com/lucee/Lucee/blob/5.3/core/src/main/cfml/context/admin/Application.cfc#L22
https://docs.lucee.org/reference/tags/application.html#attribute-scriptprotect
Therefore, I think script protect needs updating.
Any HTML tag should have any on* attributes automatically stripped out or invalidAttribute added, when scriptProtect is enabled.
Agree on this.
It's probably better to use ESAPI than to reinvent the wheel here…
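As an added example for this thread (not code from the Lucee project, from the pull request, or from any commenter), the Python script below takes the decoded `q=` payload from the reported search URL and runs it through three treatments: a filter that only looks for `<script>` (the kind the report describes), a blocklist that strips on* attributes from any tag (a stand-in for the proposed scriptProtect change), and contextual output encoding (`html.escape` standing in for CFML's ESAPI-backed `encodeForHTML`). The admin search template, the helper names and the narrower escape set of `html.escape` are assumptions made for the demonstration. It also shows where the on* blocklist still falls short: a `javascript:` URL needs no event-handler attribute at all.

```python
"""Why a '<script>'-only filter is insufficient, and what the two remedies
discussed in the thread (stripping on* attributes, or ESAPI-style output
encoding) do with the reported payload.

Constructed example: nothing here is Lucee code; the template and the helper
names are assumptions made for this demonstration.
"""
import html
import re
from html.parser import HTMLParser

# Decoded form of the q= parameter from the reflected-XSS URL in the report.
PAYLOAD = '" ><img src="" onerror="alert(1)">'


def naive_script_filter(value: str) -> str:
    """Filter of the kind the report describes: only <script> tags are looked for."""
    return re.sub(r"<\s*/?\s*script[^>]*>", "", value, flags=re.IGNORECASE)


# Blocklist for on* attributes in quoted or bare form. A hypothetical stand-in
# for the proposed scriptProtect change, not Lucee's implementation.
_ON_ATTR = re.compile(r"""\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.I)


def strip_event_handlers(value: str) -> str:
    """Remove on* attributes from any tag, as the thread proposes."""
    return _ON_ATTR.sub("", value)


def encode_for_html(value: str) -> str:
    """Contextual output encoding. html.escape stands in for CFML's ESAPI-backed
    encodeForHTML (assumption: its five-character escape set suffices here)."""
    return html.escape(value, quote=True)


def render_search_page(query: str, sanitizer) -> str:
    """Assumed admin search template: echoes q into an attribute and into text."""
    q = sanitizer(query)
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


class _HandlerFinder(HTMLParser):
    """Collect (tag, attribute) pairs for any element carrying an on* attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.found: list = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:  # HTMLParser lowercases attribute names
            if name.startswith("on"):
                self.found.append((tag, name))


def has_event_handler(markup: str) -> bool:
    """True if the rendered page contains an element with an on* attribute,
    i.e. the payload broke out of its context and became a live handler."""
    finder = _HandlerFinder()
    finder.feed(markup)
    finder.close()
    return bool(finder.found)


if __name__ == "__main__":
    for label, fn in [("script-only filter", naive_script_filter),
                      ("strip on* attributes", strip_event_handlers),
                      ("encode for HTML", encode_for_html)]:
        page = render_search_page(PAYLOAD, fn)
        print(f"{label:22s} live handler: {has_event_handler(page)}")
    # The on* blocklist passes a javascript: URL untouched; encoding does not
    # need to know about it, because the attacker never gets a tag at all.
    print(strip_event_handlers('<a href="javascript:alert(1)">x</a>'))
```

The `has_event_handler` check parses the rendered page with `html.parser` rather than grepping the string, so it reports whether the browser would actually see an element with an on* attribute. Only the encoding path keeps the payload as inert text in both the attribute and the text context; the on* blocklist neutralises this particular payload but remains a blocklist, which is the point of the ESAPI suggestion above.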