Everything coming out of DHIS should be escaped. Are you saying that you see the alert box where you can see the name?
-- Morten

On Sat, Jan 26, 2013 at 5:37 PM, Ngoc Thanh Nguyen <thanh.hispviet...@gmail.com> wrote:
> Hi all,
>
> Sorry if this issue is irrelevant but when I tried to insert some
> malicious script into a dhis2 field, I got it stored, like this:
> [image: Inline image 1]
>
> It means that data are not filtered at all. In theory, it has a risk of
> XSS attack. How do we prevent that?
>
> Thanh
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to : dhis2-devs@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help : https://help.launchpad.net/ListHelp
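The distinction this thread turns on (a value stored unfiltered versus a value escaped when it is written into a page), as an added example that is not part of the original messages and is not DHIS 2 code. The function names, the table-cell template and the sample values are constructed for illustration.

```javascript
// Added example: the stored value is kept verbatim and escaped when rendered.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that are significant in HTML text and
// quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical renderers for a stored "name" field (assumed template).
function renderUnescaped(name) {
  return `<td title="${name}">${name}</td>`;
}
function renderEscaped(name) {
  const safe = escapeHtml(name);
  return `<td title="${safe}">${safe}</td>`;
}

// Regression check: the rendered cell must contain only the template's own
// markup. Any extra quote or angle bracket means the value changed the structure.
const CELL_SHAPE = /^<td title="[^"<>]*">[^<>]*<\/td>$/;
function structureIntact(rendered) {
  return CELL_SHAPE.test(rendered);
}

// Constructed sample values, as they would sit unmodified in the database.
const STORED_NAMES = [
  'Clinic A',
  'Ward "B" & Co',
  '<script>alert("name")</script>',
];

// Render every stored value both ways and record whether the cell survived.
function auditRenderers(names) {
  return names.map((name) => ({
    name,
    unescapedIntact: structureIntact(renderUnescaped(name)),
    escapedIntact: structureIntact(renderEscaped(name)),
  }));
}

console.log(auditRenderers(STORED_NAMES));
```

A stored name that shows up as literal text on the page has been escaped; an alert box appearing means some output path skipped the escaping step.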