Details
Bug
Resolution: Obsolete
Medium
Description
The default template extension/ezsurvey/design/standard/templates/survey/view/multiplechoice.tpl is vulnerable to HTML injection in its "Other" field because the output is not washed.
See attached patch.
Steps to reproduce
Enter HTML code into the "Other" text field or text area of a multiple choice attribute on the user-facing page of a default survey.
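A heuristic audit for this class of bug, as an added example that is not the attached patch or ezsurvey code: it lists `{$...}` output expressions in an eZ Publish template that are not passed through the `wash` operator. The sample template and its variable names are constructed for illustration and are not taken from multiplechoice.tpl.

```python
import re

# Matches eZ Publish template output expressions of the form {$variable...}.
# Control tags ({if}, {foreach}, {def}, {set}) do not start with "{$" and are skipped.
OUTPUT_EXPR = re.compile(r"\{(\$[^{}]+)\}")
# "wash" used as an operator anywhere in the pipe chain, with or without arguments.
WASH_OP = re.compile(r"\|\s*wash\b")


def find_unwashed(template_text):
    """Return (line_number, expression) for each {$...} output without |wash."""
    findings = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        for match in OUTPUT_EXPR.finditer(line):
            expr = match.group(1)
            if not WASH_OP.search(expr):
                findings.append((lineno, expr))
    return findings


# Constructed sample, NOT the real multiplechoice.tpl; variable names are hypothetical.
SAMPLE_TPL = """\
<label>{$question.text|wash}</label>
{foreach $question.options as $option}
  <input type="checkbox" value="{$option.id}" /> {$option.label|wash}
{/foreach}
<input type="text" name="other" value="{$question.other_answer}" />
"""

if __name__ == "__main__":
    for lineno, expr in find_unwashed(SAMPLE_TPL):
        print(f"line {lineno}: unwashed output {{{expr}}}")
```

Each finding needs manual review: a numeric id is low risk, while a value echoed back from user input, such as the "Other" answer, must be washed before output.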