jimmykuu/wtforms

xss bug

gihnius opened this issue · 0 comments

Hi, I found a bug in the code that'd cause an XSS issue.

return template.HTML(fmt.Sprintf(`<input type="text" value="%s" name=%q id=%q%s>`, field.Value, field.Name, field.Name, attrsStr))

if field.Value is "><script>alert(123)</script>
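
The rendering described in this issue next to an escaped variant, as an added example that is not part of the original issue or the project's code. `TextField`, `renderUnsafe`, `renderEscaped` and `payload` are hypothetical names, and `attrsStr` is assumed to come from trusted code that has already escaped it.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
)

// TextField is a hypothetical stand-in for the field type in the issue.
type TextField struct {
	Name, Value string
}

// payload is the field value quoted in the issue.
const payload = `"><script>alert(123)</script>`

// renderUnsafe keeps the formatting from the issue: Value is inserted with %s
// and no HTML escaping, so a double quote in it ends the value attribute.
// %q applies Go string quoting (backslash escapes), which is not HTML escaping.
func renderUnsafe(f TextField, attrsStr string) template.HTML {
	return template.HTML(fmt.Sprintf(`<input type="text" value="%s" name=%q id=%q%s>`,
		f.Value, f.Name, f.Name, attrsStr))
}

// renderEscaped HTML-escapes Value and Name before placing them inside
// double-quoted attributes. Assumption: attrsStr is built by trusted code
// from already-escaped attribute names and values.
func renderEscaped(f TextField, attrsStr string) template.HTML {
	name := html.EscapeString(f.Name)
	return template.HTML(fmt.Sprintf(`<input type="text" value="%s" name="%s" id="%s"%s>`,
		html.EscapeString(f.Value), name, name, attrsStr))
}

func main() {
	f := TextField{Name: "q", Value: payload}
	fmt.Println("unsafe: ", renderUnsafe(f, ""))
	fmt.Println("escaped:", renderEscaped(f, ""))
}
```

With the escaped variant the value stays inside the `value` attribute and the browser shows it as text in the input box.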