You are not logged in. Please login or register.

[ Closed ] formaction is allowed in safe mode

PHP Labware forum → htmLawed → formaction is allowed in safe mode

Pages 1

You must login or register to post a reply

Posts: 3

The following code is not caught by the safe mode of HtmLawed:

<button form="test" formaction="javascript:alert(123489574)">Click</button>' does not contain "formaction

But, if you click on the following code, it will execute the javascript.

I would suggest to disallow the formaction attribute in safe mode.

Let me know if it would be helpful for me to contribute such a change.

Thank you for pointing this important issue. It is now fixed in the new release, version 1.2.15.

Awesome! Thanks a lot for the great work :).

Pages 1

You must login or register to post a reply

PHP Labware forum → htmLawed → formaction is allowed in safe mode