Version: 2.6.1 Reporter: DarkMantis —
This is an archived bug report. If you are experiencing a similar issue, upgrade to the latest release and if that does not solve the problem, submit a new bug report
The issue is when you submit a new entry through Admin -> Content -> Publish and you are using the RTE, if you enter HTML into that editor, the next page will execute the HTML, which it shouldn’t. The RTE should htmlentities all input data that goes in (when you’re not in the ‘source-view’), thus creating a HTML-Safe preview page.
I was trying to post about a vulnerability I found in a WordPress plugin, and the resulting HTML of the XSS payload was:
</title>[removed]alert(document.domain);[removed]which got executed on the view_entry.php view (system -> expressionengine -> views -> content -> view_entry.php)
In system/expressionengine/controllers/cp/content_publish.php look at line 685:
$r .= ee()->api_channel_fields->apply('replace_tag', array('data' => $data));And replace it with this:
$r .= ee()->api_channel_fields->apply('replace_tag', array('data' => htmlentities($data)));ExpressionEngine implements Markdown Extra and BBCode. Please see the Markdown Extra docs and the BBCode Wikipedia article for a full reference.
**bold**, __bold__, *italics*, _italics_, ~strike/del~, `code()`
bold, italics, strike/del, code()
Link: [link title](https://example.com)
Image: 
[blockquote]...[/blockquote], [quote]...[/quote], and Markdown style:
> Some quoted text. > > This is all one quote.
[code]...[/code], and you can also specify the language for syntax highlighting, [code=php]...[/code]
GitHub flavored Markdown code fences are also supported:
```
public function decoderRing($str)
{
return str_rot13($str);
}
```