Hi,
On a UserControl in an EPiServer project I place this encoded HTML:
<script>alert('Potensial XSS attempt')&60;/script>
When I load it into a browser the code is executed:
<script>alert('Potensial XSS attempt')</script>
alert('Potential XSS attempt')
Why? It seems kind of silly that EPiServer would decode it, so the browser can execute the script, because when I do the same on a non-EPiServer project, the result is correct?
Also if I place the same code into an attribute, for example:
<a blabla="<script>alert('Potensial xss attempt'</script>" />
The attribute is NOT decoded?