I found out that my app is not safe against XSS via the URL. When I navigate to:
http://host.local/app/dashboard<script>alert("test")</script>
the script is injected into the error message:
the system is unable to find the requested action "admindashboard
How do I stop this?
The fix is easy: check the errorHandler component in the config file to see which action and view render the error, and in that view output the message as CHtml::encode($error["message"]) instead of echoing it raw. The message is built from the requested route, so anything the user puts in the URL ends up in the page; encoding it makes the browser show the <script> tag as text instead of running it.
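The fix above, as an added example that is not the post's own code: a Yii 1.x style error view shown raw and then with the message encoded. It runs without Yii, so CHtml::encode() is replaced by a stand-in (encodeLikeCHtml) that does what Yii does, htmlspecialchars with ENT_QUOTES and the application charset (assumed UTF-8), and the $error array is constructed here to mimic what the error handler passes to the view for the URL in the post; the exact message wording is illustrative.

```php
<?php
// Added example, not code from the original post. Demonstrates why echoing
// $error['message'] in the error view is XSS and how CHtml::encode() fixes it.
//
// For reference, in a Yii 1.x app the pieces involved are:
//   protected/config/main.php
//     'components' => array(
//         'errorHandler' => array('errorAction' => 'site/error'),
//     ),
//   SiteController::actionError() then does $this->render('error', $error),
//   and the view must print the message as
//     <?php echo CHtml::encode($error['message']); ?>

// Constructed sample of what the error handler hands the view for
// /app/dashboard<script>alert("test")</script>. Wording is illustrative.
$error = array(
    'code'    => 404,
    'type'    => 'CHttpException',
    'message' => 'Unable to resolve the request "dashboard<script>alert("test")</script>".',
);

// Stand-in for CHtml::encode(): htmlspecialchars with ENT_QUOTES and the
// app charset (assumed UTF-8 here). This is the assumption in the lead-in.
function encodeLikeCHtml($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// BEFORE: the view concatenates the message raw, so the <script> that came
// from the URL becomes live markup in the response. This is the bug in the post.
function renderErrorViewVulnerable(array $error)
{
    return '<h2>Error ' . $error['code'] . '</h2>'
         . '<div class="error">' . $error['message'] . '</div>';
}

// AFTER: every value derived from the request goes through the encoder, so
// the browser displays "<script>" as text rather than executing it.
function renderErrorViewFixed(array $error)
{
    return '<h2>Error ' . encodeLikeCHtml($error['code']) . '</h2>'
         . '<div class="error">' . encodeLikeCHtml($error['message']) . '</div>';
}

// Check: does the rendered HTML still contain an executable script tag?
function containsScriptTag($html)
{
    return stripos($html, '<script') !== false;
}

$before = renderErrorViewVulnerable($error);
$after  = renderErrorViewFixed($error);

echo "vulnerable view contains <script>: " . (containsScriptTag($before) ? 'yes' : 'no') . "\n";
echo "fixed view contains <script>:      " . (containsScriptTag($after) ? 'yes' : 'no') . "\n";
echo "fixed view HTML:\n" . $after . "\n";
```

Encode at the point of output, in the view, rather than trying to strip tags from the route: the message is data, and HTML-encoding it covers every payload the URL can carry, including ones that use quotes or event attributes instead of a script tag. If the error action also has a branch that echoes the message for AJAX requests, that echo needs the same CHtml::encode() treatment, because the response is still rendered by a browser.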