This just tripped a SECURITY ALERT in my app during a movie scrape!
Record: 313022 Trailer Path: Path: http://www.youtube.com/watch?v=
Html code in a database record??? Not good.
Reply by Joe Rose
on June 8, 2015 at 9:32 PM
Sure enough! It executed in this post!
Reply by Travis Bell
on June 8, 2015 at 11:29 PM
I don't believe there's any sanitization on the video field. I've created a new ticket for this here. It's very much related to ticket #887, so I'll do them both at the same time.
Reply by LordMike
on June 15, 2015 at 5:04 PM
Uh .. just for the record. It is perfectly fine to have HTML or any other form of "code" or "markup" in the database. In fact - it should stay in that format.
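An added illustration of the point above (example code, not from this forum or TMDb): the database keeps the raw field value untouched, and validation plus output encoding happen where the value is rendered. The record numbers, video ids and the markup fragment are constructed placeholders.

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample records shaped like the thread's "Trailer Path" field.
# The second value stands in for the kind of markup the thread reports
# landing in the database; it is not the original value.
SAMPLE_RECORDS = {
    313022: "http://www.youtube.com/watch?v=VIDEOID0123",
    313023: "http://www.youtube.com/watch?v=<b>not a url</b>",
}

# Hosts the trailer field is allowed to point at (assumed allowlist).
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "m.youtube.com", "youtu.be"}
VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")


def youtube_video_id(raw):
    """Validate a stored trailer path as a YouTube URL; return the id or None."""
    try:
        parts = urlparse(raw)
    except ValueError:
        return None
    host = parts.netloc.lower()
    if parts.scheme not in ("http", "https") or host not in ALLOWED_HOSTS:
        return None
    if host == "youtu.be":
        candidate = parts.path.lstrip("/")
    else:
        candidate = parse_qs(parts.query).get("v", [""])[0]
    return candidate if VIDEO_ID_RE.fullmatch(candidate) else None


def render_trailer_cell_unsafe(raw):
    """How a value comes to 'execute': raw DB contents pasted into the page."""
    return '<a href="' + raw + '">' + raw + "</a>"


def render_trailer_cell(raw):
    """Encode on output: the page gets escaped text, and only a validated
    YouTube URL becomes a link. Anything else renders as literal characters."""
    text = html.escape(raw, quote=True)
    if youtube_video_id(raw) is None:
        return text
    return '<a href="' + text + '">' + text + "</a>"
```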