Please take this as a priority security request and close this hole before it's exploited.
ALL user inputs should be stripped of ANY html tags and special characters on input.
I added a custom form field to appointments, a text box for comments. Just now I thought to enter an IFrame tag there, and sure enough, a foreign script will run INSIDE THE ADMIN'S LOGIN when they are reviewing that appointment. The IFrame tag is also in the email sent to the admin for review of the new user, so depending on the mail client, the admin's email may be compromised also.
So, I think, maybe it's just the custom fields that are the problem. NOPE. I registered as a new user, putting an img src tag into the first name field. Sure enough, when the admin goes to review pending users, THAT IMAGE APPEARS on the user browsing page in the first name column.
This is a huge risk, allowing html/java/iframe/img tags or commands to be executed while the admin is logged in. Coded picture URLs, for example, are often used to track spam and can be used to capture the "referrer", or the URL you use as admin.
PLEASE, and SOON, sanitize all user inputs from all text or textarea forms!