Bug #19523
Updated by Helmut Hummel about 7 years ago
The redirect_url parameter in the felogin extension is not filtered by htmlspecialchars. I have tested this on a freshly installed TYPO3 4.2.2 without any third party extensions.

Simply create a login form and call the login page, e.g. with this URL:

http://www.somedomain.tld/index.php?id=login&redirect_url=%22%3e%3cSCRIPT%3ealert('Paros')%3c/SCRIPT%3e%3cspan%20%22

"login" is the alias of the login page.

Note: In some cases the server configuration can prevent this issue.

(issue imported from #M9673)
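The payload in the report starts with `">`, which is the signature of a value being reflected inside a quoted HTML attribute: the login form carries the requested redirect target in a hidden field, and an unescaped value closes the attribute and the tag and then injects a script element. The following is an added example and not felogin's own code; the form markup, the function names and the stand-in for `$_GET['redirect_url']` are assumptions. It renders the same hidden field twice, once unescaped as the report describes and once passed through htmlspecialchars, with the report's payload as input (PHP 5 compatible, since TYPO3 4.2 ran on PHP 5).

```php
<?php
// Added example, not felogin's code. Minimal stand-in for a login form that
// keeps the requested redirect target in a hidden field. Form markup and
// function names are assumptions, not the extension's template.

function renderLoginFormVulnerable($redirectUrl)
{
    // The request parameter is written straight into an attribute value,
    // so a value containing '">' ends the attribute and the <input> tag.
    return '<form method="post" action="index.php?id=login">'
        . '<input type="hidden" name="redirect_url" value="' . $redirectUrl . '">'
        . '<input type="text" name="user">'
        . '<input type="password" name="pass">'
        . '<input type="submit" value="Login">'
        . '</form>';
}

function renderLoginFormFixed($redirectUrl)
{
    // ENT_QUOTES escapes both " and ' so the value cannot terminate the
    // attribute whichever quote character encloses it; < and > are escaped
    // as well, so no tag can be opened from inside the value.
    $safe = htmlspecialchars($redirectUrl, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="index.php?id=login">'
        . '<input type="hidden" name="redirect_url" value="' . $safe . '">'
        . '<input type="text" name="user">'
        . '<input type="password" name="pass">'
        . '<input type="submit" value="Login">'
        . '</form>';
}

// True when the rendered page still contains a raw <script> tag, i.e. the
// injected markup survived into the response.
function containsRawScriptTag($html)
{
    return stripos($html, '<script') !== false;
}

// Constructed stand-in for $_GET['redirect_url'] so the script runs offline:
// this is the report's payload after URL decoding.
$redirectUrl = '"><SCRIPT>alert(\'Paros\')</SCRIPT><span "';

$vulnerable = renderLoginFormVulnerable($redirectUrl);
$fixed      = renderLoginFormFixed($redirectUrl);

echo "vulnerable:\n", $vulnerable, "\n";
echo "fixed:\n", $fixed, "\n";
echo 'raw script tag in vulnerable output: ', var_export(containsRawScriptTag($vulnerable), true), "\n";
echo 'raw script tag in fixed output:      ', var_export(containsRawScriptTag($fixed), true), "\n";
```

Run it with `php example.php`: the first form contains the attacker's script element as live markup, the second contains only the escaped text inside the attribute value. The escaping has to happen at the point where the value is written into HTML, not at input time, because the same parameter may also be used as a Location header or a URL, where HTML escaping is the wrong transformation.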