Ticket COLDBOX-236 (Open) missed a few places where text needs to be escaped before it is embedded into HTML, to prevent XSS attacks and markup errors. In each of the examples below, HTML should never be passed in, so it is always safe to escape the text to ensure any special characters are not mistaken for HTML by the browser.
- The "meta" function's content variable.
- The "meta" function's content variable when passed an array of structs
- Both places src is output in the "video" function
- Both places src is output in the "audio" function
- option "value" in the "options" function
- Option name in the "options" function
- JS and CSS includes in the "addAsset" function
- The "value" parameter in the "textArea" function
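The pattern the ticket asks for, as an added CFML example that is not ColdBox's own HTML helper code: hypothetical functions mirroring the listed cases, with an unescaped "meta" beside the escaped version, attribute values run through the built-in encodeForHTMLAttribute() and text nodes through encodeForHTML().

```cfml
// Added example, not the ColdBox HTML helper itself. Function names and
// signatures are hypothetical; they follow the cases the ticket lists.
component {

    // Before: content is written into the attribute unescaped, so a value
    // containing a double quote (constructed example) ends the attribute early.
    function metaUnsafe( required string name, required string content ){
        return '<meta name="#arguments.name#" content="#arguments.content#">';
    }

    // After: every attribute value goes through encodeForHTMLAttribute().
    function meta( required string name, required string content ){
        return '<meta name="#encodeForHTMLAttribute( arguments.name )#" content="#encodeForHTMLAttribute( arguments.content )#">';
    }

    // The array-of-structs variant: each struct's content is escaped the same way.
    function metaList( required array items ){
        var out = "";
        for( var item in arguments.items ){
            out &= meta( item.name, item.content ) & chr( 10 );
        }
        return out;
    }

    // video/audio: escape src once and use the escaped value in every place
    // it is written into markup, so no output position is missed.
    function video( required string src ){
        var safeSrc = encodeForHTMLAttribute( arguments.src );
        return '<video src="#safeSrc#"><source src="#safeSrc#"></video>';
    }

    // options: the value is an attribute (attribute encoding), the visible
    // option name is a text node (HTML encoding).
    function options( required struct values ){
        var out = "";
        for( var key in arguments.values ){
            out &= '<option value="#encodeForHTMLAttribute( key )#">#encodeForHTML( arguments.values[ key ] )#</option>';
        }
        return out;
    }

    // textArea: the value becomes the element's text content, so HTML encoding
    // applies there while the name attribute gets attribute encoding.
    function textArea( required string name, string value = "" ){
        return '<textarea name="#encodeForHTMLAttribute( arguments.name )#">#encodeForHTML( arguments.value )#</textarea>';
    }
}
```

The same split applies to "addAsset": the JS and CSS paths land in src/href attributes, so they take encodeForHTMLAttribute().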