Opera
Search the knowledge base
Advisory: Built-in XSLT templates can allow cross-site scripting
Severity
Highly Severe
Problem Description
Built-in XSLT templates incorrectly handle escaped content and can cause it to be treated as markup. If a site accepts content from untrusted users, which it then displays using XSLT as escaped strings, this can allow scripted markup to be injected. The scripts will then be executed in the security context of that site.
Opera's Response
Opera Software has released Opera 9.63, where this issue has been fixed.
Credits
Thanks to Robert Swiecki of the Google Security Team for reporting this issue to Opera Software.
Browse through articles in the same categories:
advisory
Support
- Overview
- Get started
- Register Opera Mobile
- Knowledge base
- Online communities
- Reporting bugs
- Opera Web Mail
- Access Opera
- Premium support
- Contact support
- Documentation
Opera Help
Need help? Hit F1 anytime while using Opera to access our online help files, or go here.
View mobile site
Copyright © 2009 Opera Software ASA. All rights reserved.