Anonymous registration permits name with JavaScript payload

Description

Kindly reported to the Openfire Security Email List by Sven Tantau.

If anonymous registration via the XMPP server is enabled, an attacker can
generate a user that contains a JavaScript payload inside the 'name'
parameter.

Once the administrator with access to the Openfire web interface looks
at the list of users, the payload would run.

Environment

None

Activity

Tom Evans
April 17, 2014, 5:02 PM

Merged into master from pull request #1.

Fixed

Assignee

Guus der Kinderen

Reporter

Daryl Herzmann