[CLOSED] XSS Injection NumberField

  1. #1

    I found an XSS injection on the NumberField component.

    Here are the steps to reproduce this issue.
    • Create a new project;
    • Put in this code;
      <body>
          <form runat="server">
          <!-- Resource Manager -->
          <ext:ResourceManager ID="ResourceManager" runat="server" />
          <ext:Panel ID="Panel" runat="server" Height="300" Width="500" Title="Panel">
              <Items>
                  <ext:NumberField ID="NumberField1" FieldLabel="Number" runat="server">
                  </ext:NumberField>
              </Items>
          </ext:Panel>
          </form>
      </body>
    • Run the project;
    • On the page, copy and paste the code below into the field;
      <font color='red' size='20'>Hi!</font>
    • Wait for the browser to process the HTML code;
    • Place the mouse pointer on the red line to see the message, as shown in the image;

    [Attached image: NumberFieldXSS.png]
    Last edited by Daniil; May 30, 2013 at 4:07 AM. Reason: [CLOSED]
  2. #2
    I don't think that it is an XSS issue. Let's consider what XSS is (Wikipedia):
    XSS enables attackers to inject client-side script into Web pages viewed by other users.
    In your case, the tooltip is shown for the same user. It is the same as if we considered JavaScript execution in the browser console to be XSS.
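
The behaviour reproduced in post #1, as an added example that is not part of the thread and is not Ext.NET or Ext JS code: it assumes the field's "invalid value" message reflects the raw input and that the tooltip renders that message as HTML. The helper names and the message template are hypothetical; the block shows the message built without and with HTML encoding.

```javascript
// Added example: hypothetical helpers, not Ext.NET / Ext JS source.

// Encode the characters that let reflected text turn into markup.
function htmlEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed template for a rejected value; {0} is replaced by the raw input.
const INVALID_TEMPLATE = '{0} is not a valid number';

// Before: the raw value is spliced into a string that is later rendered as HTML.
// A function is used as the replacement so "$&"-style patterns in the input stay literal.
function invalidMessageUnsafe(rawValue) {
  return INVALID_TEMPLATE.replace('{0}', () => rawValue);
}

// After: the value is encoded before it reaches the message, so it displays as text.
function invalidMessageSafe(rawValue) {
  return INVALID_TEMPLATE.replace('{0}', () => htmlEncode(rawValue));
}

// Validate the way a number field would: plain decimals pass,
// anything else yields the markup handed to the error tooltip.
function validateNumber(rawValue, buildMessage) {
  const ok = /^-?\d+(\.\d+)?$/.test(String(rawValue).trim());
  return ok
    ? { valid: true, errorHtml: '' }
    : { valid: false, errorHtml: buildMessage(rawValue) };
}

// The value pasted into the field in post #1.
const pasted = "<font color='red' size='20'>Hi!</font>";

console.log(validateNumber(pasted, invalidMessageUnsafe).errorHtml); // markup survives
console.log(validateNumber(pasted, invalidMessageSafe).errorHtml);   // shown as literal text
```

Whether the unencoded form is exploitable depends on the point raised in post #2: it matters once the rejected value can originate from someone other than the user viewing the tooltip.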
