form: display-edit: add safe default renderer for display field
Due to the value binding on can get interesting effects when the
displayEdit field is in write (input) mode, as then the values still
get relayed to the display field, which itself is wanted as the field
supports live-switching, but even though the display field is
disabled and hidden, the value will be still rendered and a user can
XSS themselves inserting things like:
<img src="a" onerror="alert('cookie:'+document.cookie);"></token
And even though it's harmless (your browser knows your own cookie
already), it is rather odd and simply to cheap to harden against (per
default) to not do so.
Reported-by: Marcel Fromkorth <marcel.fromkorth@8com.de>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
projects / proxmox-widget-toolkit.git / commit