The bookmarks portlet doesn't escape any HTML in any field, so I could enter </div</div></div> and really break the layout. See screenshot.
Actually, the affects version is 1.0.10 but it is not in the list above.
Attached a patch to fix this. Also replaced the URL validation with Commons Validator.
It was allowing through anything that started with http:// but ignoring the actual content of the URL.
So http://<b>bookmark</b> was valid. Fixed now.
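The two problems discussed in this issue, shown side by side as an added example (this is not the attached patch or the portlet's own code): a prefix-only URL check next to Commons Validator's `UrlValidator`, and HTML escaping of a field before it is rendered. The class name, method names, the hand-written escaping helper and the allowed scheme list are assumptions made for illustration.

```java
import org.apache.commons.validator.routines.UrlValidator;

public class BookmarkInputCheck { // hypothetical class, not from the portlet

    // The behaviour described above: only the prefix is inspected.
    static boolean prefixOnlyCheck(String url) {
        return url != null && url.startsWith("http://");
    }

    // Commons Validator checks scheme, authority, path and query.
    // The allowed scheme list is an assumption for this example.
    private static final UrlValidator VALIDATOR =
            new UrlValidator(new String[] {"http", "https"});

    static boolean validatedCheck(String url) {
        return VALIDATOR.isValid(url); // returns false for null
    }

    // Minimal escaping for HTML text and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String[] samples = {
            "http://example.org/page?id=1", // constructed sample
            "http://<b>bookmark</b>",       // the value quoted in this issue
        };
        for (String url : samples) {
            System.out.printf("%-30s prefixOnly=%b validator=%b%n",
                    url, prefixOnlyCheck(url), validatedCheck(url));
        }
        // Constructed field value containing closing tags.
        String name = "</div></div></div>";
        System.out.println("<span>" + escapeHtml(name) + "</span>");
    }
}
```

Validation and escaping cover different fields: the validator only applies to the URL, while name and description fields still need escaping at output time.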