From cd0b721f9d92fc08d0c0e5a6a49fdb5ad3ab16fe Mon Sep 17 00:00:00 2001
From: Alexander Druffel
Date: Thu, 4 Jan 2018 19:32:26 +0100
Subject: [PATCH] fixing xss in exhibits editor
---
 ndxzstudio/module/exhibits/edits.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ndxzstudio/module/exhibits/edits.js b/ndxzstudio/module/exhibits/edits.js
index 0dd01cb..918a1c1 100644
--- a/ndxzstudio/module/exhibits/edits.js
+++ b/ndxzstudio/module/exhibits/edits.js
@@ -248,6 +248,7 @@ function updateText(ida) {
 // silly that it really needs 'name' instead of 'id'
 var text = tinyMCE.getInstanceById('content').getHTML();
+ text = text.replace("