Squaremap-signs allows for injecting HTML
CodexNotFound opened this issue · comments
CodexNotFound commented
James Lyne commented
This is an issue that needs fixing in squaremap-signs itself, as it is adding unsanitised user input into the marker tooltip and will be causing the same issue in the stock frontend.
Squaremap markers are allowed to include HTML in their tooltips and the official addons make frequent use of this, so it cannot be stripped out without breaking compatibility.
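
One way an addon could apply the fix described in the comment above, added here as an illustration and not taken from the issue thread or the squaremap-signs source: escape each player-written sign line before it is placed in the tooltip, so the addon's own markup stays HTML while the sign text is rendered as plain text. The class name, method names and tooltip template are hypothetical, and the sample sign lines are constructed.

```java
import java.util.List;

/** Added illustration; not squaremap-signs code. All names are hypothetical. */
public final class SignTooltip {

    /** Escape the five characters that can change HTML structure. */
    static String escapeHtml(String text) {
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The addon's own markup stays HTML; each player-written line is escaped first. */
    static String buildTooltip(List<String> signLines) {
        StringBuilder html = new StringBuilder("<div class=\"sign\">");
        for (String line : signLines) {
            // Escape at the point of interpolation, never after the template is assembled.
            html.append("<span>").append(escapeHtml(line)).append("</span><br/>");
        }
        return html.append("</div>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample: four sign lines typed by a player, some containing markup.
        List<String> lines = List.of("Spawn <b>shop</b>", "Tom & Jerry's", "", "\"open\"");
        System.out.println(buildTooltip(lines));
    }
}
```

Because only the interpolated sign text is escaped, tooltips from other addons that intentionally contain HTML are unaffected.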