Allowed_html configuration not working in OJS version

Hi There,

I have installed OJS version and found following issue in this version:

  1. I am able to insert input value by using input field in dashboard. Please see the attachment 1.png .

  2. The code got executed on Journal Management Setting page. Please see the attachment 2.png .

Please help us regarding this issue.




Hi @abmishra,

If you’re using custom scripts, a better approach might be to use the custom header plugin. I don’t think it will work in the way that you’ve done it within the existing settings forms in OJS. This thread provides a good overview of the plugin and how its used: Use Case/Examples for Custom header plugin for OJS - #8 by asmecher

PKP Team

@rcgillis I guess the intention of this post is not a usage of custom scripts, but a bug report. See the other post: Allowed html tag issue

Hi @abmishra,

In the future, if you think you may be encountering a security issue, please follow the instructions here:

I’ve entered <script>alert(1)</script> in the “Preferred Public Name” field, but do not see the alert as you report. Can you check the page source to see where the <script>alert(1)</script> is being served and interpreted? (Is it possible you were entering the same script in another field that may be responsible?)

Alec Smecher
Public Knowledge Project Team