
[Bug]: HTML tags in TXT records should be allowed. #953

@JulienPalard

Describe the problem

Hi,

Looks like #358 wrongly "fixed" an XSS in the input side instead of in the HTML rendering side.

Feels to me like fixing an SQL injection by disallowing quotes in passwords.

Also I am not aware of a spec disallowing HTML in DNS TXT records.

I have not searched extensively if there's an XSS in poweradmin though, but I currently have HTML in a TXT record (probably set manually then), and it is properly HTML encoded in the textarea of `index.php?page=edit`.

As said in the last sentence: I currently have HTML in a TXT record and cannot modify it, I'm getting `Error: You cannot use html tags for this type of record.`.

Steps to reproduce

  1. Go to the `index.php?page=edit` page of a domain.
  2. Create (or edit) a TXT record with some HTML in it like `<img src=/foo.jpg>`
  3. Get `Error: You cannot use html tags for this type of record.`

Poweradmin version

v3.8.1, but the test still exists on master.

Database

PostgreSQL

Additional information (optional)

No response
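
The distinction the report draws between filtering on input and encoding on output, as an added example that is not part of the original issue and is not Poweradmin's code. The function names are hypothetical and the sample values are constructed, except the `<img>` value taken from the report; the encoding call is PHP's standard `htmlspecialchars`.

```php
<?php
declare(strict_types=1);

// Hypothetical input-side check in the style the report objects to:
// refuse any TXT content that appears to contain markup.
function rejectsHtmlOnInput(string $content): bool
{
    return $content !== strip_tags($content);
}

// Output-side handling: keep the record content unchanged in storage and
// encode it at the point where it is placed into HTML.
function renderTxtInTextarea(string $content): string
{
    $encoded = htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<textarea name="content">' . $encoded . '</textarea>';
}

// Sample TXT values (constructed, except the <img> value from the report).
$samples = [
    'v=spf1 include:_spf.example.org ~all',
    '<img src=/foo.jpg>',
    '</textarea><b>note</b>',   // would close the textarea if written raw
];

foreach ($samples as $txt) {
    printf(
        "%s\n  input check rejects: %s\n  rendered: %s\n",
        $txt,
        rejectsHtmlOnInput($txt) ? 'yes' : 'no',
        renderTxtInTextarea($txt)
    );
}
```

Encoding at render time leaves the stored record content untouched, so the value served in DNS is exactly what the user entered.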

Labels: dns (DNS Management), ui-templates (Twig templates and UI themes)
