The URL share/service/components/form/control-wrapper can have its parameters modified to include script, which then executes in the user's browser.
Steps to reproduce:
- Set up a Windows client with IE8 and Fiddler (http://www.telerik.com/fiddler)
- As admin, log into Share and go to Admin -> More -> Replication Jobs
- Start Fiddler and press F11 (to break before requests are passed through)
- In Share, click on "Create Job"
- Inspect each call in Fiddler, until you get to the POST request to share/service/components/form/control-wrapper with htmlid=alf-id4
- In Fiddler, change htmlid=alf-id4 to
It's best to do this in the "WebForms" section in Fiddler, so that everything is properly escaped.
- In Fiddler, click on "Break On response" and check that the htmlid value is still shown in the returned function:
- In Fiddler, click on "Run to Completion"

Expected result: no pop-up is shown.
Actual result: an alert pop-up is shown.
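
The fix pattern for a parameter echoed into returned script, as an added example that is not Alfresco's code: validate htmlid against an allowlist and encode it for the JavaScript string context. The `initControl()` call, both render functions and the probe value are assumptions made for illustration.

```javascript
// Added example: initControl() and both render functions are hypothetical
// stand-ins for a template that echoes htmlid into a script block.

// Allowlist for element ids: a letter, then letters, digits, "_" or "-".
const HTMLID_PATTERN = /^[A-Za-z][A-Za-z0-9_-]{0,127}$/;

// Encode for a JavaScript string literal inside an HTML <script> element.
// Everything outside a small safe set becomes \uXXXX, so quotes, backslashes,
// angle brackets and line terminators cannot end the literal or the element.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9_\-]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Before: the request parameter is concatenated into the script unchanged.
function renderUnsafe(htmlid) {
  return '<script>initControl("' + htmlid + '");</script>';
}

// After: reject ids that fail the allowlist, and encode what is accepted.
function renderHardened(htmlid) {
  if (typeof htmlid !== "string" || !HTMLID_PATTERN.test(htmlid)) {
    return { status: 400, body: "Invalid htmlid" };
  }
  const body = '<script>initControl("' + escapeJsString(htmlid) + '");</script>';
  return { status: 200, body };
}

// Regression check mirroring the "Break on response" step: does the response
// echo the submitted value byte for byte?
function reflectsRaw(htmlid, body) {
  return body.includes(htmlid);
}

// Constructed probe: a valid id followed by characters that matter in a
// script context. It carries no script of its own.
const PROBE = 'alf-id4"<>\\';
```

Running `reflectsRaw(PROBE, ...)` against each renderer gives a repeatable version of the manual Fiddler check.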