**Description:** Budget version v0.19.0-16-gd2ebb2b allows remote attackers to inject malicious scripts (stored XSS) via line 44 of [`TransactionController.php`](https://github.com/range-of-motion/budget/blob/d2ebb2b9f64adb0e937629e4c280dbffd1c6fac0/app/Http/Controllers/TransactionController.php#L44). The controller builds the HTML label of each tag option by string concatenation and inserts the user-controlled `$tag->name` (and `$tag->color`) without HTML encoding, so a tag name that contains markup is stored and later rendered as live HTML:

```php
'label' => '<div class="row"><div class="row__column row__column--compact row__column--middle mr-1"><div style="width: 15px; height: 15px; border-radius: 2px; background: #' . $tag->color . ';"></div></div><div class="row__column row__column--middle">' . $tag->name . '</div></div>' // phpcs:ignore
```

**Proof of Concept:**

1. Create a new tag whose name is the payload `<img src="a" onmouseover="alert(1)">`.
2. Open the "Create New Spending Transaction" page. The stored payload is rendered in the `Tag` field, and the script executes when the mouse moves over the injected image.
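The following is an added example, not code from the Budget project, that reproduces the unsafe concatenation beside a hardened version. It assumes a minimal `Tag` class with the `name` and `color` properties the vulnerable line reads, and it assumes (as the `// phpcs:ignore` and embedded markup suggest) that the resulting `label` is rendered as raw HTML, so encoding must happen at the point of concatenation. The hardened builder HTML-encodes the tag name and restricts the color to 3 or 6 hex digits, since the same line also drops `$tag->color` unescaped into a `style` attribute.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the Eloquent Tag model; only the two fields
// used by the vulnerable label are modelled.
final class Tag
{
    public function __construct(public string $name, public string $color) {}
}

// Mirrors the vulnerable line: both user-controlled fields reach the HTML unescaped.
function buildLabelUnsafe(Tag $tag): string
{
    return '<div class="row">'
        . '<div class="row__column row__column--compact row__column--middle mr-1">'
        . '<div style="width: 15px; height: 15px; border-radius: 2px; background: #' . $tag->color . ';"></div>'
        . '</div>'
        . '<div class="row__column row__column--middle">' . $tag->name . '</div>'
        . '</div>';
}

// Hardened: encode the name for an HTML text context and whitelist the colour.
// In a Laravel app the e() helper performs the same htmlspecialchars() call.
function buildLabelSafe(Tag $tag): string
{
    $name = htmlspecialchars($tag->name, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Only a bare 3- or 6-digit hex value is allowed inside the style attribute;
    // anything else falls back to a neutral grey (fallback value is an assumption).
    $color = preg_match('/^[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$/', $tag->color) === 1
        ? $tag->color
        : 'cccccc';

    return '<div class="row">'
        . '<div class="row__column row__column--compact row__column--middle mr-1">'
        . '<div style="width: 15px; height: 15px; border-radius: 2px; background: #' . $color . ';"></div>'
        . '</div>'
        . '<div class="row__column row__column--middle">' . $name . '</div>'
        . '</div>';
}

// Constructed input: the tag name from the proof of concept, plus a colour value
// that tries to break out of the style attribute.
$tag = new Tag('<img src="a" onmouseover="alert(1)">', 'fff" onmouseover="alert(2)');

echo "Unsafe:\n", buildLabelUnsafe($tag), "\n\n";
echo "Safe:\n", buildLabelSafe($tag), "\n";
```

Run with `php label_example.php`. In the unsafe output the `<img>` tag and the second `onmouseover` handler appear verbatim and would execute in the browser; in the safe output the name is emitted as `&lt;img src=&quot;a&quot; ...&gt;` and the invalid colour is replaced, so neither payload leaves the text context it was placed in.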