Cross-Site Scripting (XSS)

wagtail is vulnerable to cross-site scripting. Lack of proper escaping of HTML in Wagtail StreamField blocks (CharBlock , TextBlock or a similar user-defined block derived from FieldBlock) allows a user with ability to author StreamField content to inject and execute arbitrary Javascript in a user’s browser.