XSS on product's short description (Nop4.4)

1 month ago
I just created a total new instance of Nop4.4 with a void database.
Then I created a product with "<script>alert("🏴‍☠️Just Hacked by XSS🏴‍☠️");</script>" in short description and enabled the "Show on home page" checkbox.
Then for every user that goes on the homepage, the script starts running.
That also works with an Excel import.

Is it a real security issue or not ?
1 month ago
It's by design. We allow a store owner to enter any information because it would be weird if a store owner wants to hack his own store. But anyway if you want to avoid such behavior, please open this file and replace
@Html.Raw(Model.ShortDescription)

with
@Model.ShortDescription
1 month ago
Thanks a lot for your answer.
I think too that  it would be weird if a store owner tries to hack his own store. But I was thinking about allowing a vendor (maybe a tiers person) to introduce scripts via the catalog.

Best regards and thanks again for your responsiveness