Input from fields with the TinyMCE widget (TestPlan: Summary; TestCase: Breakdown, Setup, Action, Expected Results) is not sanitized and is rendered as is to the clients. The offending function is:

    from subprocess import Popen, PIPE

    def html2text(value):
        """
        Pipes given HTML string into the text browser W3M, which renders it.
        Rendered text is grabbed from STDOUT and returned.
        """
        try:
            cmd = "w3m -dump -T text/html -O ascii"
            proc = Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE)
            return proc.communicate(str(value))[0]
        except OSError:
            # something bad happened (e.g. w3m not installed), so just return
            # the input -- i.e. the original, unsanitized HTML
            return value

An attacker can add arbitrary JavaScript to, for example, a TestPlan Summary, and the JavaScript is then executed for everyone viewing the test plan.
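The following is an added example of a fail-closed variant of the function above; it is not the project's code. It keeps the w3m rendering path but never hands raw markup back to the caller: when w3m is missing, cannot be started, or exits with an error, the input is HTML-escaped instead. The optional w3m_path parameter is an assumption introduced here so the fallback can be exercised deterministically.

```python
import html
import shutil
from subprocess import Popen, PIPE


def html2text_safe(value, w3m_path=None):
    """Render an HTML string to plain text with w3m, failing closed.

    On any failure to run w3m the input is returned HTML-escaped, so a
    stored <script> element can never reach the page as live markup.
    Even on success the result is plain text and must still be escaped
    by the template layer when inserted into HTML.
    """
    if not isinstance(value, str):
        value = str(value)

    # Resolve the binary up front; None means w3m is not installed.
    exe = w3m_path or shutil.which("w3m")
    if exe is None:
        return html.escape(value)

    try:
        # argv list instead of shell=True: no shell parsing of the command.
        proc = Popen([exe, "-dump", "-T", "text/html", "-O", "ascii"],
                     stdin=PIPE, stdout=PIPE, stderr=PIPE)
        out, _ = proc.communicate(value.encode("utf-8"))
    except OSError:
        # w3m path exists in config but could not be executed.
        return html.escape(value)

    if proc.returncode != 0:
        # Renderer ran but failed; still do not leak the raw HTML.
        return html.escape(value)

    return out.decode("ascii", errors="replace")


# Constructed sample input resembling a stored TestPlan Summary payload.
SAMPLE = "<p>Plan summary</p><script>alert(1)</script>"


def demo():
    # Force the fallback path with a path that does not exist.
    return html2text_safe(SAMPLE, w3m_path="/nonexistent/bin/w3m")


if __name__ == "__main__":
    print(demo())
```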