URL Encoded JavaScript that is passed as a form parameter is executed when the form is loaded

  • 11 August 2016

Symptoms


If JavaScript is placed in the 'SN' parameter of a SmartForm URL, it is executed when the form loads. For instance, a URL like:

https://SomeUrl/Runtime/Runtime/Form/SomeForm/?SN=%3Cscript%3Ealert%28%22hi%22%29%3C/script%3E
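
The symptom above, reproduced as an added example (not code from this article or from the product): a hypothetical page fragment echoes the decoded SN value into HTML, first as-is and then HTML-encoded. The function names and the `<span>` fragment are assumptions; the article does not say how SmartForms handles the parameter internally.

```javascript
// Added illustration; not SmartForms source code.
// Constructed sample input: the URL shown in the Symptoms section.
const SAMPLE_URL =
  'https://SomeUrl/Runtime/Runtime/Form/SomeForm/?SN=%3Cscript%3Ealert%28%22hi%22%29%3C/script%3E';

// URLSearchParams percent-decodes the value, as a web framework does
// before handing a query parameter to page code.
function getSN(url) {
  return new URL(url).searchParams.get('SN') ?? '';
}

// HTML-encode the characters that are significant in element content
// and in quoted attribute values.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical fragment that echoes SN back to the browser.
// Vulnerable form: the decoded value is concatenated into markup as-is.
function renderUnsafe(sn) {
  return '<span id="sn">' + sn + '</span>';
}

// Hardened form: the same fragment with the value encoded for HTML.
function renderSafe(sn) {
  return '<span id="sn">' + encodeHtml(sn) + '</span>';
}

// Crude regression check for this fragment: does the output contain
// a script element that the browser would parse and run?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

const sn = getSN(SAMPLE_URL);
console.log('decoded SN:', sn);
console.log('unsafe    :', renderUnsafe(sn), containsScriptElement(renderUnsafe(sn)));
console.log('safe      :', renderSafe(sn), containsScriptElement(renderSafe(sn)));
```

The encoded output renders the parameter as visible text instead of markup, so a check like `containsScriptElement` can serve as a regression test after applying the fix.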
 

Diagnosis


The issue was logged as a bug.
 

Resolution

The issue was corrected in SmartForms rollup 4611.21.
 




 
