The color input fields accept HTML and JavaScript code without immediate rejection. When malicious code like <script>alert('XSS')</script> is entered, the system accepts it at the form level and only sanitizes it during backend processing. While the actual XSS attack is prevented by backend sanitization, the lack of client-side validation creates a poor user experience and represents a security validation gap.
Steps to Reproduce:
Navigate to: Administrator > Templates > Styles > Cassiopeia Extended - Default > Colour Settings
Triple-click "Header Background Colour" field
Paste: <script>alert('XSS')</script>
Click: Save button
Result: Code is accepted, then silently sanitized to default value on save
Expected Result:
HTML/JavaScript code immediately rejected
Visual indication that input is invalid
Error message: "Only color values (e.g., rgb(255, 0, 0)) are allowed"
Save button disabled until valid value entered
Actual Result:
Code accepted in form field
No immediate validation feedback
Backend sanitization silently removes code
User sees their input disappear with no explanation
Affected Fields: All color input fields in Colour Settings tab
Root Cause:
Missing input pattern validation
No client-side HTML sanitization check
No user feedback mechanism
Current Mitigation:
Backend sanitization prevents actual XSS execution, but UX is poor
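The "Expected Result" list above describes a client-side colour-value check with inline feedback and a gated Save button. The following is an added example of that pattern, not code from Joomla or from the reporter: the regular expressions, the `isValidColour`/`checkColourField`/`attachColourValidation` names and the fake-DOM-free design are assumptions made here. It accepts hex, rgb()/rgba() and hsl()/hsla() forms and rejects anything else, including the `<script>` payload from the report; named colours such as `red` are deliberately not accepted, since the report's own error message only promises rgb() values. The security caveat is the one the report concedes: a check that runs in the browser can be bypassed by anyone who edits the request, so it is a usability feature, and the server-side sanitization stays the actual XSS control.

```javascript
// Added example (not Joomla's code): client-side colour validation for a
// template style field. UX only; the server must still sanitize the value.

// Assumed accepted syntaxes: #rgb, #rgba, #rrggbb, #rrggbbaa, rgb()/rgba(), hsl()/hsla().
const HEX = /^#(?:[0-9a-f]{3}|[0-9a-f]{4}|[0-9a-f]{6}|[0-9a-f]{8})$/i;
const RGB = /^rgba?\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*(?:,\s*(?:0|1|0?\.\d+)\s*)?\)$/i;
const HSL = /^hsla?\(\s*(\d{1,3})\s*,\s*(\d{1,3})%\s*,\s*(\d{1,3})%\s*(?:,\s*(?:0|1|0?\.\d+)\s*)?\)$/i;

// Message text taken from the report's "Expected Result".
const MESSAGE = 'Only color values (e.g., rgb(255, 0, 0)) are allowed';

// Returns true only for a syntactically valid colour whose components are in range.
function isValidColour(value) {
  const v = String(value).trim();
  if (HEX.test(v)) return true;
  let m = RGB.exec(v);
  if (m) return [m[1], m[2], m[3]].every((c) => Number(c) <= 255);
  m = HSL.exec(v);
  if (m) return Number(m[1]) <= 360 && Number(m[2]) <= 100 && Number(m[3]) <= 100;
  return false; // anything else, including '<script>...</script>', is rejected
}

// Pure check used by the DOM wiring below; returns the state the UI should show.
function checkColourField(value) {
  const ok = isValidColour(value);
  return { valid: ok, message: ok ? '' : MESSAGE };
}

// Browser wiring: validate on every keystroke, surface the message through the
// constraint-validation API and disable Save while the value is invalid.
// `input` and `saveButton` are assumed to be the <input> and the Save <button>.
function attachColourValidation(input, saveButton) {
  const update = () => {
    const { valid, message } = checkColourField(input.value);
    input.setCustomValidity(message);          // empty string means "valid"
    input.classList.toggle('is-invalid', !valid);
    saveButton.disabled = !valid;
  };
  input.addEventListener('input', update);
  update();
}
```

Usage in a page would be `attachColourValidation(document.querySelector('#jform_params_colour'), document.querySelector('#save'))` with whatever selectors the form actually uses (the ids here are placeholders). The check deliberately bounds each channel (255 for rgb, 360/100/100 for hsl) rather than trusting the regex alone, because `rgb(999, 0, 0)` matches the pattern but is not a colour a browser will render.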
| Labels | Removed: ? |
| Labels | Added: No Code Attached Yet |
| Labels | Added: AI Generated |
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2026-01-30 18:12:32 |
| Closed_By | ⇒ | rdeutz |
Please stop using AI to generate Issues, we have enough to do with real problems.