Tested also on the actual demo, which is probably up to date.
Steps to reproduce:
In a comment text field (or maybe all other HTML/text fields, tested with the field "Comment") insert:
I can read
in the current saved comment
Even worse, emails sent from Rukovoditel show the same behaviour.
So any user of a Rukovoditel installation can infect all the other users with malicious code.