This issue is most easily explained by a screenshot:

[Screenshot: rmas_screenshot]

The title of the thread linked to contains the <input> start tag: Help on clear text in <input> !!.
I'm wondering what would happen if someone inserted an <img> tag in a thread title...

Edit: Perhaps the solution is not to strip them, but to convert them so that they are not parsed as HTML.
Edit: This is reproducible by opening the thread I linked to while having the activity stream open in another tab.

~s.o.s~ commented: Nice find +0

Interesting find, hopefully Dani or one of the other admins can take a look at this as it clearly is a security problem.

Perhaps a redundant question: is it also fixed for member usernames?
Or does the registration process prevent users from putting HTML in their nicknames?
Edit: What about a user that does a name change?

> Perhaps a redundant question: is it also fixed for member usernames?

Yes.

> Or does the registration process prevent users from putting HTML in their nicknames?

It doesn't, although usernames are limited by the number of characters.

> Edit: What about a user that does a name change?

Same.
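
Added example (not part of the thread and not DaniWeb's code): the difference between stripping tags and converting them at output time, applied to the thread title from the first post and to a username. The function names, the sample username and the sample URL are assumptions made for illustration.

```javascript
// Hypothetical helpers; none of these names come from DaniWeb's code base.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

// Convert markup-significant characters so the browser shows them as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Naive tag stripping, shown only for comparison: it silently changes
// what the author wrote and is easy to get wrong.
function stripTags(text) {
  return String(text).replace(/<[^>]*>/g, '');
}

// Build one activity-stream entry. Every user-controlled field (username,
// thread title) is escaped where it is written into HTML, so it does not
// matter what registration, name changes or thread creation allowed in.
// Assumption: threadUrl is generated by the server, not typed by a user;
// escaping it only protects the attribute boundary.
function renderStreamItem(username, threadTitle, threadUrl) {
  return '<li><span class="user">' + escapeHtml(username) + '</span> posted in ' +
    '<a href="' + escapeHtml(threadUrl) + '">' + escapeHtml(threadTitle) + '</a></li>';
}

// Title taken from the thread above; username and URL are constructed samples.
const title = 'Help on clear text in <input> !!';
const sampleUser = 'a<b>c';

console.log(stripTags(title));   // the word "<input>" is lost from the title
console.log(escapeHtml(title));  // the title survives and is displayed as text
console.log(renderStreamItem(sampleUser, title, '/threads/123'));
```

Escaping at the point of output keeps the stored title and username unchanged, so the same data can still be used safely in other contexts that need a different encoding.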
