1

This issue is easiest explained by a screenshot:

[Screenshot: rmas_screenshot]

The title of the thread linked to contains the <input> start tag: Help on clear text in <input> !!.
I'm wondering what would happen if someone inserted an <img> tag in a thread title...

Edit: Perhaps the solution is not to strip them, but to convert them so that they are not parsed as HTML.
Edit: This is reproducible by opening the thread I linked to while having the activity stream opened in another tab.

Edited by mvmalderen

Votes + Comments: Nice find

3 Contributors, 4 Replies, 32 Views, 4 Years Discussion Span, Last Post by Dani
0

Interesting find, hopefully Dani or one of the other admins can take a look at this as it clearly is a security problem.

0

Perhaps a redundant question: is it also fixed for member usernames?
Or does the registration process prevent users from putting HTML in their nicknames?
Edit: What about a user that does a name change?

Edited by mvmalderen

1

Perhaps a redundant question: is it also fixed for member usernames?

Yes.

Or does the registration process prevent users from putting HTML in their nicknames?

It doesn't, although usernames are limited by the number of characters.

Edit: What about a user that does a name change?

Same.
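
The conversion suggested in the first post's edit (emit thread titles and usernames so that they are not parsed as HTML), shown beside the unescaped rendering, as an added example that is not part of the original thread and is not the forum's own code. The function names, the item fields and the sample data are assumptions made for illustration.

```javascript
// Added illustration: output-encoding user-controlled fields in an
// activity-stream entry. All names and sample data here are constructed.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Replace every character HTML treats as markup with a character reference.
// A single pass means an already-produced '&' is never escaped twice.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": title and username are concatenated straight into the markup,
// so a tag in either one is parsed by the browser as a real element.
function renderItemUnsafe(item) {
  return `<li><a href="/threads/${item.threadId}">${item.title}</a>` +
         ` by ${item.username}</li>`;
}

// "After": every user-controlled string is escaped at output time, and the
// thread id is forced to a non-negative integer before it reaches the href.
function renderItemSafe(item) {
  const id = Number.parseInt(item.threadId, 10);
  if (!Number.isSafeInteger(id) || id < 0) {
    throw new TypeError('threadId must be a non-negative integer');
  }
  return `<li><a href="/threads/${id}">${escapeHtml(item.title)}</a>` +
         ` by ${escapeHtml(item.username)}</li>`;
}

// Constructed sample: the title quoted in the thread and a username
// that contains markup (usernames were the follow-up question).
const sampleItem = {
  threadId: 42,
  title: 'Help on clear text in <input> !!',
  username: '<b>x</b>',
};

console.log(renderItemUnsafe(sampleItem));
console.log(renderItemSafe(sampleItem));
```

Escaping at output keeps the stored title intact, so the thread page can still display the literal text `<input>`. Client-side code that builds the stream from DOM nodes gets the same result by assigning the title to `textContent` instead of `innerHTML`.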
