Does it work?
-
Continuing the discussion from Can we do link injection?:
Continuing the discussion from Continuing the discussion from Testing .fa-spin oneboxing:
This might work
Well does it?
-
See note here. You don't need the `</a>` at the start.
-
@sam - does this count as XSS?
i do believe so. and that means we get to give out a gold badger!
-
Nicely done ;)
-
Oh dear...
Off to meta.d with you.
@sam - does this count as XSS?
Reported on meta.d
https://meta.discourse.org/t/links-in-topic-titles-override-topic-link/26837
-
@sam - does this count as XSS?
Only if there's a locally exploitable bug in the composer; this would turn it into remotely exploitable.
-
I think it's badge-worthy, just not sure if XSS is the proper name for the badge...
-
It's HTML. There's no scripting involved. @PJH <kbd>HTML Award</kbd> is the badge.
-
I bumped a post to a new flag: HTML injection via reply as linked topic: Who gets badges?