Topic titles susceptible to script injection
-
-
@RaceProUK
https://what.thedailywtf.com/post/1138590
Can you add that to the report? I don't have access to my GH account at work.
-
@izzion I've already mentioned the possibility of injecting malicious URLs ;)
-
@RaceProUK
I guess I didn't read the initial report as "it can cause things on the unread page to be clickjacked"... I can kind of see it now that I'm reading it that way, but...
-
@RaceProUK damn, I was gonna try and find the XSS vulnerability with this bug today. T_T
-
@RaceProUK
Uhm, should you also mention that we have the fix for #5588 installed?
-
@izzion Good point: added
-
@RaceProUK it'd be the same inside a post, too, right?
[[global:404.message, javascript:alert('XSS GET');//]]
-
@anotherusername Confirmed; added
-
[[global:b, a<script>alert(1);</script>]]
[[global:pagination.out_of, 34<script>alert(1);</script>, 666<script>alert(1);</script>]]
[[error:user-banned-reason, lol gtfo<script>alert(1);</script>]]
[[error:file-too-big, 640<script>alert(1);</script>]]
[[error:title-too-short, 2<script>alert(1);</script>]]
[[error:title-too-long, 42<script>alert(1);</script>]]
[[error:not-enough-tags, over 9000<script>alert(1);</script>]]
[[error:content-too-short, 1.2<script>alert(1);</script>]]
[[error:content-too-long, 8<script>alert(1);</script>]]
[[error:tag-too-short, 15.2<script>alert(1);</script>]]
[[error:tag-too-long, 15.7<script>alert(1);</script>]]
[[modules:composer.user_said_in, @anotherusername, Topic titles susceptible to script injection<script>alert(1);</script>]]
[[modules:composer.user_said, @anotherusername<script>alert(1);</script>]]
[[topic:link_back, Topic titles susceptible to script injection<script>alert(1);</script>, javascript:alert('test');//<script>alert(1);</script>]]
...nothing too special there, I guess...
-
This post is deleted!
-
This post is deleted!
-
@RaceProUK the GitHub issue was closed, but the bug is still present in the "Replying to" header when replying to a post in the topic on desktop.
-
Bug also still present in notifications for posts in the thread.
-
@Greybeard
Well, most likely, the fix hasn't been pulled yet :P
-
-
@izzion It has been fixed in some places, just not all places.
-
@izzion said in Topic titles susceptible to script injection:
@Greybeard
Well, most likely, the fix hasn't been pulled yet :P
The fix seemed kinda half-assed to me... it looked like they did some weird replacement so that certain code wouldn't break, but other code still broke.
Then @ben_lubar started going through and he's somehow disabled the parsing in topics and posts, but it's still not fixed when it's parsing the title in notifications, or in the reply message above your post composer...
-
@anotherusername There's also the toaster to consider, but I'm not quick enough to click on any link.
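The payload list earlier in the thread and the discussion of the partial fix both come down to one thing: a `[[namespace:key, arg1, arg2]]` translator that expands tokens found in user-supplied text and drops the arguments straight into HTML. The block below is an added example written for this page; it is not NodeBB's translator, not the fix referenced in the thread, and the string table, regex and `neutralizeTokens` helper are all constructed here as assumptions about how such a translator behaves. It shows the naive expansion, a hardened table that escapes every argument and refuses non-http hrefs, and why escaping the title alone is not enough when a later pass (notifications, the composer header) runs the translator again.

```javascript
// Added example, not NodeBB's code: a toy model of the [[namespace:key, args]]
// translator syntax discussed in the thread. The string table, regex and
// payloads below are constructed for this example.

// Constructed translation table in a naive "%1 %2" placeholder style.
const STRINGS = {
  'global:b': '<strong>%1</strong>',
  'global:pagination.out_of': '%1 out of %2',
  'topic:link_back': 'Re: <a href="%2">%1</a>',
  'modules:composer.user_said': '%1 said:',
};

// Matches [[ns:key]] and [[ns:key, arg1, arg2]] (assumed token grammar).
const TOKEN_RE = /\[\[([A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+)(?:,([^\]]*))?\]\]/g;

function splitArgs(argStr) {
  return argStr === undefined ? [] : argStr.split(',').map((s) => s.trim());
}

// Vulnerable: user-controlled arguments are substituted straight into HTML.
function naiveTranslate(text) {
  return text.replace(TOKEN_RE, (match, key, argStr) => {
    const tpl = STRINGS[key];
    if (tpl === undefined) return match;
    const args = splitArgs(argStr);
    return tpl.replace(/%(\d+)/g, (_, n) => args[Number(n) - 1] ?? '');
  });
}

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only same-origin paths and http(s) URLs may land in an href; anything else
// (javascript:, data:, vbscript:, protocol-relative //host) becomes '#'.
function safeHref(url) {
  const u = String(url).trim();
  return /^(?:\/(?!\/)|https?:\/\/)/i.test(u) ? u : '#';
}

// Hardened table: templates are functions that escape every argument and
// route URL-positioned arguments through safeHref. Escaping alone would still
// let javascript: through in link_back, which is why both steps are needed.
const SAFE_STRINGS = {
  'global:b': (a) => `<strong>${escapeHtml(a[0] ?? '')}</strong>`,
  'global:pagination.out_of': (a) =>
    `${escapeHtml(a[0] ?? '')} out of ${escapeHtml(a[1] ?? '')}`,
  'topic:link_back': (a) =>
    `Re: <a href="${escapeHtml(safeHref(a[1] ?? ''))}">${escapeHtml(a[0] ?? '')}</a>`,
  'modules:composer.user_said': (a) => `${escapeHtml(a[0] ?? '')} said:`,
};

function safeTranslate(text) {
  return text.replace(TOKEN_RE, (match, key, argStr) => {
    const render = SAFE_STRINGS[key];
    return render === undefined ? match : render(splitArgs(argStr));
  });
}

// The other half: user-supplied text (a topic title, a post body) must never
// reach the translator as live syntax. Encoding '[' as &#91; renders the same
// but stops TOKEN_RE from matching, so a later translation pass elsewhere in
// the UI cannot re-expand it. (Assumed mitigation, not the project's fix.)
function neutralizeTokens(userText) {
  return escapeHtml(userText).replace(/\[/g, '&#91;');
}

// Runs the constructed payloads through each path and returns the results.
function demo() {
  const payload = '[[global:b, a<script>alert(1);</script>]]';
  const linkPayload =
    "[[topic:link_back, Topic titles<script>alert(1);</script>, javascript:alert('test');//]]";
  return {
    naive: naiveTranslate(payload),
    safe: safeTranslate(payload),
    naiveLink: naiveTranslate(linkPayload),
    safeLink: safeTranslate(linkPayload),
    neutralized: naiveTranslate(neutralizeTokens(payload)),
  };
}
```

`demo().naive` yields a live `<script>` element and `demo().naiveLink` a `javascript:` href, which is the clickable-link case raised earlier in the thread; `safeTranslate` escapes the text and downgrades the href, and `neutralizeTokens` leaves the payload as literal text even when the naive translator runs over it afterwards, which is the property the partial fix lacked in notifications and the composer header.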