I wonder if this is gonna work... <script type="text/javascript"> alert("Discourse is a buggy POS"); </script>
-
Continuing the discussion from SidebarWTFs are not sanitized for mainpage:
I know it's a plugin and not a core-forum-feature and also the mainpage is going to get redesigned.
I also don't even know if it's Discourse's fault, but when creating a title in the Sidebar category the title should be sanitized for the main page.
Reproduction:
Create a Topic like this: To proceed, open <filename>.dmg (Sidebar-Category with < >)
Expected Result: The Mainpage title looks the same as the Sidebar-Topictitle
Actual Result:
<img src="/uploads/default/2427/c39bddec4b0effb9.png" width="199" height="93">
vs
<img src="/uploads/default/2428/cd123bf09e57c8fc.png" width="635" height="45">
Bonus: Not sure how Markdown and other craziness works in Topic Titles, but one might wanna look into stripping the resulting Title of crazy shenanigans.
BonusBonus: the Outgoing and incoming links would also like this. Seems pretty abusable, actually... Somebody should write an "I agree with whatever Morbs just said" script for thread titles.
Filed under: I am sure I emerged this Topic from somewhere but it's not showing
Of course, I couldn't resist.
-
It's not showing on the main page at all right now. I wonder how it selects the ones it shows, it doesn't seem to be just the newest or most active ones.
-
It's not showing on the main page at all right now. I wonder how it selects the ones it shows, it doesn't seem to be just the newest or most active ones.
It only takes topics from "Side Bar WTF" category. I wanted to leave it in bugs to avoid breaking the main page, but if you visit the linked thread, you'll get the popup.
-
This is a really concerning oversight for web software...
-
I find it also pretty alarming that none of the other communities that use this software ever found this?
It seems like something spammers would just have a field day with.
I just wrote a paragraph here that explained pretty site-breaking things with an addendum to not do it, but took it out because I felt like giving ideas to people... but since everybody in here is an IT person I guess I can't be the only one able to add 1 + 1 together.
People, be reasonable
@codinghorror Can't you for a while just strip all tags from Titles until a real fix is out? This does seem like something CS would have made possible
Filed under: @subscript_error is apparently not reasonable
-
I don't really understand the problem. Surely it's just a matter of looking for anywhere the title is output and HTML encoding it. That should be a quick fix.
-
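The reproduction in the opening post (a title containing `<filename>.dmg` that renders differently on the main page) and the suggestion in the last post (encode the title wherever it is output) boil down to the same defensive rule. As an added example, not code from Discourse or the Sidebar WTF plugin, the following shows a title concatenated straight into markup next to the same rendering with output encoding, plus a small check that flags any raw tag surviving in the rendered string. The `renderTitleUnsafe`/`renderTitleSafe` functions and the `sidebar-title` wrapper element are assumptions for illustration; the sample titles are the two from this thread.

```javascript
// Added example (not Discourse/plugin code): encode topic titles at the point
// where they are written into HTML, independent of how they were stored.

// Minimal HTML entity map for text placed inside element content or attributes.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern that produces the bug: title interpolated into markup unchanged.
// (Hypothetical wrapper element; the real plugin markup is not known here.)
function renderTitleUnsafe(title) {
  return `<a class="sidebar-title">${title}</a>`;
}

// Hardened form: every title is encoded on output, so '<' in a title can only
// ever be text, never a tag, no matter what was saved in the database.
function renderTitleSafe(title) {
  return `<a class="sidebar-title">${escapeHtml(title)}</a>`;
}

// Constructed sample titles, copied from the two posts in this thread.
const SAMPLE_TITLES = [
  'I wonder if this is gonna work... <script type="text/javascript"> alert("Discourse is a buggy POS"); </script>',
  "To proceed, open <filename>.dmg",
];

// Reviewer's check: after removing the one wrapper element we expect,
// does any angle bracket remain in the rendered output?
function containsRawTag(html) {
  const inner = html.replace(/^<a class="sidebar-title">/, "").replace(/<\/a>$/, "");
  return /[<>]/.test(inner);
}

// Render both ways and report which titles would be interpreted as markup.
function auditTitles(titles) {
  return titles.map((title) => ({
    title,
    unsafeLeaksTag: containsRawTag(renderTitleUnsafe(title)),
    safeLeaksTag: containsRawTag(renderTitleSafe(title)),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditTitles(SAMPLE_TITLES));
}
```

The point of `containsRawTag` is that it checks the rendered string, not the stored title: a sanitize-on-input fix would leave older titles and every other output path (the outgoing/incoming link lists mentioned above) unprotected, whereas encoding at each output site covers all of them.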