User Card Guy is the new Signature Guy
-
You ever find a bug and you almost don't want to tell anyone about it, because then it's just a matter of time before the fun is over? But if you never tell anyone, then no one else can enjoy it? It sucks.
I'd rather take credit for awesome though, however fleeting the awesome may be. (And in spite of the fact that it didn't exactly take NSA-level hacking skills to uncover.) Click on my avatar icon to enjoy User Card Guy.
The meddling developers better not fix this one.
Filed under: I expect everyone to have a user card guy by the end of the weekend
-
If it's what I think it is, it's already broken?
EDIT: no, not already broken. Only exposed elsewhere that gives away how you did it. Given the level of vulnerability in question... it's going to get fixed.
-
Yeah I figure it'll maybe last an hour.
-
Shame because it's cute. Sadly security trumps good taste.
-
This topic is now invisible. It will no longer be displayed in any topic lists. The only way to access this topic is via direct link.
-
So sorry, I need to hide this, it's actually a confirmed XSS :( fixing now, will deploy the fix shortly
Filed under: oh my, this is the second XSS I fixed this week
-
I got no problem with it being hidden; it IS a confirmed XSS vulnerability after all. The OP may feel differently.
XSS is a threat that applies to us all in the web programming world. Rule 1: assume the user is putting in bad content and never ever ever do anything with it until you know otherwise.
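Added illustration of the rule stated above (not part of the thread, and not Discourse's own code): a constructed profile whose location field carries markup, rendered once by string interpolation that trusts the value and once by a renderer that escapes every user-supplied field and truncates the location. The `escapeHtml`, `truncate` and `renderUserCard*` names and the 40-character limit are assumptions made for the example.

```javascript
// Constructed sample profile. "location" is free text typed by the user,
// so the template must treat it as untrusted.
const sampleUser = {
  username: "alice",
  location: 'Paris <b>not really</b> "quoted"',
};

// Escape the five characters that change meaning inside HTML text and
// attribute values. Applies only to HTML body/attribute context; a value
// dropped into a URL or a <script> block needs context-specific encoding.
function escapeHtml(value) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => table[ch]);
}

// Cut over-long values before they reach the template, so a wall of
// "WWWW..." cannot stretch the card even if the CSS never truncates.
function truncate(value, max) {
  const s = String(value);
  return s.length > max ? s.slice(0, max - 1) + "\u2026" : s;
}

// The newbie mistake: interpolating user text straight into markup.
// Anything the user typed, tags included, becomes part of the DOM.
function renderUserCardUnsafe(user) {
  return (
    `<div class="user-card"><h3>${user.username}</h3>` +
    `<span class="location">${user.location}</span></div>`
  );
}

// Hardened form: every user-controlled field goes through escapeHtml,
// and the location is bounded in length first.
function renderUserCard(user, maxLocation = 40) {
  return (
    `<div class="user-card"><h3>${escapeHtml(user.username)}</h3>` +
    `<span class="location">${escapeHtml(truncate(user.location, maxLocation))}</span></div>`
  );
}

// Cheap review check: the rendered card must not contain the raw markup
// from the input anywhere (used here as a self-test of the renderer).
function leaksRawMarkup(html, userText) {
  return /[<>]/.test(userText) && html.includes(userText);
}

console.log(renderUserCardUnsafe(sampleUser)); // tags survive: the bug
console.log(renderUserCard(sampleUser));       // tags become &lt;b&gt;...
```

In a browser the same result is easier to get by assigning the value with `textContent` instead of building HTML strings, and most templating engines escape by default; the escaping function above exists so the difference between the two renderers is visible in plain Node.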
-
Yeah I am so so so thankful the community here are testing all this stuff. We should have been a bit stricter reviewing the change that introduced it, it was a newbie mistake :(
-
CSS should be improved to truncate, but XSS crisis averted. Change is deployed here (you may need to refresh your browser)
Thanks heap.
Filed under: My new location is WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
-
That's what you get when you introduce software to people that specialise in making and breaking it. Especially when at least initially they didn't like it - and a lot of the stress testing was 'I don't like this, how can I break it?'
-
Aww... sad but necessary.
Unhide the topic for posterity? User Card Guy lives on in my heart.
-
For the record this was my bug.
-
Unhide the topic for posterity?
We can't really, it will become Google searchable and then the poor sods running old versions of Discourse suffer.
-