I wonder if this is gonna work... <script type="text/javascript"> alert("Discourse is a buggy POS"); </script>



  • Continuing the discussion from SidebarWTFs are not sanitized for mainpage:

    @Kuro said:

    I know it's a plugin and not a core-forum-feature and also the mainpage is going to get redesigned.
    I also don't even know if it's Discourse's fault, but when creating a title in the Sidebar category the title should be sanitized for the main page.

    Reproduction: Create a Topic like this: To proceed, open <filename>.dmg (Sidebar-Category with &lt; &gt;)
    Expected Result: The main page title looks the same as the Sidebar topic title
    Actual Result:
    [screenshot: /uploads/default/2427/c39bddec4b0effb9.png]
    vs
    [screenshot: /uploads/default/2428/cd123bf09e57c8fc.png]

    Bonus: Not sure how Markdown and other craziness works in topic titles, but one might wanna look into stripping the resulting title of crazy shenanigans.

    BonusBonus: the Outgoing and incoming links would also like this. Seems pretty abusable, actually... Somebody should write a "I agree with whatever Morbs just said"-script for threadtitles 😃

    Filed under: I am sure I emerged this Topic from somewhere but it's not showing

    Of course, I couldn't resist.



  • It's not showing on the main page at all right now. I wonder how it selects the ones it shows, it doesn't seem to be just the newest or most active ones.



  • @marinus said:

    It's not showing on the main page at all right now. I wonder how it selects the ones it shows, it doesn't seem to be just the newest or most active ones.

    It only takes topics from "Side Bar WTF" category. I wanted to leave it in bugs to avoid breaking the main page, but if you visit the linked thread, you'll get the popup.



  • This is a really concerning oversight for web software...


  • I find it also pretty alarming that none of the other communities that use this software ever found this?
    It seems like something spammers would just have a field day with.

    I just wrote a paragraph here that explained pretty site-breaking things, with an addendum not to do it, but took it out because I felt like I was giving ideas to people... but since everybody in here is an IT person I guess I can't be the only one able to add 1 + 1 together.

    People, be reasonable

    @codinghorror Can't you for a while just strip all tags from Titles until a real fix is out? This does seem like something CS would have made possible 😃

    Filed under: @subscript_error is apparently not reasonable



  • I don't really understand the problem. Surely it's just a matter of looking for anywhere the title is output and HTML encoding it. That should be a quick fix.
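The fix proposed in that post, as an added example (not Discourse's code, not the Sidebar plugin's code, and not written by anyone in this thread): encode the title at the point where it is written into HTML. The two rendering functions and the `auditTitles` check are assumptions for illustration; the sample titles are constructed from the payloads mentioned in this thread plus one with an ampersand and quotes.

```javascript
// Added example, not Discourse's own code: output-encode a topic title at the
// point where it is written into HTML, and compare against raw concatenation.
// TITLES is constructed for the demo from the payloads discussed in this thread.
const TITLES = [
  'To proceed, open <filename>.dmg',
  'I wonder if this is gonna work... <script type="text/javascript"> alert("Discourse is a buggy POS"); </script>',
  'Tom & Jerry say "it\'s fine"',
];

// Encode the five characters that can break out of text or attribute context.
const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// Inverse of escapeHtml for the entities it emits. Used to show that the
// browser would display exactly the original title (the "expected result"),
// including titles that already contain literal "&lt;".
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, n) => NAMED[n]);
}

// Vulnerable rendering (hypothetical): string concatenation, title goes in raw.
function renderTitleUnsafe(title) {
  return '<a class="topic-title">' + title + '</a>';
}

// Hardened rendering (hypothetical): same markup, title encoded at output time.
function renderTitleSafe(title) {
  return '<a class="topic-title">' + escapeHtml(title) + '</a>';
}

// Crude detector for the demo only: does anything inside our wrapper element
// look like the start of a tag, comment or end tag?
function containsForeignTag(html) {
  const inner = html
    .replace(/^<a class="topic-title">/, '')
    .replace(/<\/a>$/, '');
  return /<[a-zA-Z/!]/.test(inner);
}

// Render every title both ways and report what leaks; one record per title.
function auditTitles(titles) {
  return titles.map((title) => ({
    title,
    unsafeLeaksMarkup: containsForeignTag(renderTitleUnsafe(title)),
    safeLeaksMarkup: containsForeignTag(renderTitleSafe(title)),
    roundTrips: decodeEntities(escapeHtml(title)) === title,
  }));
}

// Stand-alone run: print the audit table.
for (const record of auditTitles(TITLES)) {
  console.log(record);
}
```

The encoding belongs at every output point, not at input time: if the stored title were rewritten to `&lt;filename&gt;` on save, the sidebar view that already encodes correctly would then display the entity text literally, which is the double-encoding failure the "looks the same in both places" expectation is really testing for.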



