HTML in titles not escaped properly when replying as new topic
-
That needs to be reported on meta.d
You gonna do it or shall I?
-
I don't have an account there
-
Meh, is it really that big of a deal?
<details> is an acceptable tag. It's not like you can abuse it to use arbitrary HTML in a post, right?
On the other side, if some casual computer user used "Reply as linked topic" and the post had weird < and stuff in it, wouldn't that be confusing as well?
Filed Under: Food for thought
-
It's a big deal insofar as it's not displaying the title of the thread in a link, like it should. It may not be an exploit, but it's still significant.
-
It's a big deal insofar as it's not displaying the title of the thread in a link, like it should. It may not be an exploit, but it's still significant.
I wonder what happens with markdowny titles.
-
I wonder what happens with markdowny titles.
http://what.thedailywtf.com/t/and-now-for-the-test/8735?u=raceprouk
-
I was faster.
Or not, because of discosort.
-
Did you guys just try to hanzo / inb4 each other with testing this?
Filed Under: That's a new one...
-
HanzodiscotestINB4?
-
I was frist! But I was more ambitious and went full fa-spin right away!
It didn't work :(
-
Well, yes.
The topic's title goes unescaped into the post.
From there the normal post bakery takes over - and that one removes fa-spin and <script>
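
The behaviour discussed in this thread, a topic title inserted unescaped into the generated reply, next to a version that escapes it first. This is an added example, not part of the thread and not Discourse's code; the function names, the "Reply to" wording, the forum.example URLs and the sample titles are assumptions made for illustration.

```javascript
// Added example with hypothetical helpers; not Discourse's implementation.
// Assumption: the generated reply body is Markdown that lets raw HTML through
// to a later sanitizer (the "post bakery" described in the thread).

// Backslash-escape Markdown punctuation so "**bold**" or "[x](y)" in a title
// stays literal text inside the generated link.
function escapeMarkdown(text) {
  return text.replace(/[\\`*_{}\[\]()#+\-.!|~]/g, '\\$&');
}

// Turn HTML metacharacters into entities so "<details>" is shown, not parsed.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
  return text.replace(/[&<>]/g, (ch) => map[ch]);
}

// Only allow http(s) targets and keep parentheses from closing the link early.
function safeLinkTarget(url) {
  const parsed = new URL(url); // throws on malformed input
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    throw new Error('unsupported link scheme: ' + parsed.protocol);
  }
  return parsed.href.replace(/\(/g, '%28').replace(/\)/g, '%29');
}

// What the thread describes: the title goes into the post as-is, so the
// sanitizer is the only thing deciding what the reader ends up seeing.
function linkedReplyUnescaped(title, url) {
  return 'Reply to [' + title + '](' + url + '):';
}

// Escaped variant: Markdown first, then HTML, so the entities added by
// escapeHtml are not themselves touched by the Markdown escaping.
function linkedReplyEscaped(title, url) {
  const text = escapeHtml(escapeMarkdown(title));
  return 'Reply to [' + text + '](' + safeLinkTarget(url) + '):';
}

// Constructed sample titles, modelled on the ones tried in the thread.
const sampleUrl = 'http://forum.example/t/test/1';
for (const title of ['<details>Test & more', '**x** [a](b)']) {
  console.log(linkedReplyUnescaped(title, sampleUrl));
  console.log(linkedReplyEscaped(title, sampleUrl));
}
```

With the escaped variant the link text shows the title exactly as typed, whatever the sanitizer would have allowed or removed.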