Site error?



  • Hi,

    I've been visiting this site for a long time now, but on browsing back, I don't remember this happening last time I visited that page..



  • @Diep-Vriezer said:

    Hi,

    I've been visiting this site for a long time now, but on browsing back, I don't remember this happening last time I visited that page..

    Oh nice, cross-site scripting vulnerabilities.. Tsk tsk, Alex!

    To clarify: the javascript alert is something a user posted in a comment. The previous forum software correctly escaped/stripped out the javascript, but when the old articles are served by the new frontend software, it's just output as html. My guess is that CommunityServer stores the input raw and filters it for display, while Alex' code filters the input and displays the raw post as it's in the database. Add both together, and you've got content that's not filtered at all. I do wonder if that's fixed for new posts at least..



  • Yup looks like it's fixed. Oh wait, I suppose I should be trying this on the frontpage, shouldn't I? ...

    <script language="JavaScript">-alert("Boo");</script>



  • Well I'm just glad it didn't redirect all traffic to 'Bath'-girl like websites.


  • @Nandurius said:

    To clarify: the javascript alert is something a user posted in a comment. The previous forum software correctly escaped/stripped out the javascript, but when the old articles are served by the new frontend software, it's just output as html. My guess is that CommunityServer stores the input raw and filters it for display, while Alex' code filters the input and displays the raw post as it's in the database. Add both together, and you've got content that's not filtered at all. I do wonder if that's fixed for new posts at least..

    Correct. The Rich-Text Editor that CommunityServer used stripped most bad stuff out before sending it to the server. CommunityServer accepted the input, but then stripped all bad stuff when displaying it. Why they didn't do it on input is beyond me.

    In my code, comments posted after a certain date are run through the BBCode processor, comments before that are displayed raw. I suppose I could go back and filter the old, raw comments, but I doubt there are many more like that .... (which, btw, has been deleted)
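The failure mode Nandurius and Alex describe above (old frontend filters on display, new frontend filters on input, legacy rows end up filtered by neither) can be closed by escaping on output for every row regardless of era. The example below is an added illustration, not Alex's code or CommunityServer's; the cut-over date, the `Comment` record and the tiny BBCode subset are all assumptions, and the sample rows are constructed.

```python
import html
import re
from dataclasses import dataclass
from datetime import date

# Hypothetical cut-over date: the thread only says "a certain date".
BBCODE_CUTOVER = date(2006, 1, 1)


@dataclass
class Comment:
    posted: date
    body: str  # stored exactly as submitted; the database is not a trust boundary


# Whitelisted BBCode subset, applied only AFTER the text has been HTML-escaped,
# so the only markup that can reach the page is what this table emits.
_BB_TAGS = [
    (re.compile(r"\[b\](.*?)\[/b\]", re.S), r"<b>\1</b>"),
    (re.compile(r"\[i\](.*?)\[/i\]", re.S), r"<i>\1</i>"),
    # Scheme pinned to http(s); quotes and angle brackets are already entities,
    # so nothing inside the URL can break out of the href attribute.
    (re.compile(r"\[url=(https?://[^\s\]]+)\](.*?)\[/url\]", re.S),
     r'<a href="\1" rel="nofollow">\2</a>'),
]


def bbcode_to_html(raw: str) -> str:
    out = html.escape(raw, quote=True)  # <, >, &, ", ' -> entities
    for pattern, repl in _BB_TAGS:
        out = pattern.sub(repl, out)
    return out


def display_legacy_raw(c: Comment) -> str:
    """The bug from the thread: a legacy row echoed as HTML, unfiltered."""
    return c.body


def render_comment(c: Comment) -> str:
    """Filter on output for every row, whatever era it came from."""
    if c.posted < BBCODE_CUTOVER:
        # Legacy rows were only ever cleaned by the old frontend at display
        # time, so they must be shown as text, never interpreted as markup.
        return html.escape(c.body, quote=True)
    return bbcode_to_html(c.body)


# Constructed sample rows: the first mimics the script-in-a-comment case.
LEGACY = Comment(date(2005, 6, 1), '<script language="JavaScript">alert("Boo");</script>')
MODERN = Comment(date(2007, 3, 9), '[b]Boo[/b] <script>alert("Boo");</script> [url=https://example.com]site[/url]')

if __name__ == "__main__":
    for c in (LEGACY, MODERN):
        print(render_comment(c))
```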



  • @Alex Papadimoulis said:

    @Nandurius said:

    To clarify: the javascript alert is something a user posted in a comment. The previous forum software correctly escaped/stripped out the javascript, but when the old articles are served by the new frontend software, it's just output as html. My guess is that CommunityServer stores the input raw and filters it for display, while Alex' code filters the input and displays the raw post as it's in the database. Add both together, and you've got content that's not filtered at all. I do wonder if that's fixed for new posts at least..

    Correct. The Rich-Text Editor that CommunityServer used stripped most bad stuff out before sending it to the server. CommunityServer accepted the input, but then stripped all bad stuff when displaying it. Why they didn't do it on input is beyond me.

    In my code, comments posted after a certain date are run through the BBCode processor, comments before that are displayed raw. I suppose I could go back and filter the old, raw comments, but I doubt there are many more like that .... (which, btw, has been deleted)

    It's worth noting that, when posting from certain browsers, older versions of Community Server actually treated the posts as plain text rather than HTML. I also suspect that Community Server may have kept two versions of the post text - the version the user entered and a pre-cleaned one. (Certainly, it kept track of how the post was going to be displayed somehow - it didn't modify the actual post text you got when quoting or editing posts.)

    In other words, just taking the post text as originally entered and treating it as HTML probably won't give you the desired effect...