Reminds me of a smallish forum I used to visit in the early '00s that used Ultimate Bulletin Board (a fairly popular piece of forum software at the time). While you could easily enable or disable HTML in posts, it did zero sanitization of thread titles or usernames, and the only way it limited the size of either was through the maxlength property of the input field. Once you edited that out of the HTML, you could do anything. Long story short, the owners were basically absent and not interested in improving the code, and once we all got bored of griefing the everloving f*ck out of the place, we started enhancing the site ourselves (think cornifying, but with Pokémon). Then someone discovered that you could easily hack into the admin functions because the file with the user data was just a CSV file and the delimiter character wasn't filtered from new usernames.
Anyway, I don't post much to begin with, but this new Discourse thing seems to be catastrophically bad.