HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.

JS injection using BBcode.

edited October 2005 in Vanilla 1.0 Help
Hi everyone. I would like to prevent you that there are some security issues allowing users to use BBCode extension. In fact, the problem is that the string is not correctly parsed when inserting images (and links), which may allows someone to add some javascript actions, flash or wathever he wants. Here is a trivial exemple of what could be done: [img]http://www.somewebsite.com/image.png" onload="javascript:alert('hello world')[/img] This will show the image and display a pop-up saying 'hello world', nothing dangerous, but it could be really a big hole, allowing users to steal passwords of the others. My suggestion, for the moment, is to disable this extension while a better parsing is founded. Cheers, gizmo


  • Crikey, Can you add this to the bug report as high importance? Perhaps whoever wrote the latest bbcode extension should be encouaged to update it.
  • MarkMark Vanilla Staff
    Wow. Nice find.
  • There are other js injection possibilities. See the provided link - I don't know if it belongs to vanilla, but want to share it (as I thought about js in css weeks ago) as an information resource: http://javascript.weblogsinc.com/entry/1234000770064356/
  • MarkMark Vanilla Staff
    Wow. thanks for the link.
This discussion has been closed.