Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
XSS vulnerability
est
New
I was able to insert this code into almost any field on my About Me page:
<script>alert("Hello, XSS!");</script>
The only restriction was the field length.
And the script works and displays alert. As you could know malicious person might get access to a user's session using this.
Is there a way to escape < > chars in the user input?
Tagged:
0
Answers
you might want to use my plugin
http://vanillaforums.org/addon/myprofile-plugin
It automatically escapes using Gdn_Format::Text and Gdn_Format::Auto
grep is your friend.
@zodiacdm
grep is your friend.
@x00
Thanks, I've posted a report on your plugin page.