[security] Persistent XSS issue (Opera and older IE)
Vanilla 1.1.8 transforms this BBCode to an image tag executing JavaScript without user interaction. Apparently Vanilla 2.0 Beta is not affected.

[img]javascript:alert(1)//[/img] // becomes <img src="javascript:alert(1)">

A valid fix would forbid protocols other than /^https?:\/\// (Regex).

Greetings,
.mario
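The following is an added example, not code from the post above or from Vanilla itself. It shows a naive [img] BBCode renderer that reproduces the behaviour .mario describes (the tag body is copied straight into the src attribute, so a javascript: URL lands in the page), beside a hardened renderer that applies the anchored /^https?:\/\// allow-list from the post. The function names, the tag regex and the decision to echo a rejected tag back as escaped text are my own assumptions, not Vanilla's implementation. The hardened version also escapes the attribute value, so a URL that passes the scheme check cannot break out of the quoted src attribute; that second step is my addition and goes beyond the fix the post states. Note that the trailing // in the payload is a JavaScript line comment, so anything a renderer appends after it is neutralised.

```python
import html
import re

# Scheme allow-list taken from the post: only http:// and https:// sources
# are accepted. Anchored at the start of the value, so "javascript:",
# "data:", "vbscript:" and a protocol-relative "//host" are all rejected.
# The re.IGNORECASE flag is an assumption so that "HTTPS://" is still allowed
# while "JavaScript:" is still rejected.
SAFE_IMG_SRC = re.compile(r"^https?://", re.IGNORECASE)

# Hypothetical [img]...[/img] matcher; non-greedy so several tags on one
# line are handled independently.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def is_safe_img_src(src: str) -> bool:
    """Return True only if src starts with http:// or https://."""
    return SAFE_IMG_SRC.match(src) is not None


def render_img_vulnerable(bbcode: str) -> str:
    """Naive conversion: whatever sits between the tags becomes the src.

    [img]javascript:alert(1)//[/img] -> <img src="javascript:alert(1)//">
    Browsers that honour javascript: image sources (the post names Opera and
    older IE) run the payload on page load, with no user interaction.
    """
    return IMG_TAG.sub(lambda m: '<img src="%s">' % m.group(1), bbcode)


def render_img_hardened(bbcode: str) -> str:
    """Same conversion with the scheme allow-list from the post applied.

    A rejected tag is echoed back as escaped text rather than silently
    dropped, so the author sees why their image did not render. Accepted
    URLs are attribute-escaped so a quote in the URL cannot close src and
    smuggle in an event handler.
    """
    def repl(m: "re.Match[str]") -> str:
        src = m.group(1).strip()
        if not is_safe_img_src(src):
            return html.escape(m.group(0))
        return '<img src="%s">' % html.escape(src, quote=True)

    return IMG_TAG.sub(repl, bbcode)


if __name__ == "__main__":
    # Constructed sample inputs: the payload from the post plus a few
    # variants a practitioner would want to see handled.
    samples = [
        "[img]javascript:alert(1)//[/img]",
        "[img]JavaScript:alert(1)[/img]",
        "[img]data:text/html,<script>alert(1)</script>[/img]",
        "[img]//evil.example/a.png[/img]",
        "[img]https://example.com/a.png[/img]",
        '[img]https://example.com/a.png" onerror="alert(1)[/img]',
    ]
    for s in samples:
        print("input    :", s)
        print("vulnerable:", render_img_vulnerable(s))
        print("hardened  :", render_img_hardened(s))
        print()
```

Running the block prints each sample rendered both ways; only the two https:// inputs produce an img tag under the hardened renderer, and in the last one the embedded quote is turned into &quot; so it stays inside the src value.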