CodeIgniter Forums

Full Version: <script>document.write('FIX THIS!!!!!!!!!!!')</script>
I noticed that on the homepage the latest forum topic titles are not HTML-escaped.
This is a test topic to see if it is actually possible to run JavaScript.
Unfortunately it works... A member is actually able to add JavaScript code to the codeigniter.com homepage.

Fix this please!
Er, I don't know what you mean ... I see "<script>document.write('FIX THIS!!!!!!!!!!!')</script>" in the thread title, and nothing javascript is executed.
The problem is on the home page of codeigniter.com. As you can see in the attached picture (or by visiting the homepage), the topic title is "FIX THIS!!!" and not <script>document... [etc]. For example, if I create a topic with the title: <script>alert('Jon snow is alive');</script>, every visitor of the codeigniter.com homepage will see a JavaScript popup with the message 'Jon snow is alive', which is always a bad thing because spoilers suck.
(12-16-2015, 08:12 PM) ciadmin wrote: Er, I don't know what you mean ... I see "<script>document.write('FIX THIS!!!!!!!!!!!')</script>" in the thread title, and nothing javascript is executed.

The forum is escaping it but the codeigniter.com front page is not... I mentioned this in the PM that I sent to you.
Ahhh - makes sense. Thank you!
Fixed it :)
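
The report in this thread comes down to the homepage printing stored forum titles without output encoding while the forum's own pages encode them. The following is an added example, not codeigniter.com's code and not written by any poster; the function names, the sample topic rows and the `/thread-N.html` URL shape are assumptions. It shows a "latest topics" widget before and after escaping at the point of output.

```php
<?php
// Added example. Names, rows and URL shape are hypothetical.

// Constructed sample rows, as a homepage widget might read them from the
// forum database. Titles are stored raw; the forum escapes them on display.
$latestTopics = [
    ['id' => 101, 'title' => "<script>document.write('FIX THIS!!!!!!!!!!!')</script>"],
    ['id' => 102, 'title' => 'Routing & "pretty" URLs'],
];

// Encode a value for HTML text and quoted-attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: the title is concatenated into the markup as-is, so the browser
// parses it as HTML. This is the behaviour reported in the thread.
function renderLatestTopicsUnsafe(array $topics): string
{
    $html = "<ul>\n";
    foreach ($topics as $t) {
        $html .= '<li><a href="/thread-' . $t['id'] . '.html">' . $t['title'] . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// After: every value is encoded where it is written out, regardless of what
// the forum software does with the same data on its own pages.
function renderLatestTopics(array $topics): string
{
    $html = "<ul>\n";
    foreach ($topics as $t) {
        $href = '/thread-' . (int) $t['id'] . '.html';
        $html .= '<li><a href="' . e($href) . '">' . e($t['title']) . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

$unsafe = renderLatestTopicsUnsafe($latestTopics);
$safe   = renderLatestTopics($latestTopics);

// Regression check: the unsafe output carries a live <script> element,
// the escaped output must not.
if (stripos($unsafe, '<script') === false || stripos($safe, '<script') !== false) {
    throw new RuntimeException('escaping check failed');
}
echo $safe;
```

In a CodeIgniter 3 view the framework's `html_escape()` helper serves the same purpose as the local `e()` function here.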