CodeIgniter Forums
<script>document.write('FIX THIS!!!!!!!!!!!')</script> - Printable Version

+--- Thread: <script>document.write('FIX THIS!!!!!!!!!!!')</script> (/thread-63866.html)



<script>document.write('FIX THIS!!!!!!!!!!!')</script> - Nikos - 12-16-2015

I noticed that in the homepage the latest forum topic titles are not html escaped.
This is a test topic to see if it is actually possible to run javascript.


RE: <script>document.write('FIX THIS!!!!!!!!!!!')</script> - Nikos - 12-16-2015

Unfortunately it works... A member is actually able to add javascript code to the codeigniter.com homepage.

Fix this please!


RE: <script>document.write('FIX THIS!!!!!!!!!!!')</script> - ciadmin - 12-16-2015

Er, I don't know what you mean ... I see "<script>document.write('FIX THIS!!!!!!!!!!!')</script>" in the thread title, and no javascript is executed.


RE: <script>document.write('FIX THIS!!!!!!!!!!!')</script> - Nikos - 12-16-2015

The problem is on the home page of codeigniter.com. As you can see in the attached picture (or by visiting the homepage), the topic title is "FIX THIS!!!" and not <script>document... [etc]. For example, if I create a topic with title: <script>alert('Jon snow is alive');</script>, every visitor of the codeigniter.com homepage will see a javascript popup with the message 'Jon snow is alive', which is always a bad thing because spoilers suck.

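The bug described in this thread, as an added example (not code from the thread or from CodeIgniter itself): a homepage widget that prints the latest forum topic titles, first without escaping and then with HTML output escaping. The topic titles are constructed sample data; the first one is the title used in this thread.

```php
<?php
// Added example (not code from the thread or from CodeIgniter): a forum-title
// widget rendered two ways. The titles below are constructed sample data; the
// first one is the payload used in this thread.
declare(strict_types=1);

$latestTopics = [
    "<script>document.write('FIX THIS!!!!!!!!!!!')</script>",
    'How do I load a model from a helper?',
    'Query Builder & "LIKE" wildcards',
];

// Vulnerable: the title is dropped into the page verbatim, so a <script> tag
// written into a topic title by any member becomes part of the homepage DOM.
function render_titles_unsafe(array $titles): string
{
    $html = "<ul class=\"latest-topics\">\n";
    foreach ($titles as $t) {
        $html .= "  <li>{$t}</li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened: every title is HTML-escaped at output time. ENT_QUOTES covers
// attribute contexts too; the charset argument avoids multibyte edge cases.
// CodeIgniter 3's html_escape() helper wraps the same htmlspecialchars() call.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_titles_safe(array $titles): string
{
    $html = "<ul class=\"latest-topics\">\n";
    foreach ($titles as $t) {
        $html .= '  <li>' . escape_html($t) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Quick check a reviewer can run: the unsafe output still contains a raw
// <script> tag, the safe output contains only the escaped text.
$unsafe = render_titles_unsafe($latestTopics);
$safe   = render_titles_safe($latestTopics);
printf("unsafe contains raw <script>: %s\n", var_export(str_contains($unsafe, '<script>'), true));
printf("safe contains raw <script>:   %s\n", var_export(str_contains($safe, '<script>'), true));
echo $safe;
```

The escaping belongs at the point where the title is written into the page, so it protects every consumer of the forum data (here the homepage), not just the forum software that happened to escape correctly.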

RE: <script>document.write('FIX THIS!!!!!!!!!!!')</script> - orionstar - 12-16-2015

(12-16-2015, 08:12 PM)ciadmin Wrote: Er, I don't know what you mean ... I see "<script>document.write('FIX THIS!!!!!!!!!!!')</script>" in the thread title, and no javascript is executed.

The forum is escaping it but the codeigniter.com frontpage is not... I mentioned this in the PM I sent to you.


RE: <script>document.write('FIX THIS!!!!!!!!!!!')</script> - ciadmin - 12-16-2015

Ahhh - makes sense. Thank you!
Fixed it :)