<script>document.write('FIX THIS!!!!!!!!!!!')</script>
#1

(This post was last modified: 12-16-2015, 07:13 PM by Nikos.)

I noticed that on the homepage the latest forum topic titles are not HTML-escaped.
This is a test topic to see if it is actually possible to run JavaScript.
#2

(This post was last modified: 12-16-2015, 07:15 PM by Nikos.)

Unfortunately it works... A member is actually able to add JavaScript code to the codeigniter.com homepage.

Fix this please!
#3

Er, I don't know what you mean ... I see "<script>document.write('FIX THIS!!!!!!!!!!!')</script>" in the thread title, and nothing javascript is executed.
#4

The problem is on the home page of codeigniter.com. As you can see in the attached picture (or by visiting the homepage), the topic title is "FIX THIS!!!" and not <script>document... [etc]. For example, if I create a topic with title: <script>alert('Jon snow is alive');</script>, every visitor of codeigniter.com homepage will see a JavaScript popup with the message 'Jon snow is alive', which is always a bad thing because spoilers suck.

#5

(12-16-2015, 08:12 PM)ciadmin Wrote: Er, I don't know what you mean ... I see "<script>document.write('FIX THIS!!!!!!!!!!!')</script>" in the thread title, and nothing javascript is executed.

The forum is escaping it but the codeigniter.com frontpage is not... I mentioned this in the PM that I sent to you.
#6

Ahhh - makes sense. Thank you!
Fixed it :)
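The class of bug discussed in this thread, as an added example that is not part of any post above and is not the codeigniter.com source: a homepage "latest topics" widget that prints forum titles without escaping, next to a version that escapes at output. The function names, the array shape and the `/forum/thread-N.html` URL layout are assumptions made for illustration.

```php
<?php
// Added illustration; all names and the URL layout are hypothetical.

// Constructed sample rows, as a homepage widget might read them from the
// forum database. The first title is the one used in this thread.
$topics = [
    ['id' => 101, 'title' => "<script>document.write('FIX THIS!!!!!!!!!!!')</script>"],
    ['id' => 102, 'title' => 'Routing & "pretty" URLs'],
];

// Before: the title is concatenated into the markup as-is, so the browser
// parses a member-supplied <script> element as part of the homepage.
function render_latest_topics_unsafe(array $topics): string
{
    $html = "<ul>\n";
    foreach ($topics as $t) {
        $html .= '  <li><a href="/forum/thread-' . $t['id'] . '.html">'
               . $t['title'] . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Escape a value for HTML text and for quoted attribute values.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// After: every value that came from outside the template is escaped at
// the point of output, and the id is forced to an integer.
function render_latest_topics(array $topics): string
{
    $html = "<ul>\n";
    foreach ($topics as $t) {
        $html .= '  <li><a href="/forum/thread-' . (int) $t['id'] . '.html">'
               . e((string) $t['title']) . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

$unsafe = render_latest_topics_unsafe($topics);
$safe   = render_latest_topics($topics);

// Regression check: no raw <script> tag may survive in the escaped output.
if (stripos($unsafe, '<script') === false || stripos($safe, '<script') !== false) {
    throw new RuntimeException('escaping check failed');
}
echo $safe;
```

The forum page and the homepage are two separate output paths for the same stored title, so each needs its own escaping at render time. In a CodeIgniter view the framework's `html_escape()` helper serves the same purpose as `e()` here.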