<script>document.write('FIX THIS!!!!!!!!!!!')</script>

#1
I noticed that in the homepage the latest forum topic titles are not html escaped.
This is a test topic to see if it is actually possible to run javascript.
Reply

#2
Unfortunately it works... A member is actually able to add javascript code to the codeigniter.com homepage.

Fix this please!
Reply

#3
Er, I don't know what you mean ... I see "<script>document.write('FIX THIS!!!!!!!!!!!')</script>" in the thread title, and nothing javascript is executed.
Reply

#4
The problem is on the home page of codeigniter.com. As you can see in the attached picture (or by visiting the homepage), the topic title is "FIX THIS!!!" and not <script>document... [etc]. For example, if I create a topic with title: <script>alert('Jon snow is alive');</script>, every visitor of codeigniter.com homepage will see a javascript popup with the message 'Jon snow is alive', which is always a bad thing because spoilers suck.


Reply

#5
(12-16-2015, 08:12 PM)ciadmin Wrote: Er, I don't know what you mean ... I see "<script>document.write('FIX THIS!!!!!!!!!!!')</script>" in the thread title, and nothing javascript is executed.

The forum is escaping it but the codeigniter.com frontpage is not... I mentioned this in the PM that I sent to you.
Reply

#6
Ahhh - makes sense. Thank you!
Fixed it :)
Reply
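
The thread describes a title that the forum escapes on its own pages while a second page (the homepage's latest-topics list) prints the stored value raw. The following is an added example, not code from codeigniter.com or from any poster here: it renders the same stored titles without and with output escaping. The function names, the `/forum/thread-<id>.html` URL pattern and the topic rows are assumptions constructed for illustration.

```php
<?php
// Constructed sample rows: titles exactly as stored (raw, unescaped).
$topics = [
    ['id' => 101, 'title' => "<script>document.write('FIX THIS!!!!!!!!!!!')</script>"],
    ['id' => 102, 'title' => 'Routing question & "404" pages'],
];

// Escape a value for HTML element content or a quoted attribute value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: the stored title is concatenated into the markup as-is, so any
// markup in it becomes part of the page every visitor receives.
function render_latest_topics_unescaped(array $topics): string
{
    $html = "<ul>\n";
    foreach ($topics as $t) {
        $html .= '<li><a href="/forum/thread-' . $t['id'] . '.html">'
               . $t['title'] . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// After: every stored value is escaped at the point of output, in the view
// that prints it, regardless of what other pages do with the same data.
function render_latest_topics(array $topics): string
{
    $html = "<ul>\n";
    foreach ($topics as $t) {
        $href = '/forum/thread-' . (int) $t['id'] . '.html'; // hypothetical URL pattern
        $html .= '<li><a href="' . e($href) . '">' . e($t['title']) . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

$before = render_latest_topics_unescaped($topics);
$after  = render_latest_topics($topics);

// Regression check for the homepage view: a title must never contribute a tag.
if (stripos($before, '<script') === false || stripos($after, '<script') !== false) {
    throw new RuntimeException('escaping check failed');
}
echo $after;
```

Because the data is stored raw, each consumer of the titles (forum view, homepage widget, feeds) needs its own escaping at output; a check like the one at the end belongs in the test suite of every such view.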

