12-16-2015, 07:12 PM (This post was last modified: 12-16-2015, 07:13 PM by Nikos.)
I noticed that on the homepage the latest forum topic titles are not HTML-escaped.
This is a test topic to see if it is actually possible to run JavaScript.
Er, I don't know what you mean ... I see "<script>document.write('FIX THIS!!!!!!!!!!!')</script>" in the thread title, and nothing javascript is executed.
The problem is on the home page of codeigniter.com. As you can see in the attached picture (or by visiting the homepage), the topic title is "FIX THIS!!!" and not <script>document... [etc]. For example, if I create a topic with title: <script>alert('Jon snow is alive');</script>, every visitor of codeigniter.com homepage will see a javascript popup with the message 'Jon snow is alive', which is always a bad thing because spoilers suck.
(12-16-2015, 08:12 PM)ciadmin Wrote: Er, I don't know what you mean ... I see "<script>document.write('FIX THIS!!!!!!!!!!!')</script>" in the thread title, and nothing javascript is executed.
The forum is escaping it but the codeigniter.com frontpage is not... I mentioned this in the PM that I sent to you.
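
The difference the posts above describe (the forum escapes the title on output, the homepage widget does not) looks like this in PHP. This is an added example, not part of the thread and not codeigniter.com's code; the `$latestTopics` data, its field names, and the functions `escapeHtml`, `renderUnescaped` and `renderEscaped` are assumptions made for illustration.

```php
<?php
// Constructed sample data: rows a "latest forum topics" widget might receive.
// Field names are hypothetical. The first title is the one from this thread.
$latestTopics = [
    ['id' => 101, 'title' => "<script>document.write('FIX THIS!!!!!!!!!!!')</script>"],
    ['id' => 102, 'title' => 'Sessions & cookies: "remember me" help'],
];

// Escape a value for HTML text and quoted-attribute contexts.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Homepage behaviour as reported: the stored title is concatenated into the
// page as-is, so the browser parses it as markup.
function renderUnescaped(array $topics): string
{
    $html = "<ul>\n";
    foreach ($topics as $t) {
        $html .= '  <li><a href="/thread/' . $t['id'] . '">' . $t['title'] . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Forum behaviour as reported: the title is escaped at the point of output,
// in both the attribute and the text node, and the id is forced to an integer.
function renderEscaped(array $topics): string
{
    $html = "<ul>\n";
    foreach ($topics as $t) {
        $title = escapeHtml($t['title']);
        $html .= '  <li><a href="/thread/' . (int) $t['id'] . '" title="' . $title . '">'
               . $title . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

$unsafe = renderUnescaped($latestTopics);
$safe   = renderEscaped($latestTopics);

// Regression check a template test could carry: no raw tag from a title
// may survive into the rendered widget.
var_dump(strpos($unsafe, '<script>') !== false); // raw tag present in unescaped output
var_dump(strpos($safe, '<script>') === false);   // raw tag absent from escaped output
echo $safe;
```

Escaping belongs in every template that prints the title, because the stored value stays raw and each consumer (forum page, homepage widget, feed) renders it independently.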