NewspaperCrane
Well-Known Member
I'm just going to leave this here.
Wooty, I am disappoint.
Wooty, I am disappoint.
-
You're viewing the Team9000 Archives. These old threads are closed to new comments, but if something interests you or you have a question, feel free to open a new thread in the main forums.
<img src="http://i.imgur.com/CoAa7.png" />
- Thread starter NewspaperCrane
- Start date
NewspaperCrane
Well-Known Member
The problem is you can embed more HTML than just an image. I'm not even sure if it's just html.
NewspaperCrane
Well-Known Member
I'm sure wooty will have this fixed before long. I'm wondering if it's a Xen foro glitch though.
edit: http://xenforo.com/community/threads/img-src-http-i-imgur-com-coaa7-png.27415/
edit: http://xenforo.com/community/threads/img-src-http-i-imgur-com-coaa7-png.27415/
NewspaperCrane
Well-Known Member
Yes, it's probably a bug in the team9000 layout... to my knowledge having a breadcrumb like that isn't standard in Xenforo, which means it's probably custom code written by wooty.
Solved. PLEASE PLEASE PLEASE - Any time you notice an XSS issue like this, please post it as a critical priority bug on the bug tracker and send me an email as well. I take security issues as a #1 priority, and I didn't notice this thread until just now.
karmahurts
Well-Known Member
Wait could someone explained what just was tested.
breadcrumb titles were not being escaped.
NewspaperCrane
Well-Known Member
Fair warning before you read this post: Crane is posting drunk righ tnow.
I'm sorry sir, I wasn't aware that we had a bug tracker. I should have emailed you though. Normally you pick up on this pretty quickly.
karmahurts
Well-Known Member
Fair enough.