SunQuest
           Suggestions & Feedback
 
Forums: » Register « |  User CP |  Games |  Calendar |  Members |  FAQs |  Sitemap |  Support | 
User Name:
Password:
Remember me
Go Back   Dev Shed ForumsForum InformationSuggestions & Feedback
Reload this Page

Post title XSS issue

Discuss Post title XSS issue in the Suggestions & Feedback forum on Dev Shed.
Post title XSS issue Use this forum for either suggesting ideas or submitting feedback about our forums. Suggestions, constructive criticism, and other feedback appreciated.

Reply
Add This Thread To:
  Del.icio.us   Digg   Google   Spurl   Blink   Furl   Simpy   Y! MyWeb 
« Previous Thread | Next Thread »  
Thread Tools Search this Thread Rate Thread Display Modes
 
Unread Dev Shed Forums Sponsor:
Generate data entry and reporting .NET Web apps in minutes, straight from your database. Read our FREE whitepaper “Build Web 2.0 Applications Without Hand-Coding” Download now!
  #1  
Old August 21st, 2006, 12:38 PM
BurningSnowman's Avatar
BurningSnowman BurningSnowman is offline
It
Dev Shed Beginner (1000 - 1499 posts)
  
Join Date: Sep 2003
Location: UK
Posts: 1,217 BurningSnowman User rank is Captain (20000 - 30000 Reputation Level)BurningSnowman User rank is Captain (20000 - 30000 Reputation Level)BurningSnowman User rank is Captain (20000 - 30000 Reputation Level)BurningSnowman User rank is Captain (20000 - 30000 Reputation Level)BurningSnowman User rank is Captain (20000 - 30000 Reputation Level)BurningSnowman User rank is Captain (20000 - 30000 Reputation Level)BurningSnowman User rank is Captain (20000 - 30000 Reputation Level)BurningSnowman User rank is Captain (20000 - 30000 Reputation Level)BurningSnowman User rank is Captain (20000 - 30000 Reputation Level) 
Time spent in forums: 1 Month 5 Days 2 h 23 m 33 sec
Reputation Power: 221
Post title XSS issue
Hi guys,

HTML is not being escaped in post titles. (Thread titles are fine.)

I noticed this by accident in someone else's new thread. I see you've been testing HTML entities, so it might just have crept in from recent changes or something.

I've posted a JS injection demo in the outhouse (pops up 2 alerts at present).

This could be used to hijack accounts. I'd suggest you just find the code that outputs post titles and run it through htmlspecialchars() if there isn't already a vB formatting function it should be going through.

BurningSnowman
Reply With Quote
  #2  
Old August 21st, 2006, 01:27 PM
thaminda's Avatar
thaminda thaminda is offline
Contributing User
Dev Shed Newbie (0 - 499 posts)
  
Join Date: Sep 2004
Posts: 396 thaminda User rank is Lieutenant Colonel (40000 - 50000 Reputation Level)thaminda User rank is Lieutenant Colonel (40000 - 50000 Reputation Level)thaminda User rank is Lieutenant Colonel (40000 - 50000 Reputation Level)thaminda User rank is Lieutenant Colonel (40000 - 50000 Reputation Level)thaminda User rank is Lieutenant Colonel (40000 - 50000 Reputation Level)thaminda User rank is Lieutenant Colonel (40000 - 50000 Reputation Level)thaminda User rank is Lieutenant Colonel (40000 - 50000 Reputation Level)thaminda User rank is Lieutenant Colonel (40000 - 50000 Reputation Level)thaminda User rank is Lieutenant Colonel (40000 - 50000 Reputation Level)thaminda User rank is Lieutenant Colonel (40000 - 50000 Reputation Level)thaminda User rank is Lieutenant Colonel (40000 - 50000 Reputation Level) 
Time spent in forums: 1 Week 3 Days 19 h 45 m 3 sec
Reputation Power: 415
This is fixed now, if you still see any issues please let us know.
Comments on this post
BurningSnowman agrees: Speedy! Thanks.
Reply With Quote
Reply

Viewing: Dev Shed ForumsForum InformationSuggestions & Feedback > Post title XSS issue

« Previous Thread | Next Thread »

Thread Tools  Search this Thread 
Search this Thread:

Advanced Search
Display Modes  Rate This Thread 
Linear Mode Linear Mode
Rate This Thread:


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
View Your Warnings | New Posts | Latest News | Latest Threads | Shoutbox
Forum Jump


Forums: » Register « |  User CP |  Games |  Calendar |  Members |  FAQs |  Sitemap |  Support | 
  
 





© 2003-2008 by Developer Shed. All rights reserved. DS Cluster 4 hosted by Hostway