Hacker Read

stevekemp · 2012-12-16 16:46:31

It looks like you don't escape content of submissions, allowing XSS attacks to be made.

wesley | karma 529 | avg karma 2.2 · | 2010-03-04 12:13:31+00:00

Supposedly prevents XSS attacks via submitted HTML.

uaygsfdbzf | karma 242 | avg karma 1.25 · | 2014-02-16 12:44:33+00:00

Ehh.. that's some serious XSS vulnerability there.

cetra3 | karma 603 | avg karma 5.74 · | 2018-07-05 03:37:25

If you're using this in your site as it stands, you are opening up XSS attacks as it does not appear to sanitise user input.

NKCSS | karma 1312 | avg karma 2.01 · | 2013-05-06 07:00:56+00:00

That's a XSS then :)

porges | karma 196 | avg karma 2.65 · | 2013-08-01 20:47:36+00:00

> If you escape it then there's no XSS issue.

Not XSS, but you need to be careful about allowing through things like the LTR/RTL override characters.

reply

jarito | karma 429 | avg karma 3.27 · | 2011-07-18 13:20:17+00:00

Is it just me or is the first example on their front page a great example of XSS? Unless their standard string formatting routines are performing escaping, this is pretty awful.

zlies | karma 33 | avg karma 3.0 · | 2024-05-03 21:31:04

Seems like there are some XSS vulnerabilities :D

tzury | karma 8693 | avg karma 4.44 · | 2014-02-03 04:14:52+00:00

You need to escape user input to avoid XSS on the page.

thepete2 | karma 804 | avg karma 3.44 · | 2021-01-27 09:18:01+00:00

Improper input sanitation, you can potentially add raw html to other people's pages (XSS).

namarkiv | karma 217 | avg karma 5.86 · | 2013-12-01 13:44:18

Not XSS. I will disclose more once it is fixed.

btipling | karma 3035 | avg karma 3.93 · | 2013-06-01 20:41:12

Those all look like XSS vulnerabilities to me.

bencoder | karma 788 | avg karma 2.91 · | 2016-08-19 19:09:26+00:00

Looks like someone has found an XSS attack :D

koolba | karma 34224 | avg karma 5.09 · | 2017-04-24 11:46:01

XSS is a malicious version of the more general problem of not escaping user inputs. its much easier to escape on output rather than input as you can't really tell what's "acceptable". It's also more robust as out of band updates (say direct database updates of comments) get outputted correctly too.

If I have a comment forum with input filtering (rather than output escapong) I can't restrict it to just letters numbers and punctuation or the user's can't discuss HTML tags!

reply

CodesInChaos | karma 2869 | avg karma 2.97 · | 2021-01-14 09:56:48+00:00

I think misguided XSS protection is the most likely culprit here.

68656c6c6f | karma 4 | avg karma 4.0 · | 2014-07-04 16:51:48+00:00

The site is vulnerable to xss

rauar | karma 103 | avg karma 0.79 · | 2012-08-14 06:38:08+00:00

This is the 0% case. No escaping and therefore not safe w.r.t. XSS attacks.

Pxtl | karma 17051 | avg karma 3.07 · | 2013-10-23 20:30:38+00:00

Funny how you can see all the xss attack attempts.

Also, I wonder why some people get a gif.

reply

stevekemp | karma 9243 | avg karma 2.54 · | 2015-02-19 20:36:16+00:00

Indeed, and you'll see they don't filter the input so XSS attacks are possible.

Just enter a question of "<script>foo</script>", and reload the main index to see it happen.

reply

throwaway2048 | karma 9048 | avg karma 2.51 · | 2018-01-06 15:33:42+00:00

you dont always control your html due to XSS and CSRF.