XSS Error - Printable Version

+- Drunkard's Walk Forums (http://www.accessdenied-rms.net/forums)
+-- Forum: General (http://www.accessdenied-rms.net/forums/forumdisplay.php?fid=1)
+--- Forum: Website (http://www.accessdenied-rms.net/forums/forumdisplay.php?fid=4)
+--- Thread: XSS Error (/showthread.php?tid=14428)
XSS Error - Labster - 08-04-2022

Actually it might just be script injection... requires user interaction. Pretty low level vulnerability so far.

RE: XSS Error - Bob Schroeck - 08-05-2022

Mm. Looking at what you posted there, it looks like it's more likely an issue with the spoiler plug-in I use than MyBBS proper, but I'll submit it to the MyBBS website after work.

RE: XSS Error - Labster - 08-05-2022

Yes, well, the spoiler plug-in is limiting some unsafe characters, but not others — I had to use the hyphen to separate terms. But this is braindead security anyway. I'm sure I could write a better plugin.

RE: XSS Error - Labster - 08-06-2022

Looking at the code of the spoiler plugin:

1) it's definitely the problem
2) I'm pretty sure I could string together arbitrary javascript because it allows dot and parentheses, which means I have access to eval() and can generate characters I need with String.fromCharCode().

Your risk profile is kind of limited because members need to be approved, and it still needs user interaction.

RE: XSS Error - Bob Schroeck - 08-06-2022

Given that, as you point out, the risk is low, I think I'll relax about it.