Hmm...
#1289 posted by
metlslime on 2009/06/23 21:56:37
you think that's dangerous...
<a href="javascript:alert('doh')">alert</a>
Maybe i should examine the security implications of this...
#1290 posted by
necros on 2009/06/23 23:47:27
tbh, i prefered it without the a href linking.
i didn't have to hover over links here to see if they are good to click or not.
D
#1291 posted by
czg on 2009/06/23 23:54:48
<a href="javascript:var%20v=document.forms[0];v.title.value='I%20AM%20A%20FAGGOT!';v.body.value='HUMP%20MY%20RUMP!';submitpost(v);">Click for a good time!</a>
Ankh!
#1295 posted by bamby on 2009/06/24 00:00:23
Didn't know you were too..
I AM A FAGGOT!
#1296 posted by anonymous user on 2009/06/24 00:01:15
HUMP MY RUMP!
I AM A FAGGOT!
#1297 posted by anonymous user on 2009/06/24 00:01:33
HUMP MY RUMP!
Well...
#1298 posted by
metlslime on 2009/06/24 00:03:04
I think all issues can be addressed.
First, the misleading URL demonstrated by spirit can be mitigated by making raw URLs look different that anchor tags, using color or other formatting.
Second, the http-based XSS attack spirit showed can be fixed by making the logout button require POST instead of GET.
Third, the javascript-based XSS attacks as demonstrated by czg can be prevented by being stricter about the URL (i.e. requiring http:/ftp: at the beginning)
Also...
#1301 posted by
metlslime on 2009/06/24 00:04:34
i might consider allowing anchor tags only in discussion/news threads, and not in posts. This means our news can look nicer, and anything malicious is easily moderated (since threads are few compared to posts.)
Lol, Great Link
#1302 posted by
negke on 2009/06/24 00:08:56
Ricky: "sweet deadly white stick" up your rump
oh god I am a gullible idiot.
:)
#1308 posted by
mwh on 2009/06/24 05:16:14
Input validation is a thicket of all sorts of horrors.
Oh No...
#1310 posted by
JPL on 2009/06/24 07:52:05
Damn, what is this shit !!?? czg: you are the most stupid of us, you damn bastard ! I hate you !