[Exploit/Bug] Execute javascript
Closed this issue · 4 comments
On your profile, you can execute JavaScript when somebody clicks one of your social links. If you add a social link with any name and have the URL be "javascript:{yourjscodehere}", then that JS will execute when somebody clicks on that link. Luckily, this JavaScript will not execute on the forum but rather on a new page, and because no page was specified, most browsers will execute it in about:blank.
Thanks for the report! We will investigate and prepare a fix.
I would have expected the `url` validation rule to prevent that, but I suppose that's actually not the case.
Reopening because the wrong code was tested (`<script>` tag instead of `javascript:...` URL).
Looks like it has been fixed at some point. The URL validation prevents it from being saved with `javascript:`.
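A scheme allowlist for user-supplied profile links of the kind this thread discusses, as an added example that is not part of the original issue or the project's own validation code. The function name `normalizeProfileLink`, the allowlist and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example (not the project's code): accept a user-supplied social link
// only if it parses as an absolute http(s) URL, and store the normalised form.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Hypothetical helper: returns the normalised href, or null if the link is rejected.
function normalizeProfileLink(input) {
  if (typeof input !== "string") return null;
  let parsed;
  try {
    // The WHATWG URL parser trims surrounding whitespace/control characters,
    // removes embedded tabs and newlines, and lowercases the scheme. This is
    // the same normalisation a browser applies to an href, so checking the
    // parsed protocol avoids the gaps of a string-prefix or regex test.
    parsed = new URL(input);
  } catch {
    return null; // relative, scheme-less or otherwise unparseable input
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  return parsed.href;
}

// Constructed sample inputs covering the case reported in the thread and
// common variations that defeat naive "starts with javascript:" checks.
const samples = [
  "https://example.com/me",
  "HTTPS://Example.COM/me",
  "javascript:void(0)",
  "  JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
  "data:text/html,hello",
  "example.com/me",
];

for (const s of samples) {
  const result = normalizeProfileLink(s);
  console.log(JSON.stringify(s), "->", result === null ? "rejected" : result);
}
```

Storing the returned href rather than the raw input means the value rendered into the link is the one that was actually checked.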