[Exploit/Bug] Execute javascript

Question

[Exploit/Bug] Execute javascript

Closed this issue 3 years ago · 4 comments

On your profile, you can execute JavaScript when somebody clicks one of your social links. if you added a social link with any name and have the URL be "javascript:{yourjscodehere]" then that JS will execute when somebody clicks on that link. Luckily, this javascript will not execute on the forum but rather a new page and because no page was specified, most browsers will execute it in about:blank.

Answer 1 · 2020-03-30T17:55:49.000Z

Thanks for the report! We will investigate and prepare a fix.

I would have expected the url validation rule to prevent that, but I suppose that's actually not the case.

Answer 2 · 2021-03-19T00:43:58.000Z

Hi there 👋 not sure which version this was fixed in, but the url validation rule is working again

Please let us know if the issue persists for you on the latest version @UntrustableRus and feel free to create a new issue if it does.

Answer 3 · 2021-03-19T11:01:55.000Z

Reopening because the wrong code was tested (<script> tag instead of javascript:... url).

Answer 4 · 2021-03-19T13:44:29.000Z

Looks like it has been fixed at some point. The URL validation prevents it from being saved with javascript:.