But that would leave those who do not know HTML clueless; the formatting options are there to make it both quicker and easier to write posts with simple formatting. After all, the editor allows you to edit raw HTML anyway.
You were careful about XSS, weren't you?
EDIT:
Try this, quote me and mouse over my text. Does this only work for me?
EDIT2:
Confirmed, XSS vulnerability here. Easy fix: sanitize all the HTML before saving it as a post.
More evil try
Well, cookies
Don't worry, I did not use any real evil scripts.
I mean really, please fix it. The forums are no more safe from XSS.
Any HTML that can execute scripts has been stripped on the forum for ages. When you make a post, 2 copies are stored: a verbatim original and a safe version that is displayed for other users. The verbatim copy is used when quoting and editing; it seems TinyMCE doesn't strip out JavaScript. I've modified the software to use the safe copy when quoting another user (but not yourself). Unfortunately, this has the adverse effect of being unable to quote inline saves and YouTube videos.
Foolish on my part to assume TinyMCE would actually ignore JavaScript.
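The two-copy model and the quote fix described in the post above, as an added sketch that is not the forum's own code: the allowlist, `sanitize`, `Post`, `save_post` and `quote_source` are all assumed names, and the sanitizer rebuilds output from an allowlist instead of trusting the editor to strip script.

```python
from dataclasses import dataclass
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this sketch; a real forum would tune it.
ALLOWED = {"b", "i", "u", "em", "strong", "p", "br", "blockquote", "a"}

class _Rebuilder(HTMLParser):
    """Re-emits allowlisted tags only; drops every attribute except a safe href."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0   # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            href = (dict(attrs).get("href") or "") if tag == "a" else ""
            ok = href.lower().startswith(("http://", "https://"))
            self.out.append(f'<{tag} href="{escape(href)}">' if ok else f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))   # text is always re-escaped

def sanitize(raw_html: str) -> str:
    p = _Rebuilder()
    p.feed(raw_html)
    p.close()
    return "".join(p.out)

@dataclass
class Post:
    author: str
    raw_html: str    # verbatim copy, kept for the author's own edits
    safe_html: str   # sanitised copy, shown to everyone else

def save_post(author: str, raw_html: str) -> Post:
    return Post(author, raw_html, sanitize(raw_html))

def quote_source(post: Post, viewer: str) -> str:
    """HTML loaded into the editor when `viewer` quotes `post`."""
    body = post.raw_html if viewer == post.author else post.safe_html
    return f"<blockquote>{body}</blockquote>"

# Constructed sample post; demo() is a placeholder, not a real script.
SAMPLE = save_post("alice", '<b onmouseover="demo()">hover me</b><script>demo()</script>')
```

Because only the safe copy reaches other users' editors, anything outside the allowlist (the embedded videos mentioned in the post, for instance) is lost in quotes, which is the trade-off the post describes.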