Author Topic: BUG WATCH! - If you see a bug report it here!  (Read 56307 times)
Melooon
« Reply #240 on: February 26, 2026 @551.10 »

the welcome email it's suggested to write a greeting, but the link leads to a board where no
Thanks for the report! This is so weird, I've fixed this bug at least 3 times and somehow that link never goes away, it must be in some other file somewhere :drat:
Dan Q
« Reply #241 on: March 13, 2026 @402.88 »

I'm moderately confident there's an XSS vulnerability in the code that puts a message in the shoutbox when somebody creates a new thread.

When you create a new thread, the title of that thread gets posted (in a link) to the shoutbox, e.g. "Dan Q created [linked title of post]".

But that title doesn't get escaped, so any HTML code in the post title gets injected directly into the page, via the shoutbox. I haven't tested it, but a Melonlander could (deliberately or accidentally) cause a problem here. Suppose I created a thread with the subject "<script>alert('hi');</script> not working on my site", then I imagine the actual HTML code <script>alert('hi');</script> would get injected into the shoutbox!

We're a closed community, so we're probably moderately-safe (or else I wouldn't announce this in a public thread!), but it's probably still worth fixing! All that's needed is to run the titles through an escape_html(...) -like function before shoutboxing them.

I discovered this by accident when I posted this thread, which has HTML-like code in the subject.

Update: yup, verified by this thread, with which I was able to inject an image into the shoutbox. The limitation on the lengths of subject strings would make an "attack" difficult, but definitely not impossible! See attached screenshot.


* xss-in-the-shoutbox-demo.webp (23.98 kB, 537x303 - viewed 5 times.)
« Last Edit: March 13, 2026 @408.25 by Dan Q »
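The unescaped-title problem described in the post above, as an added example that is not the forum's own (SMF/PHP) code: it builds the "Dan Q created [linked title]" shoutbox line the reported way and with an escape_html-style step applied, and includes a regression check. The markup, the function names and the sample topic URL are assumptions.

```javascript
// Added example, not the forum's own code: the shoutbox line the report
// describes ("Dan Q created [linked title]") built the reported way and the
// escaped way. The markup, function names and sample URL are assumptions.

// Escape the five characters that can break out of HTML text or a
// double-quoted attribute, the escape_html-style step the report asks for.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reported behaviour: the raw title is concatenated into the shoutbox markup.
function shoutUnsafe(author, title, topicUrl) {
  return `${author} created <a href="${topicUrl}">${title}</a>`;
}

// Fix: every value that came from user input is escaped for the context it
// lands in (attribute value for the href, text content for the title). The
// topic URL is assumed to be generated by the server, not taken from input;
// escaping alone would not make an attacker-chosen URL scheme safe.
function shoutSafe(author, title, topicUrl) {
  return `${escapeHtml(author)} created <a href="${escapeHtml(topicUrl)}">` +
    `${escapeHtml(title)}</a>`;
}

// Regression check: after removing the one <a> element the shoutbox itself
// emits, no angle bracket should survive in the rendered fragment.
function hasInjectedMarkup(html) {
  const withoutOwnLink = html.replace(/<a href="[^"]*">|<\/a>/g, "");
  return /[<>]/.test(withoutOwnLink);
}

// Constructed sample: the subject from the report and a placeholder topic URL.
const SAMPLE_TITLE = "<script>alert('hi');</script> not working on my site";
const SAMPLE_URL = "https://forum.example/index.php?topic=0.0";

console.log(hasInjectedMarkup(shoutUnsafe("Dan Q", SAMPLE_TITLE, SAMPLE_URL))); // true
console.log(hasInjectedMarkup(shoutSafe("Dan Q", SAMPLE_TITLE, SAMPLE_URL)));   // false
```

The same escaping has to be applied to any other user-controlled value the shoutbox prints (author name included), not only the title.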
pepper
« Reply #242 on: March 15, 2026 @143.18 »

This is a very odd issue but whenever I leave the forum page open in a tab and I restart my browser I get pinged notifications for alerts I have already seen and viewed.

This'll be because new alerts get picked up by each tab, but alerts that you click on only trigger an event in the current tab. And your browser is caching the DOM. I guess.
...
Refreshing the page should make them go away (because you've already viewed them).
...

This happens to me frequently, and reloading the page doesn't seem to make it go away completely? I have been getting the same notifications popping up on my OS toasts since Wednesday, across two different PCs/browsers, even though I do not have any alerts showing on the forum.

Both PCs are Linux Mint, both are up-to-date Firefox. I am having difficulty recreating the problem reliably, but I have been for instance getting notifications about the Wednesday Website guild off and on since Wednesday. Even if I close my browser, then later re-open it, I will sometimes (but not always?) get the same notifications.

For the time being I think I will need to just disable notifications for the forum, which is a shame as I like knowing when threads I'm interested in have activity, I don't like to clutter my email inbox, and I have yet to set up an RSS client. (Maybe I should just set up an RSS client already, but still, this bug ... bugs me ...)
boreal_cryptid
« Reply #243 on: March 15, 2026 @168.50 »

mobile version of the forum doesn't hide/spoiler users from ignore list :(
Melooon
« Reply #244 on: March 15, 2026 @180.82 »

Both PCs are Linux Mint, both are up-to-date Firefox. I am having difficulty recreating the problem reliably
I have noticed this too, almost every time I open the forum on a computer I've not used in a while it will spam all the past notifications since I last used it, even for things I've already viewed on other computers. I don't really know much about how browser notifications work, so I have no idea why that happens! I guess it's possible that push notifications are always running in the background, so the browser stacks up notifications quietly, maybe there is some command that should be sent to clear them. If anyone has experience lemmy know, otherwise it'll need some research!

hide/spoiler users from ignore list :(
It could be a chicken and egg situation; but less than 1% of forum members have ever used the ignore feature, so this is prob not a part of the site that's gonna get much time dedicated to it, but I will add it to the list! :ziped:
Melooon
« Reply #245 on: March 17, 2026 @782.41 »

moderately confident there's an XSS
across two different PCs/ browsers, even though I do not have any alerts showing on the forum.
Both these should be fixed now. Alerts are prob still weird, but I'm 99% sure you will only get alerts in one tab now, and I'm 50% sure you won't get alerts showing up across multiple computers/browsers unless both are awake and on the forum at the moment you get an alert. (However, it's also possible I just broke notifications completely.)

Dan your XSS attack path should now be fixed, hope you made some good use of it while you could :grin:
Dan Q
« Reply #246 on: March 18, 2026 @489.17 »

Dan your XSS attack path should now be fixed, hope you made some good use of it while you could :grin:

Ah, give me a few weeks; I'm sure I'll stumble upon another! :tongue:
Melonking.Net © Always and ever was! SMF 2.0.19 | SMF © 2021 | Privacy Notice | ~ Send Feedback ~ Forum Guide | Rules | RSS | WAP | Mobile