BUG WATCH! - If you see a bug report it here!

[Melooon]

the welcome email it's suggested to write a greeting, but the link leads to a board where no

Thanks for the report! This is so weird, I've fixed this bug at least 3 times and somehow that link never goes away, it must be in some other file somewhere

[Dan Q]

I'm moderately confident there's an XSS vulnerability in the code that puts a message in the shoutbox when somebody creates a new thread.

When you create a new thread, the title of that thread gets posted (in a link) to the shoutbox, e.g. "Dan Q created [linked title of post]".

But that title doesn't get escaped, so any HTML code in the post title gets injected directly into the page, via the shoutbox. I haven't tested it, but a Melonlander could (deliberately or accidentally) cause a problem here. Suppose I created a thread with the subject "<script>alert('hi');</script> not working on my site", then I imagine the actual HTML code <script>alert('hi');</script> would get injected into the shoutbox!

We're a closed community, so we're probably moderately-safe (or else I wouldn't announce this in a public thread!), but it's probably still worth fixing! All that's needed is to run the titles through an escape_html(...) -like function before shoutboxing them.

I discovered this by accident when I posted this thread, which has HTML-like code in the subject.

Update: yup, verified by this thread, with which I was able to inject an image into the shoutbox. The limitation on the lengths of subject strings would make an "attack" difficult, but definitely not impossible! See attached screenshot.