Quite huge XSS flaw [serious]

  1. 5 years ago

    I created a conversation with the title "<script>alert()</script>" and body "<script>alert()</script>". I can't believe that it actually worked and Toby did not use htmlentities. So I used a test esoTalk site and made my name "<script></script>", I then got an error at the top. I looked around and pasted "<script>alert()</script>" in the signatures part of the about me section (not esoTalk site but vibiz.net) and it also gave the popup... Not only this but when I posted a message with my "<script>alert()</script>" signature, it actually gives a popup EVERY TIME someone clicks the thread that I posted on (quite troll but).. Fix?

  2. This flaw can do serious harm to a website btw @Toby

  3. Wow! You should post on Github issues...

  4. Edited 5 years ago by Garfield

    It's been fixed ages ago.

    https://github.com/esotalk/esoTalk/issues/122

    The owner of the website provided by you is solely responsible for keeping his website updated.

    Also, the signature part you're referring to is a third-party plugin.

  5. @Garfield It's been fixed ages ago.

    https://github.com/esotalk/esoTalk/issues/122

    The owner of the website provided by you is solely responsible for keeping his website updated.

    Also, the signature part you're referring to is a third-party plugin.

    Oh ok, thanks for this!

  6. Deleted 5 years ago by Toby
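
The stored XSS reported in this thread, shown as an unescaped render beside an output-encoded one. This is an added example, not code from esoTalk or the signature plugin: the helper names (`e`, `renderUnsafe`, `renderSafe`, `containsUnexpectedTag`) and the markup are hypothetical, the sample post is constructed from the values quoted in the first post, and `htmlspecialchars` is used in place of the `htmlentities` call the post mentions.

```php
<?php
// Added example: hypothetical rendering helpers, not esoTalk's own code.

// Constructed sample: the values the first post says were submitted.
$post = [
    'title'     => '<script>alert()</script>',
    'body'      => '<script>alert()</script>',
    'signature' => '<script>alert()</script>',
];

// Encode a value for an HTML text or quoted-attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: stored values are concatenated into markup as-is, so the
// browser parses them as elements on every view of the thread.
function renderUnsafe(array $p): string
{
    return "<h1>{$p['title']}</h1>\n"
         . "<div class=\"body\">{$p['body']}</div>\n"
         . "<div class=\"signature\">{$p['signature']}</div>\n";
}

// After: every user-controlled field is encoded at output time,
// including a field that a plugin owns (the signature).
function renderSafe(array $p): string
{
    return '<h1>' . e($p['title']) . "</h1>\n"
         . '<div class="body">' . e($p['body']) . "</div>\n"
         . '<div class="signature">' . e($p['signature']) . "</div>\n";
}

// Regression check: after removing the template's own tags,
// no tag opener may remain in the rendered output.
function containsUnexpectedTag(string $html): bool
{
    $stripped = preg_replace('#</?(h1|div)( class="[a-z]+")?>#', '', $html);
    return (bool) preg_match('/<[a-z\/!]/i', $stripped);
}

echo 'unsafe render has stray tags: ';
var_dump(containsUnexpectedTag(renderUnsafe($post)));
echo 'safe render has stray tags:   ';
var_dump(containsUnexpectedTag(renderSafe($post)));
```

A check like `containsUnexpectedTag` fits in a test suite that renders each user-controlled field, so a plugin that adds a new field without encoding it fails the build.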
 
