FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » FUDforum 3.0+ » Javascript gets executed if importet with NNTP
Show: Today's Messages :: Unread Messages :: Show Polls :: Message Navigator
| Subscribe to topic | Bookmark topic 
Switch to threaded view of this topic Create a new topic Submit Reply
Javascript gets executed if importet with NNTP [message #168033] Sun, 23 December 2012 04:41 Go to next message
Fladi is currently offline  Fladi   
Messages: 19
Registered: April 2011
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
Hi all!

We have a problem and I'm not sure if it is a bug or I just configured something wrong.

We import messages with NNTP. Now, when I post a message on the NNTP site which has some Javascript code in it

<script type="text/javascript">alert('Hello World');</script>


the message is imported into FUDforum. The code gets executed when a user opens the topic with this message. I think this should not work as it opens an easy way to XSS.
It doesn't make a diffent which settings are set for the forum (Tag-Style is set to none for the user).

Did I do something wrong or can you confirm this?

Best regards and a merry christmas Wink

Tim


Aw: Javascript gets executed if importet with NNTP [message #168034 is a reply to message #168033] Sun, 23 December 2012 09:54 Go to previous message
Fladi is currently offline  Fladi   
Messages: 19
Registered: April 2011
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
For a quick fix I inserted a new filter in the "Replacement & Censorship" which searches for ">" and replaces it with "&gt;" But this has some other issues when creating messages it gets converted as well so the user sees &gt; in the preview/forum message.
Quick Reply
Formatting Tools:   
  Switch to threaded view of this topic Create a new topic
Previous Topic: NNTP suggestions
Next Topic: SQL Error
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Mon Oct 23 09:35:27 EDT 2017

Total time taken to generate the page: 0.00536 seconds