MyBB Community Forums

Exactly. We should properly document it somewhere. Laziness can be costly...

It actually doesn't, HTML gets parsed out before the MyCode is parsed (class_parser.php ln 133-147 and 177) making the output this:

<i class="fa fa-exclamation-triangle"&gt;&lt;script&gt;alert("Evil code goes here...");&lt;/script&gt;&lt;i class="fa fa-exclamation-triangle"></i>

That said, plugins that use the parse_message_end hook and a (.*?) can result in problems.

Oh, thanks for that. Nevertheless the following should work

[icon]exclamation-triangle" onload="alert('Evil code goes here...');[/icon]

which would produce:

<i class="fa fa-exclamation-triangle" onload="alert('Evil code goes here...');"></i>

Nope.

<i class="fa fa-exclamation-triangle" o<strong></strong>nload="alert('Evil code goes here...');"></i>

Oh O.O? IIRC the MyCode system was vulnerable to that kind of attach since long before 1.8 was on the makings..

Lets see if I can break this down..

I can't get on PC to look through code currently. But something seems to kind-of escape it

EDIT: a MyCode vuln was fixed in 1.6.15. Maybe this?

Try:

[icon]" style="background: red; width: 1000%; height: 1000%; color: green !important;font-size:100% !important;position:absolute;top:0;left:0;float:left;">Hellow World!<[/icon]

Good enough the editor will stand out, unless you put z-index in there

The following will only work in the ACP sandbox:

[icon]"><script>
alert("Hellow World!");
</script><[/icon]

Most MyCodes are sensible to this kind of "attacks".

@nth No sure THB

https://github.com/mybb/mybb/blob/e74ffe...r.php#L601 class_parser.php has a function to strip most (well, probably all) javascript thingies.

Users can still insert pretty much any HTML there. I'm too tired to check if that is still possible though, so don't take me for granted.

Ah yeah, html works. Will look into it tomorrow though.