MyBB Community Forums

Full Version: Profile Fields
Hello,

I just had a member sign up and purposely try to manipulate the forum to a certain extent. I was happy to know he admitted not being able to retrieve user details, so well done MyBB for that!

But... he did insert a JavaScript in one of his profile fields which, every time you visited his profile, would come up with a popup message.

Any way of disabling HTML across all profile fields?
It should be disabled by default. I remember someone asking how to enable it and it required some code change, if I remember correctly.

Which profile field did he use exactly? Any plugins on your board?
No, it's a custom profile field.
And what's the type of this field? Textbox, textarea, something else?
Textarea, but I also tried with textbox and it did the same thing.
Textarea/textbox seems to be htmlspecialchar'd properly, though, so it should not be possible to inject HTML/JavaScript through them.

Are you using MyBB 1.6.8? Unmodified member.php? No plugins?

Can you show contents of your mybb_profilefields table as well as the row of the mybb_userfields table which belongs to the affected user (ufid=uid)?
Can I give you cPanel logins in a PM?

And yes, it's 1.6.8
Mysterious... sure, PM me.