[F] Custom Profile fields - possible XSS?

I am using MyBB 1.4.4 and have one custom profile text field users are required to fill in.
It seems it isn't properly escaped/checked when viewing threads.

For example, when I specify something like "<script>alert("foo")</script>" it's getting executed by the JavaScript interpreter when viewing the post; I get an alert box displaying "foo".
When viewing the profile itself the box isn't displayed, though.

Is this a bug or do I have to validate the field myself?
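The behaviour described above is the classic stored XSS pattern: a value saved to the database is interpolated into a template without output escaping, so it is rendered differently depending on which template touches it. The following PHP is an added illustration and is not MyBB's own code; the function names (`escapeProfileField`, `renderPostbitField`, `containsLiveScriptTag`) and the postbit markup are assumptions made for the example. It puts the raw-interpolation form next to the escaped form and runs the constructed payload from the report through both.

```php
<?php
// Added illustration, not MyBB code: escape user-controlled profile field
// values at the point of output so stored markup is shown as text, not parsed.
declare(strict_types=1);

/**
 * Escape a raw profile-field value for insertion into HTML text or an
 * attribute. ENT_QUOTES covers both quote styles; the explicit charset
 * avoids escaping being skipped on an invalid byte sequence.
 */
function escapeProfileField(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hypothetical postbit renderer. $vulnerable = true reproduces the
 * behaviour from the report (raw interpolation into the template);
 * $vulnerable = false is the hardened form.
 */
function renderPostbitField(string $label, string $raw, bool $vulnerable): string
{
    $value = $vulnerable ? $raw : escapeProfileField($raw);
    return '<div class="profile-field">' . escapeProfileField($label) . ': ' . $value . '</div>';
}

/**
 * Regression-test helper: true when the rendered HTML still contains an
 * opening script tag, i.e. the field value survived unescaped.
 */
function containsLiveScriptTag(string $html): bool
{
    return (bool) preg_match('/<\s*script\b/i', $html);
}

// Constructed sample input mirroring the test case in the report.
$payload = '<script>alert("foo")</script>';

$unsafe = renderPostbitField('Location', $payload, true);
$safe   = renderPostbitField('Location', $payload, false);

echo "Vulnerable output: {$unsafe}\n";
echo "Hardened output:   {$safe}\n";
echo 'Vulnerable output still contains a script tag: ' . var_export(containsLiveScriptTag($unsafe), true) . "\n";
echo 'Hardened output still contains a script tag:   ' . var_export(containsLiveScriptTag($safe), true) . "\n";
```

The point the example makes is that validation on save is not a substitute for escaping on output: the same stored value is safe in one template and live in another only because the escaping happens (or not) at render time, so the fix belongs in every template that prints the field, not in the form handler alone.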

Messages In This Thread
[F] Custom Profile fields - possible XSS? - by Suhosin - 2009-04-04, 11:26 AM
