Conversation:
Notices
-
@hiker Haha, whut. Where?
-
@hiker Oh, that's really weird. Saw on your site now. Those fields should be escaped properly.
-
Uhm. !gnusocial - the #Textile plugin has this code:
$tmp = str_replace('&quot;', '"', $notice->rendered);
I would not trust the #Textile plugin to be safe from #XSS attacks. I guess I could change my fullname to something like: Mikael " onclick="javascript:alert('butt');" title="pwn
-
I wonder if this does it. I'm not very good at #XSS examples :)
-
Oh I might have to signal it like @mmn @hiker
-
@hiker click my name here: @mmn and then hurry off to disable the #Textile plugin until @bavatar@sn.diekershoff.de patches it.
!gnusocial !sn !snbug etc. to anyone who runs the thirdparty #Textile plugin.
-
^- @tobias@f.diekershoff.de if that's where you're listening for notices. It's an XSS security issue in the #Textile plugin.
-
@hiker Yes because that's how it is saved in the database. But you won't get any new such notices (as GNU social filters the html and escapes stuff properly - what Textile does is bypassing that instead of adapting it)
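The mechanism the thread describes, shown as an added illustration that is not code from the Textile plugin or from GNU social: the stored notice is already HTML-escaped, the plugin's str_replace turns every &quot; back into a literal quote, and a quote inside a profile name then closes the attribute it was sitting in. The sample markup, the profile name, the function names and the breakout check below are all constructed for this demonstration.

```php
<?php
// Added illustration (not code from the Textile plugin or GNU social):
// why turning &quot; back into a literal quote inside already-rendered
// HTML re-opens attribute injection, and what escaping at output time
// looks like instead. All sample values here are constructed.

// GNU social stores $notice->rendered as escaped HTML, so a profile name
// that contains a double quote arrives with &quot; in place of the quote.
// Constructed example of such a stored, already-escaped fragment:
$rendered = '<a href="/mikael" title="Mikael &quot; onclick=&quot;alert(1)&quot; title=&quot;pwn">Mikael</a>';

// The pattern the thread quotes from the plugin: unescaping every &quot;.
function textileStyleUnescape(string $html): string {
    return str_replace('&quot;', '"', $html);
}

// After the unescape the name no longer sits inside the title attribute:
// the quote closes it and a new onclick attribute appears in the markup.
$broken = textileStyleUnescape($rendered);

// Defensive approach: if a markup transform needs raw text, decode the
// plain text, transform it, and escape everything before output with
// ENT_QUOTES so both quote kinds are neutralized, instead of unescaping
// HTML that has already been filtered.
function escapeForHtml(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Crude check used only for this demonstration: a bare onclick="
// following a space means an attribute boundary was crossed.
function hasAttributeBreakout(string $html): bool {
    return stripos($html, ' onclick="') !== false;
}

$name = 'Mikael " onclick="alert(1)" title="pwn';  // constructed profile name
$safe = '<a href="/mikael" title="' . escapeForHtml($name) . '">'
      . escapeForHtml('Mikael') . '</a>';

var_dump(hasAttributeBreakout($broken));  // bool(true): attribute closed early
var_dump(hasAttributeBreakout($safe));    // bool(false): quotes stay as &quot;
```

Escaping at the point where the HTML is emitted, rather than undoing the escaping that GNU social already applied, is the "adapting it" the last notice asks for: the Textile transform still sees plain text, but no quote from user-controlled fields ever reaches the markup unencoded.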