Bug with <h1> html tag type subjects in </h1> the main forum view

Kid_Kyoto (Probably work):

So, when you look at the main Dakkadakka forum view at http://www.dakkadakka.com/dakkaforum/forums/list.page, the subjects of the top threads in each subforum show up toward the right, right? Well, if they're encapsulated in < and >, then they don't show. I fear that they're actually getting resolved as html, which could lead to some abusive situations. I've created this subject in hopes that it will better illustrate the issue.

This is the thread that I noticed this from. Bump it and check the main forum page to see what I'm talking about: http://www.dakkadakka.com/dakkaforum/posts/list/504533.page


Automatically Appended Next Post:
Yeah, that's what I was afraid of. You might want to delete this topic to minimize the amount of abuse from this becoming public until you can get it fixed.

This message was edited 2 times. Last update was at 2013/02/01 18:34:06


Assume all my mathhammer comes from here: https://github.com/daed/mathhammer 
   
Wight Lord with the Sword of Kings (North of your position):

Owh lawd.
This is a really bad bug indeed.

   
Old Sourpuss (Lakewood, Ohio):

And yours shows up as a header size 1 because of the tags... interesting...

DR:80+S++G+M+B+I+Pwmhd11#++D++A++++/sWD-R++++T(S)DM+

Ask me about Brushfire or Endless: Fantasy Tactics 
   
Wight Lord with the Sword of Kings (North of your position):

It is indeed..

   
Old Sourpuss (Lakewood, Ohio):


I want to use this now... but we all know it would be abuse

   
[ADMIN] Decrepit Dakkanaut (London, UK):


Thanks for the info, the bug has been rapidly squashed. If anyone ever comes across anything similar, please do let me know ASAP. There is no significant risk to anyone's accounts from things like this as I am rather overzealous on security, but it would lead to formatting annoyances and general mischief if left unchecked.

Amusingly the forum names were being escaped correctly but the user entered info was not! More often than not I screw up by escaping too many times. This bug was a legacy bug from the base software that I had foolishly presumed safe.

Most other places with limited escaping use tag whitelists, to prevent script injection and similar abuses from happening. If you do come across any then be sure to let me know.

Check out our new, fully plastic tabletop wargame - Maelstrom's Edge, made by Dakka!
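The escaping problem described in the first post and in the admin's reply, as an added illustration that is not code from the Dakka forum software: a forum-index row rendered with the user-entered subject left raw (the legacy behaviour the admin describes, forum name escaped but subject not) beside the same row with the subject escaped once at output, a minimal tag whitelist of the kind the last post mentions, and a regression check that flags any subject that reaches the page verbatim. The row template, the function names and the sample subjects are constructed for this example.

```python
import html
import re

# Constructed sample thread subjects for the example (not real Dakka data).
# The first is the subject of this very thread; the third is what an abuser
# would try once they noticed <h1> being interpreted on the index page.
SAMPLE_SUBJECTS = [
    "Bug with <h1> html tag type subjects in </h1> the main forum view",
    "New Eldar codex rumours",
    '<script>alert("forum")</script>',
]

# Hypothetical row of the forum-index table: forum name on the left, latest
# thread subject on the right, as the first post describes.
ROW_TEMPLATE = '<tr><td class="forum">{forum}</td><td class="latest">{subject}</td></tr>'


def render_row_vulnerable(forum_name: str, subject: str) -> str:
    """The legacy behaviour: the forum name is escaped, the user-entered
    subject is interpolated raw, so <h1>...</h1> becomes real markup."""
    return ROW_TEMPLATE.format(forum=html.escape(forum_name), subject=subject)


def render_row_fixed(forum_name: str, subject: str) -> str:
    """Escape every untrusted value exactly once, at the point of output.
    html.escape also converts quotes, so the value is safe inside attributes."""
    return ROW_TEMPLATE.format(forum=html.escape(forum_name),
                               subject=html.escape(subject))


# Whitelist approach mentioned in the last post: escape everything, then
# re-enable a small fixed set of attribute-free tags. The pattern only matches
# "&lt;b&gt;" style tags with nothing between the name and the closing bracket,
# so a tag carrying attributes (onclick=...) stays escaped.
_ALLOWED_TAGS = ("b", "i", "u")
_ALLOWED_TAG_RE = re.compile(r"&lt;(/?)(" + "|".join(_ALLOWED_TAGS) + r")&gt;")


def sanitize_with_whitelist(text: str) -> str:
    """Escape-then-unescape-whitelist: safe because the escape step runs first."""
    return _ALLOWED_TAG_RE.sub(r"<\1\2>", html.escape(text))


def leaking_subjects(render, subjects=SAMPLE_SUBJECTS, forum="Nuts & Bolts"):
    """Regression check: a subject containing markup characters must never
    appear verbatim in the rendered row. Returns the subjects that leak."""
    return [s for s in subjects
            if any(c in s for c in "<>&\"'") and s in render(forum, s)]


if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print("raw:   ", render_row_vulnerable("Nuts & Bolts", subject))
        print("fixed: ", render_row_fixed("Nuts & Bolts", subject))
    print("leaks (vulnerable):", leaking_subjects(render_row_vulnerable))
    print("leaks (fixed):     ", leaking_subjects(render_row_fixed))
```

The admin's other failure mode, escaping "too many times", shows up as `&amp;lt;h1&amp;gt;` in the page source and a literal `&lt;h1&gt;` on screen: escaping is applied once, when the value is written into HTML, never when it is stored, and a check like `leaking_subjects` run against each template that prints user input catches the case the thread reports without needing a user to notice a missing subject.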