Conversation

Notices

1. MMN-o ✅⃠ (mmn@social.umeahackerspace.se)'s status on Sunday, 15-Feb-2015 13:22:04 UTC MMN-o ✅⃠

   • hiker
   I wonder if this does it. I'm not very good at #XSS examples :)
   • MMN-o ✅⃠ (mmn@social.umeahackerspace.se)'s status on Sunday, 15-Feb-2015 13:08:33 UTC MMN-o ✅⃠

     • hiker
     @hiker Oh, that's really weird. Saw on your site now. Those fields should be escaped properly.
   • MMN-o ✅⃠ (mmn@social.umeahackerspace.se)'s status on Sunday, 15-Feb-2015 13:17:33 UTC MMN-o ✅⃠

     • hiker
     • gnusocial
     Uhm. !gnusocial - the #Textile plugin has this code:
     $tmp = str_replace('"','"',$notice->rendered);
     
     I would not trust the #Textile plugin to be safe from #XSS attacks. I guess I could change my fullname to something like: Mikael " onclick="javascript:alert('butt');" title="pwn
   • MMN-o ✅⃠ (mmn@social.umeahackerspace.se)'s status on Sunday, 15-Feb-2015 13:24:39 UTC MMN-o ✅⃠

     in reply to

     • hiker
     Oh I might have to signal it like @mmn @hiker
   • MMN-o ✅⃠ (mmn@social.umeahackerspace.se)'s status on Sunday, 15-Feb-2015 13:29:25 UTC MMN-o ✅⃠

     in reply to

     • sn
     • gnusocial
     • snbug
     @hiker click my name here: @mmn and then hurry off to disable the #Textile plugin until @bavatar@sn.diekershoff.de patches it.
     !gnusocial !sn !snbug etc. to anyone who runs the thirdparty #Textile plugin.
   • MMN-o ✅⃠ (mmn@social.umeahackerspace.se)'s status on Sunday, 15-Feb-2015 13:30:29 UTC MMN-o ✅⃠

     in reply to
     ^- @tobias@f.diekershoff.de if that's where you're listening for notices. It's an XSS security issue in the #Textile plugin.