Thread: XSS attack?
-
2019-01-25, 12:38 PM (ISO 8601)
XSS attack?
Preview post brings me to my browser's warning about an XSS attack, btw, so I haven't managed to preview to ensure the HTML is properly escaped.
[QUOTE]Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers and credit cards).
Try visiting the site's homepage.
ERR_BLOCKED_BY_XSS_AUDITOR[/QUOTE]
The message I initially tried to post:
Hi,
Sorry if this is in the wrong place, but would you mind considering posting a link to the comic in question in the discussion threads? It looks to me like the discussion thread is created via a script of some nature.
So for the "New comic is up." it would be great if it was:
Code:<a href="{comic_url}"> New comic is up. </a>
Code:New comic is up. <a href="{comic_url}"> 1153 Family Meeting </a>
It appears to be the url of the comic that is causing problems.
Last edited by Athas; 2019-01-25 at 12:43 PM.
-
2019-01-28, 12:02 PM (ISO 8601)
Re: XSS attack?
Playing with it a little bit, it looks like if you change the HTML that's within your CODE tags to use actual BB Code tags instead (in this case, [URL] tags), it'll work correctly.
For example:
Code:New comic is up.
Code:[url=http://www.giantitp.com/comics/oots1153.html]New comic is up.[/url]
John Ling
Frog God Games Lead Pathfinder Developer
Note: unless explicitly stated otherwise, opinions in my posts are my own and not those of Frog God Games.
-
2019-01-29, 05:06 AM (ISO 8601)
Re: XSS attack?
The HTML tags don't actually allow you to use HTML - HTML is disabled on this board, but the HTML tag is an artefact of the board design.
Presumably, the warning of an XSS attack comes from the way the preview remembers the HTML you've put into the tag and Chrome jumps at shadows detecting HTML that isn't meant to be there.
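
As an added illustration of the behaviour discussed in this thread (raw HTML disabled, `[url]` BB Code accepted), here is one way a board could render a post so that a preview never echoes submitted markup back as live HTML. This is example code written for this page, not the forum software's own; `render_post`, `_render_url`, `URL_TAG` and the http/https allowlist are assumptions.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web links are wanted

# Matches [url=TARGET]LABEL[/url] in text that has ALREADY been HTML-escaped.
URL_TAG = re.compile(r"\[url=([^\]\s]+)\](.*?)\[/url\]",
                     re.IGNORECASE | re.DOTALL)


def _render_url(match):
    target, label = match.group(1), match.group(2)
    # The target was escaped with the rest of the post. Unescape it only to
    # inspect the scheme; the escaped form is what goes into the attribute.
    try:
        scheme = urlsplit(html.unescape(target)).scheme.lower()
    except ValueError:          # malformed URL, e.g. a broken IPv6 literal
        scheme = ""
    if scheme not in ALLOWED_SCHEMES:
        return match.group(0)   # leave the tag as inert, visible text
    return '<a href="{}" rel="nofollow noopener">{}</a>'.format(target, label)


def render_post(raw):
    """Return HTML for a post where raw HTML is disabled and [url] is allowed."""
    # Step 1: escape everything, so <, >, &, " and ' become entities and any
    # HTML the user typed is displayed as text instead of being interpreted.
    escaped = html.escape(raw, quote=True)
    # Step 2: only now turn the allowlisted BB Code tag into markup that the
    # server itself generates.
    return URL_TAG.sub(_render_url, escaped)


if __name__ == "__main__":
    # Constructed sample inputs based on the two forms quoted in the thread.
    print(render_post('<a href="{comic_url}"> New comic is up. </a>'))
    print(render_post("[url=http://www.giantitp.com/comics/oots1153.html]"
                      "New comic is up.[/url]"))
```

Escaping before BB Code conversion is the important ordering: the only tags in the output are ones the renderer produced itself.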