Bug-report follow-up

ovejo (@ovejo) · 1 reply
And a perhaps more important follow-up: it seems that forum postings aren't properly HTML-sanitized; look at the rendering I got when I posted the message, picture attached.

If HTML, and more specifically JavaScript, can be included in user input that gets displayed on the site, there could be a security issue, as other users' accounts could easily be hijacked by embedding some JS and stealing session cookies.

Please verify that HTML/JS is sanitized and don't display this forum post to the larger public until you've had time to check it out.

Also, there are some HTTP headers related to security that can be useful to enable, as they can mitigate some issues of this type, i.e. content security policy, transport security, cross-site scripting, cookie options...

1 attachment:
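As an added illustration of the two fixes the post asks for (not code from the forum or its author): escaping user-supplied post text before rendering, and emitting the hardening headers and cookie flags mentioned. The header values and cookie name are assumptions for a forum that serves its own scripts.

```javascript
// Added example (not the forum's own code): escape post text before
// rendering, and emit the hardening headers the bug report recommends.

// Map each HTML-significant character to its entity so that pasted markup,
// including <script>, renders as literal text instead of executing.
const ENTITY = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// Weak version: interpolates raw input into the page (what the attached
// screenshot suggests the forum does). Fixed version escapes first.
function renderPostUnsafe(body) {
  return `<div class="post">${body}</div>`;
}
function renderPost(body) {
  return `<div class="post">${escapeHtml(body)}</div>`;
}

// Response headers that limit the impact of any markup that does slip
// through. Values are illustrative assumptions, not the forum's config.
function securityHeaders() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
  };
}

// Session cookie flags: HttpOnly keeps document.cookie from exposing it to
// injected scripts, Secure restricts it to HTTPS, SameSite limits
// cross-site sends. Cookie name "sid" is an assumption.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input resembling markup pasted into a post.
const SAMPLE_POST = "hello <b>world</b> <script>alert(1)</script>";

console.log(renderPostUnsafe(SAMPLE_POST)); // markup survives: the bug
console.log(renderPost(SAMPLE_POST));       // markup rendered as text
console.log(securityHeaders(), sessionCookie("sid", "example-session-id"));
```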