JS injection using BBcode.

Hi everyone. I would like to prevent you that there are some security issues allowing users to use BBCode extension. In fact, the problem is that the string is not correctly parsed when inserting images (and links), which may allows someone to add some javascript actions, flash or wathever he wants. Here is a trivial exemple of what could be done: [img]http://www.somewebsite.com/image.png" onload="javascript:alert('hello world')[/img] This will show the image and display a pop-up saying 'hello world', nothing dangerous, but it could be really a big hole, allowing users to steal passwords of the others. My suggestion, for the moment, is to disable this extension while a better parsing is founded. Cheers, gizmo

Minisweeper

Crikey, Can you add this to the bug report as high importance? Perhaps whoever wrote the latest bbcode extension should be encouaged to update it.

Mark

Wow. Nice find.

graste

There are other js injection possibilities. See the provided link - I don't know if it belongs to vanilla, but want to share it (as I thought about js in css weeks ago) as an information resource: http://javascript.weblogsinc.com/entry/1234000770064356/

Mark

Wow. thanks for the link.