<script>alert(" in profile fields

Hello,

I have geeky users and they're having fun trying to inject script into profile fields.... ;)

Today, I've learned that if a user puts something similar to this

<script>alert("XSS is fun!");</script>

into one of their profile fields, an alert is prompted (pop-up) whenever someone tries to see the profile of this user...

Is this something that could be easily fixed?

Quote · 8 Jun 2015

Can you provide more information? What field is affected? Just tried on demo.boonex.com, and I can't reproduce it.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 8 Jun 2015

It was the "Last Name" field

The user typed exactly

Lastname<script>alert("XSS is fun!");</script>
Quote · 8 Jun 2015

Update: Yep, seems it can be snuck into the description field with the browser tools. I'll update and escalate the ticket I made: http://www.boonex.com/trac/dolphin/ticket/3529

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 8 Jun 2015

Kinda disappointed with myself for not finding this..

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 8 Jun 2015
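
An added example, not part of the thread and not Dolphin's own code: because the value can be submitted with browser tools, client-side checks cannot be relied on, so this sketch encodes profile values when they are rendered and scans stored values for markup that needs review. The function names, field names and sample rows are hypothetical.

```php
<?php
// Added example: not Dolphin's code. Names and sample rows are constructed.

/** Encode a stored profile value for an HTML text context at render time. */
function render_profile_field(string $label, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return sprintf(
        '<div class="profile-field"><span>%s</span>: %s</div>',
        htmlspecialchars($label, $flags, 'UTF-8'),
        htmlspecialchars($value, $flags, 'UTF-8')
    );
}

/** Flag stored values that contain markup, so existing rows can be reviewed. */
function find_suspect_fields(array $profiles): array
{
    $hits = [];
    foreach ($profiles as $id => $fields) {
        foreach ($fields as $name => $value) {
            // Tag-like '<name', an inline event handler, or a javascript: URL.
            if (preg_match('/<\s*\/?\s*[a-z!]|\bon\w+\s*=|javascript\s*:/i', $value)) {
                $hits[] = ['profile' => $id, 'field' => $name, 'value' => $value];
            }
        }
    }
    return $hits;
}

// Constructed sample rows; the second reproduces the value quoted in the thread.
$profiles = [
    101 => ['FirstName' => 'Ann', 'LastName' => "O'Neil"],
    102 => ['FirstName' => 'Bob', 'LastName' => 'Lastname<script>alert("XSS is fun!");</script>'],
];

// Rendering: the script tag is emitted as inert text (&lt;script&gt;...).
foreach ($profiles as $id => $fields) {
    echo render_profile_field('Last Name', $fields['LastName']), PHP_EOL;
}

// Audit: only profile 102 is reported; the apostrophe in O'Neil is not markup.
foreach (find_suspect_fields($profiles) as $hit) {
    printf("review profile %d, field %s\n", $hit['profile'], $hit['field']);
}
```

The scan is a review aid for rows already in the database; the encoding in `render_profile_field` is what stops the stored value from executing.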
 
 