this post was submitted on 07 Jul 2023

Test Magazine


<button onclick="myFunction()">Try it</button>

<script> function myFunction() { alert("I am an alert box!"); } </script>

top 4 comments
[–] [email protected] 1 points 1 year ago (1 children)

Looks like you've passed your own test!

[–] [email protected] 0 points 1 year ago (1 children)
[–] [email protected] 1 points 1 year ago (1 children)

I'm thinking that Kobrah who downvoted the post didn't understand what you were checking, or how innocuous the code you used as a test would have been if kbin hadn't correctly trapped it...

[–] [email protected] 1 points 1 year ago

@Teppic Yea, so for the folks who are thinking what is going on: I was checking whether Kbin is correctly escaping HTML/JS code from the body content when posting a thread or post. If this code creates a button on your kbin instance with a pop-up alert, you should really upgrade your kbin instance indeed. As you stated correctly, this is very innocent code that can't do any harm. However, if you are very handy you could do all kinds of HTML or JS injection into this site, without people / users even noticing.
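
The check described in the last comment, as an added example that is not part of the original thread and is not kbin's own code: it escapes a submitted body for an HTML text context and classifies whether a rendered post body shows the thread's test payload as inert text or as live markup. The function names and the sample rendered fragments are assumptions constructed for illustration.

```javascript
// Added example: output escaping for an HTML text context, plus a check of
// how a rendered post body treated the test payload from this thread.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Replace every character that can change HTML parsing state.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Classify the HTML of the post body element only (not the whole page,
// which legitimately contains its own <script> tags).
//   "raw"     - an opening tag from the payload reached the page unmodified
//   "escaped" - the payload is present only as inert text
//   "absent"  - the markup was stripped or the body was not rendered
function classifyRendering(bodyHtml, payload) {
  const tags = payload.match(/<[a-zA-Z][^>]*>/g) || [];
  if (tags.some((t) => bodyHtml.includes(t))) return "raw";
  const names = tags.map((t) => t.match(/^<([a-zA-Z][\w-]*)/)[1]);
  if (names.some((n) => bodyHtml.includes("&lt;" + n))) return "escaped";
  return "absent";
}

// The test body submitted in the post above.
const PAYLOAD =
  '<button onclick="myFunction()">Try it</button>\n' +
  '<script> function myFunction() { alert("I am an alert box!"); } </script>';

// Constructed sample fragments (not captured from any real instance).
const safeBody = `<p>${escapeHtml(PAYLOAD)}</p>`;   // escaped on output
const vulnerableBody = `<p>${PAYLOAD}</p>`;         // inserted verbatim
const strippedBody = "<p>Try it</p>";               // tags removed by a sanitizer

function demo() {
  return {
    safe: classifyRendering(safeBody, PAYLOAD),
    vulnerable: classifyRendering(vulnerableBody, PAYLOAD),
    stripped: classifyRendering(strippedBody, PAYLOAD),
  };
}

console.log(demo());
```

A result of "raw" for the post body is the condition the comment describes as the reason to upgrade the instance.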