Start a new topic

Improperly forbidden words break the website

Presumably due an overzealous attempt to prevent script injection, it is not possible to leave a comment or make a post or save a draft containing the string "javascript:document=".

This string is minimal in that removing any character will allow it to be posted, but it's far from exact: you can put almost anything between the "javascript:" and the "document" and the "=" it will still fail. that is, "javascriptfoo:document=" is allowed, but "javascript:documentfoo=" is disallowed. 

The order is important: "document=javascript:" is allowed.

Some insertions between the first two elements are also allowed, but not others: "javascript:"foo"document=" breaks, but "javascript:foodocument=" does not. you can put a bunch of newlines and other stuff in there too and still have it break.

The failure itself is extremely user-unfriendly in all cases. In comments, it looks like the attached screenshot. You have to click the mysterious OK button before you can edit the comment.

When posting or trying to save a draft, the button just silently does nothing, and also breaks: you can no longer switch between Post and Save Draft, nor can you edit the text or add tags.

Login or Signup to post a comment