Passive XSS?


Guest .Master

Posted

Messenger.
Message Title:

">[xss_code]


And Preview message :) .

For me it works in IPB 2.1.7. What would you advise? Only, there is no need to tell me to move to version 2.2 ;)

Posted

I can confirm. But it only works with MPs, so you have to be a registered user to try to get it to work. But yes, it's true.

You should report it to the Bug Tracker ;)

Posted

It only works for YOU. Why would you XSS yourself? :rolleyes:

When previewing the message, it's just taking what you submitted and putting it back in the form. When you actually SUBMIT the message, it is cleaned.

If you want to XSS yourself, have fun - but it certainly won't cause any harm to the forum, the site, or any of the members of the site.

Posted

I suppose the preview is not a preview of what is actually being sent, so that is a bug.
Surely everything that will be done to the message should be done to the message in the preview? Otherwise it's not a preview of what's being sent, it's just what you typed displayed in a blue box instead of a white one.

Posted

*sighs*

It is taking EXACTLY (without ANY conversions) what you submitted the first time and putting it back in the form fields - has nothing to do with the preview. What is previewed IS actually run through the cleaner.

Type in PM
Hit preview button
Previewed text is run through parser and displayed
What you submitted is then put back in the form fields - we can't take the converted content and put it in the form field (that would break what you submitted) so we take what you originally submitted

You can submit it as a bug if you really feel so inclined, but I'll tell you - it's not high up on the priority scale. ;)

Archived

This topic is now archived and is closed to further replies.
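An added example, not part of the thread and not IPB's code, of the form-repopulation step discussed above: it renders the same submitted title back into a form field once raw and once encoded for the HTML attribute context, then parses both pages to show which tags appear and what value the field ends up holding. The field name `msg_title` and the sample title are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a message title that closes the value attribute and the
# <input> tag, followed by harmless markup standing in for [xss_code].
# The field name "msg_title" used below is hypothetical.
SUBMITTED_TITLE = 'Re: hello "><b id="injected">x</b>'


def render_raw(title):
    """Repopulate the field with the submitted text exactly as received."""
    return '<form><input type="text" name="msg_title" value="' + title + '"></form>'


def render_escaped(title):
    """Repopulate the field with the text encoded for an HTML attribute."""
    return ('<form><input type="text" name="msg_title" value="'
            + html.escape(title, quote=True) + '"></form>')


class FormAudit(HTMLParser):
    """Records every start tag and the decoded value of the title field."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.field_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and dict(attrs).get("name") == "msg_title":
            self.field_value = dict(attrs).get("value")


def audit(page):
    """Return (start tags seen, field value after entity decoding)."""
    parser = FormAudit()
    parser.feed(page)
    parser.close()
    return parser.tags, parser.field_value


if __name__ == "__main__":
    for render in (render_raw, render_escaped):
        tags, value = audit(render(SUBMITTED_TITLE))
        print(render.__name__, tags, repr(value))
```

In the raw rendering the field value is cut off at the quote and an extra element appears in the page; in the encoded rendering the field holds exactly the text that was submitted, because the entities are decoded when the attribute is read.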
