NineChime forum

Furry stuff, oekaki stuff, and other stuff.


#1 06-29-2006 03:35:02

Jaapio
New member

Profiles bug

Hi,
I just wanted to let all of you know that there is a small thing in the profiles that allows XSS...
You can just paste HTML in your profile. So if you would add an image tag, with the URL to a cookie stealer, and give the image a style so it can't be seen, in your website field... Well, I don't think I have to explain what you can do next when you have the admin's cookie.
I found it in Version 1.2.5 - Last modified 12/11/2005 and don't know if this is already fixed in the new versions.
You can fix this really easily by using htmlspecialchars( string , ENT_QUOTES); to strip the HTML code.

Greez J.
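The output-escaping fix suggested in the post above, as an added example that is not part of the original post and is not the project's own code. The function names and the sample value are hypothetical, and the http(s) scheme check goes one step beyond the post, because escaping alone does not make a javascript: link in an href harmless.

```php
<?php
// Added example: hypothetical helpers, not taken from the forum software.

// "Before": the stored website field is echoed verbatim, so any markup
// in it is parsed by the browser of whoever views the profile.
function render_website_unsafe(string $url): string
{
    return '<a href="' . $url . '">' . $url . '</a>';
}

// "After": validate the scheme, then escape at output time.
function render_website_safe(string $url): string
{
    $url = trim($url);

    // Assumption beyond the post: only http and https links are accepted.
    if (!preg_match('#^https?://#i', $url)) {
        return '';
    }

    // ENT_QUOTES converts both " and ', so the value cannot close the
    // href attribute; < and > are converted as well.
    $escaped = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');

    return '<a href="' . $escaped . '" rel="nofollow">' . $escaped . '</a>';
}

// Constructed sample: a website field that closes the attribute and
// appends a hidden image tag, as described in the post.
$sample = 'http://example.invalid/">'
        . '<img src="http://example.invalid/x.png" style="display:none">';

echo "unsafe: ", render_website_unsafe($sample), "\n";
echo "safe:   ", render_website_safe($sample), "\n";
```

In the safe output the whole value stays inside the href attribute as inert text (&quot;, &lt;, &gt;), so no img element is created.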
