Comment Baking Concern


Experimenting on TDWTF has shown that insufficient sanitization is being performed on user posts. This allows users to disguise potentially malicious input as standard components of the Discourse UI. For example:

google.txt (17 KBytes)


The above look like a harmless attachment and mention, but they are really redirects to Google and Bing respectively. Such unsanitized input could be modified to point to potentially harmful sites, causing unwary users to be redirected without warning.

So far nothing more dangerous has been found, but this is still a vulnerability. I suggest the following:

  1. Any classes which are baked into elements by discourse - to indicate things such as mentions, attachments, etc - should not be permitted in user-generated raw.
  2. Sanitization should occur as the first step of baking a post.
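One way to implement suggestion 1 above, added here as an example and not code from Discourse or from the poster: a pass that runs before baking and strips the classes and attributes the baker itself emits from user-supplied HTML, so that only genuine mentions, attachments and polls carry that markup. It uses Python's standard-library html.parser. The reserved class list, the `data-poll-` prefix and the raw markup behind the pseudo-attachment are assumptions; the poll markup is a trimmed copy of the one posted later in this thread (#9).

```python
from html import escape
from html.parser import HTMLParser

# Assumed list: classes Discourse attaches to elements while baking a post
# (mentions, attachments, oneboxes, polls). Only the baker should emit them,
# so any occurrence in user raw is stripped before baking.
RESERVED_CLASSES = {
    "mention", "attachment", "onebox", "lightbox",
    "poll", "poll-container", "poll-info", "poll-buttons", "toggle-results",
}
# Attribute prefixes that drive the poll plugin; also baker-only (assumed).
RESERVED_ATTR_PREFIXES = ("data-poll-",)


class ReservedMarkupStripper(HTMLParser):
    """Re-emits the HTML it is fed, minus reserved classes and attributes."""

    def __init__(self):
        # Keep entities as written so they pass through unchanged.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = []  # (tag, "class=<name>" or attribute name) for audit

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, self_closing=False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    # Comments are dropped (the base class ignores them), as an allowlist
    # sanitizer would do.

    def _render(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:  # HTMLParser already lower-cases names
            if name.startswith(RESERVED_ATTR_PREFIXES):
                self.removed.append((tag, name))
                continue
            if name == "class" and value is not None:
                tokens = value.split()
                for t in tokens:
                    if t.lower() in RESERVED_CLASSES:
                        self.removed.append((tag, f"class={t}"))
                allowed = [t for t in tokens if t.lower() not in RESERVED_CLASSES]
                if not allowed:
                    continue  # drop a class attribute that became empty
                value = " ".join(allowed)
            if value is None:
                kept.append(name)
            else:
                kept.append(f'{name}="{escape(value, quote=True)}"')
        inner = " ".join([tag] + kept)
        return f"<{inner}/>" if self_closing else f"<{inner}>"


def strip_reserved_markup(user_html):
    """Return (cleaned_html, removed) for a chunk of user-supplied HTML.

    Run this before baking. It does not replace the tag/attribute allowlist
    sanitizer, which still has to remove script, event handlers and so on.
    """
    parser = ReservedMarkupStripper()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out), parser.removed


if __name__ == "__main__":
    # Constructed inputs: the pseudo-attachment and pseudo-mention from post
    # #1 (their raw markup is an assumption) and a trimmed fake poll from #9.
    samples = [
        '<a class="attachment" href="https://www.google.com">google.txt</a> (17 KBytes)',
        '<span class="mention">@rickroll</span> agrees with this message',
        '<div class="poll" data-poll-status="open" data-poll-name="poll">'
        '<ul><li data-poll-option-id="4c96bbc0e2390918dd50ef8e7eaff6e2">This is not</li></ul></div>',
    ]
    for sample in samples:
        cleaned, removed = strip_reserved_markup(sample)
        print(cleaned, removed, sep="\n  ")
```

Because the stripper runs first and the baker adds its classes afterwards (suggestion 2), anything that still looks like an attachment, mention or poll in the cooked post was produced by Discourse itself. The `removed` list is there so a site can log or flag posts that tried to smuggle in reserved markup.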

(Steven J, WTDWTF) #2

The obvious conclusion of this:

@rickroll agrees with this message

(Gerhard Schlager) #3

(17 KBytes)

Nearly the same can be done with images. (Well, ImageMagick strikes again and “optimizes” the hell out of those small images. Why?)
Anyway, I wouldn’t call any of this a bug. Just my 2 cents…

(Steven J, WTDWTF) #4

Bitten by the grayscale bug :stuck_out_tongue:

(NomNuggetNom ) #5

This is my gripe with lack of information on hover. You can’t fool me into clicking an image that looks like a link if the link color changes when I hover.

(Steven J, WTDWTF) #6


I almost wonder if they should both fix the baking issues and do something similar to oneboxed images to any user-inputted images - in other words, add the little hover-over title popup thing


Yeah, bug was just the best fit out of the available categories.


Any progress on this? @GoogleBot is curious.

(Kane York) #9
  • This is not
  • a poll
  • However
  • It takes considerable effort to create
  • Ultimately, it's still in the post, and it's not really harming much.


Or maybe it is a poll.

<div class="poll" data-poll-status="open" data-poll-name="poll"><div><div class="poll-container"><ul><li data-poll-option-id="4c96bbc0e2390918dd50ef8e7eaff6e2">This is not</li><li data-poll-option-id="d1a2852882e80a177a99b9296381500a">a poll</li><li data-poll-option-id="d1a2852882e80a177a99b9296381500b">However</li><li data-poll-option-id="d1a2852882e80a177a99b9296381500c">It takes considerable effort to create</li><li data-poll-option-id="d1a2852882e80a177a99b9296381500d">Ultimately, it's still in the post, and it's not really harming much.</li></ul></div><div class="poll-info"><p><span class="info-number">0</span><span class="info-text">voters</span></p></div></div><div class="poll-buttons"><a class="button toggle-results" title="Don't Display the poll results">Don't show results</a></div></div>


The pseudo-mentions and pseudo-attachments don’t take a lot of effort to craft, and they could be crafted to send the unwary users (or mobile users) to unsafe sites. At least with standard links, you know they are links. These look like Discourse specific features and this could prove a weak point.

(Kane York) #11

It also appears that nobody can vote in the poll anymore, as I set data-poll-status to garbage.

(Jeff Atwood) #12

I agree with @gerhard.

This topic is now closed. New replies are no longer allowed.