iframes can be injected into an expanded quote.
<iframe src="https://meta.discourse.org">
Originally noticed here.
> iframes can be injected into an expanded quote.
> <iframe src="https://meta.discourse.org">
> Originally noticed here.

Expand this quote to see an iframe.
That’s a really good finding @boomzilla. Fixing it!
XSS?
That’s an awesome find.
Interestingly enough, I couldn't double escape the cooked version of the post, otherwise jQuery wasn't able to parse it properly... So I had to only slightly double escape it.
https://github.com/discourse/discourse/commit/9b29a23ecee5957974bc5504d0759984fae03043
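The failure mode discussed in this thread, as an added illustration that is not Discourse's own code or the linked fix: a quote expander hands a post's "cooked" HTML to an HTML parser, so an `<iframe>` inside it becomes a live element. The helper names (`wouldCreateActiveContent`, `expandQuote`) and the sample cooked body are assumptions made for the example.

```javascript
// Added example, not Discourse code. A quote expander must not pass raw
// cooked HTML to a parser such as jQuery's $(html) without a check, or an
// <iframe> in the quoted post is instantiated inside the expanded quote.

// Constructed sample: the cooked body of the post being quoted.
const COOKED = '<p>hello</p><iframe src="https://meta.discourse.org"></iframe>';

// Tags and attributes that create active content when parsed as HTML.
const ACTIVE_TAG = /<\s*(iframe|script|object|embed)\b/i;
const EVENT_ATTR = /\son[a-z]+\s*=/i;

// Escape the five HTML-significant characters so the string is inert text.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// True when parsing `html` would produce an iframe/script/object/embed
// element or an inline event handler. This is the pre-insert check a quote
// expander can run before it turns a string into DOM nodes.
function wouldCreateActiveContent(html) {
  return ACTIVE_TAG.test(html) || EVENT_ATTR.test(html);
}

// Build the expanded quote. Cooked HTML that would create active content is
// escaped and shown as literal text; ordinary markup is passed through.
// (Hypothetical policy for the example; a real site would use its sanitizer.)
function expandQuote(cooked) {
  const body = wouldCreateActiveContent(cooked) ? escapeHtml(cooked) : cooked;
  return '<blockquote>' + body + '</blockquote>';
}

// Stand-alone run: the sample is rejected and escaped, a plain post is not.
console.log(wouldCreateActiveContent(COOKED)); // true
console.log(expandQuote(COOKED));
console.log(expandQuote('<p>plain post</p>'));
```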
Yeah, I think there is potential to exploit, but not a clear XSS because the iframe is in a sandbox.
It’s nitpicking though, I say award the XSS badge.
Installed and confirmed patched on ours.