Nonsense HTML tags allow blank posts

crcoli7307 · December 18, 2022, 5:26am

Hello there,

I recently found a bug with Discourse which allows the character limit to be bypassed.

For example, if the character limit is 30 characters, you could put a 30 character HTML tag such as

<thisisanonsensehtmltaglongerthanthirtycharacters>

In a post’s body, which would hide the tag and create a post with no visible body, or a body which is truncated.

I suppose that we use a check which only allows for real html tags to be used. Providing an error if it’s invalid.

I’m not too sure if this is known although upon some searching I couldn’t find a similar topic.

The first reply to this topic is an example blank post.

darkpixlz · December 18, 2022, 5:30am

Read:

crcoli7307 · December 18, 2022, 5:31am

Alright you can close then.

My apologies!

Topic		Replies	Views
HTML Tag bypassing UX	3	478	October 23, 2022
Bug? You can avoid the character restriction Feature	5	1370	January 1, 2015
Avoiding the 20 characters Support	5	870	April 22, 2021
Can fake HTML to bypass character limits be patched? Support	2	651	December 3, 2022
Bypassing character minimum on posts via HTML UX	2	1503	March 29, 2019