Nonsense HTML tags allow blank posts

crcoli7307 · December 18, 2022, 5:26am

Hello there,

I recently found a bug with Discourse which allows the character limit to be bypassed.

For example, if the character limit is 30 characters, you could put a 30 character HTML tag such as

<thisisanonsensehtmltaglongerthanthirtycharacters>

In a post’s body, which would hide the tag and create a post with no visible body, or a body which is truncated.

I suppose that we use a check which only allows for real html tags to be used. Providing an error if it’s invalid.

I’m not too sure if this is known although upon some searching I couldn’t find a similar topic.

The first reply to this topic is an example blank post.

darkpixlz · December 18, 2022, 5:30am

Read:

crcoli7307 · December 18, 2022, 5:31am

Alright you can close then.

My apologies!

Topic		Replies	Views
HTML Tag bypassing ux	3	419	October 23, 2022
Bug? You can avoid the character restriction feature	5	1315	January 1, 2015
Avoiding the 20 characters support	5	766	April 22, 2021
Can fake HTML to bypass character limits be patched? support	2	544	December 3, 2022
Bypassing character minimum on posts via HTML ux	2	1341	March 29, 2019