Nonsense HTML tags allow blank posts

Hello there,

I recently found a bug with Discourse which allows the character limit to be bypassed.

For example, if the character limit is 30 characters, you could put a 30-character HTML tag such as

<thisisanonsensehtmltaglongerthanthirtycharacters>

in a post’s body, which would hide the tag and create a post with no visible body, or a body which is truncated.

I suppose that we use a check which only allows for real HTML tags to be used, providing an error if it’s invalid.

I’m not too sure if this is known, although upon some searching I couldn’t find a similar topic.

The first reply to this topic is an example blank post.

Read:

5 Likes

Alright you can close then.

My apologies!

3 Likes
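
Added example, not part of the thread and not Discourse's own code: a Ruby sketch of the two checks discussed above, measuring the visible text instead of the raw body and flagging tags that are not on an allowlist. `MIN_VISIBLE`, `KNOWN_TAGS` and all function names are assumptions made for illustration, and the limit is treated as a minimum body length.

```ruby
# Added illustration. MIN_VISIBLE and KNOWN_TAGS are assumed values.
MIN_VISIBLE = 30
KNOWN_TAGS  = %w[a b blockquote br code em i li ol p pre strong ul].freeze

TAG_RE     = /<\/?([a-zA-Z][a-zA-Z0-9-]*)[^<>]*>/ # opening or closing tag
COMMENT_RE = /<!--.*?-->/m                        # HTML comment

# The bypassable check: every raw character counts, including hidden markup.
def raw_length_ok?(raw)
  raw.strip.length >= MIN_VISIBLE
end

# Approximation of what a reader sees: comments and tags removed,
# &nbsp; and whitespace runs turned into single spaces.
def visible_text(raw)
  raw.gsub(COMMENT_RE, "").gsub(TAG_RE, "").gsub(/&nbsp;|\s+/, " ").strip
end

# Tag names that are not on the allowlist (the "error if invalid" idea).
def unknown_tags(raw)
  raw.gsub(COMMENT_RE, "").scan(TAG_RE).flatten.map(&:downcase).uniq - KNOWN_TAGS
end

# Returns [ok, errors]; the length rule is applied to the visible text.
def validate_body(raw)
  errors = []
  bad = unknown_tags(raw)
  errors << "unknown HTML tags: #{bad.join(', ')}" unless bad.empty?
  shown = visible_text(raw).length
  if shown < MIN_VISIBLE
    errors << "visible body is #{shown} characters, minimum is #{MIN_VISIBLE}"
  end
  [errors.empty?, errors]
end

# Constructed sample bodies: the tag from the post, a truncated body, a normal reply.
SAMPLES = [
  "<thisisanonsensehtmltaglongerthanthirtycharacters>",
  "ok <thisisanonsensehtmltaglongerthanthirtycharacters>",
  "<p>This reply has more than thirty visible characters.</p>"
].freeze

SAMPLES.each do |body|
  ok, errors = validate_body(body)
  puts "raw_ok=#{raw_length_ok?(body)} visible_ok=#{ok} #{errors.join('; ')}"
end
```

Regex stripping only approximates rendering; a production check is more reliable when it measures the output of the same renderer and sanitizer that produce the displayed post.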