The use of "non" URLs on the ToS page

I have found a potentially concerning issue with the Terms of Service page on all Discourse installs (including

The ToS section "7. Content Posted on Other Websites" contains links to non-currentdomain.tld. These links are clickable because they are parsed just like any other post.

This allows for domain-squatting unregistered non-currentdomain.tld in some cases. A good example of this is

As a proof of point, I have registered

You can see my “detailed” write-up here: ComputeCode - Non-OpenWrt

I did not see this bug as worthy of a security bounty. But if you would like this submitted as one please let me know.


Can’t repro this on a new install. Looks like this is only available on pre-GDPR era sites that were set up with old privacy policy and terms of service templates.
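
An audit for the issue discussed in this thread, added here as an example and not part of either post or of Discourse's code: it scans a rendered ToS page for linked or bare hostnames outside the site's own domain and lists any `non-<site host>` name first. The site `forum.example`, the sample HTML, the bare-hostname pattern and all function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Bare hostnames a linkifier may turn into links (simplified pattern, an assumption).
BARE_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

class _Collector(HTMLParser):
    """Collect hosts from <a href> attributes and from bare hostnames in text."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            host = urlsplit(dict(attrs).get("href") or "").hostname
            if host:  # relative links have no hostname and are skipped
                self.hosts.add(host.lower())

    def handle_data(self, data):
        self.hosts.update(m.group(0).lower() for m in BARE_HOST.finditer(data))

def audit_tos_hosts(html, site_host, allowed=()):
    """Return (kind, host) for every off-site host, 'non-domain' entries first."""
    site_host = site_host.lower()
    trusted = {site_host, *(h.lower() for h in allowed)}
    parser = _Collector()
    parser.feed(html)
    parser.close()
    findings = []
    for host in sorted(parser.hosts):
        if host in trusted or host.endswith("." + site_host):
            continue  # the site itself or one of its subdomains
        kind = "non-domain" if host == "non-" + site_host else "external"
        findings.append((kind, host))
    return sorted(findings, key=lambda f: f[0] != "non-domain")

# Constructed sample: rendered ToS fragment for the hypothetical site forum.example.
SAMPLE = (
    '<h2>7. Content Posted on Other Websites</h2>'
    '<p>We have not reviewed material linked from '
    '<a href="http://non-forum.example">non-forum.example</a> websites. '
    'Contact <a href="https://forum.example/about">the staff</a> or see creativecommons.org.</p>'
)

if __name__ == "__main__":
    for kind, host in audit_tos_hosts(SAMPLE, "forum.example"):
        print(kind, host)
```

Any `non-domain` finding is a hostname the site does not control; rewording the ToS text so it no longer parses as a link removes the exposure.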