chapel
New member
Someone on my forum mentioned me while writing some HTML. In the post the HTML is fine and does nothing but display as text, but on my profile it actually rendered the HTML. I looked into the code and added an HTML escape to keep it from happening, so I thought I would share that here.
<script>alert('Fillip H.')</script>
Probably won't work, but keep it in mind.
Yeah, so you might want to patch that asap.
PHP:
// Existing line in class_profileblock.php: BBCode is stripped, but HTML is left intact
$message = $message_orig = strip_bbcode($results_r['message'], false, false, false);
// Added afterwards: escape HTML metacharacters (including quotes) so the profile block shows them as text
$message = htmlspecialchars($message, ENT_QUOTES);
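The following is an added, stand-alone example (not code from the forum post or from the forum software) that shows what the extra htmlspecialchars() step changes. The forum's real strip_bbcode() is not part of standard PHP, so a minimal stand-in that only removes [tag]...[/tag] markup is assumed here; the sample message is constructed from the payload quoted in the thread.

```php
<?php
// Added example, not the forum's code. Compares rendering a profile message
// with only BBCode stripped (HTML survives and the browser executes it) against
// rendering it after htmlspecialchars(), as the post above does.
declare(strict_types=1);

// Assumed stand-in for the forum's strip_bbcode(): drops simple BBCode tags
// such as [b], [/b] or [url=...] and keeps the text between them.
function strip_bbcode(string $text): string
{
    return preg_replace('/\[\/?[a-z]+(?:=[^\]]*)?\]/i', '', $text) ?? $text;
}

// Before the fix: BBCode removed, HTML untouched.
function profile_message_unescaped(string $raw): string
{
    return strip_bbcode($raw);
}

// After the fix: HTML metacharacters turned into entities so the browser
// displays them instead of interpreting them. ENT_QUOTES covers both quote
// characters (needed when the value also lands inside an attribute),
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string,
// and the explicit charset avoids depending on the runtime default.
function profile_message_escaped(string $raw): string
{
    $message = strip_bbcode($raw);
    return htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: the thread's test payload wrapped in a little BBCode.
$sample = "[b]hi chapel[/b] <script>alert('Fillip H.')</script>";

echo 'Unescaped: ' . profile_message_unescaped($sample) . PHP_EOL;
echo 'Escaped:   ' . profile_message_escaped($sample) . PHP_EOL;

// Self-check: no raw angle bracket or quote may survive escaping.
$escaped = profile_message_escaped($sample);
if (preg_match('/[<>\'"]/', $escaped) === 1) {
    throw new RuntimeException('escaping failed');
}
```

Escape at the point of output, once: if the template that prints $message already applies htmlspecialchars(), escaping it here as well double-encodes the text (e.g. `&amp;lt;script&amp;gt;`), so check where the variable is finally echoed before adding the call in both places.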
Last edited by a moderator: