
XSS vulnerability in URL tags

Open Nisto opened this issue 2 years ago • 2 comments

I believe javascript: URLs ought to be filtered. URL tags currently allow embedding malicious inline scripts:

```php
<?php
// Composer autoloader for the chriskonnertz/bbcode package (path assumed).
require 'vendor/autoload.php';

$bbcode = new ChrisKonnertz\BBCode\BBCode();

// The javascript: target is passed straight through into the rendered link.
echo $bbcode->render("[url=javascript:alert('hacked')]malicious link[/url]");
```

Nisto, Feb 14 '23 19:02

tbh I plan to make a pull to fix it

ui0ppk, Nov 28 '23 15:11

I'm a few months late on this, but if anyone cares to do it, just make it allow specific URLs or disallow them (like a whitelist or blacklist).

ui0ppk, Feb 26 '24 16:02
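Along the lines of the allowlist suggestion above, here is an added example (not code from the issue, the library or its author) of a scheme allowlist applied to `[url]` tags before the BBCode reaches the renderer. The scheme list, the tag regexes and the "drop the link, keep the text" policy are assumptions; the library's own rendering or escaping is not relied on.

```php
<?php
// Added example, not the library's code: pre-filter BBCode so that [url] tags
// only survive when the target uses an allowlisted scheme or is relative.

const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

// True if $url is safe to put in href: no scheme (relative/protocol-relative),
// or a scheme on the allowlist. Everything else (javascript:, data:, ...) fails.
function isAllowedUrl(string $url): bool
{
    // Undo entity encoding first (&#106;avascript: -> javascript:), then drop
    // ASCII control characters and spaces, which browsers skip when reading a
    // scheme (so "java\tscript:" is treated as "javascript:").
    $u = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $u = preg_replace('/[\x00-\x20\x7F]+/', '', $u);
    // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $u, $m)) {
        return true; // no scheme: "/page", "#frag", "//host/path"
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

// Replace [url=target]text[/url] and [url]target[/url] with plain text when the
// target is not allowed, so no <a href> is ever rendered for it.
function filterUrlTags(string $bbcode): string
{
    $bbcode = preg_replace_callback(
        '/\[url=([^\]]*)\](.*?)\[\/url\]/is',
        fn(array $m): string => isAllowedUrl($m[1]) ? $m[0] : $m[2],
        $bbcode
    );
    return preg_replace_callback(
        '/\[url\](.*?)\[\/url\]/is',
        fn(array $m): string => isAllowedUrl($m[1]) ? $m[0] : $m[1],
        $bbcode
    );
}

// Constructed inputs: the payload from the issue, two filter test cases that
// exercise the normalisation step, and two benign links that must pass.
foreach ([
    "[url=javascript:alert('hacked')]malicious link[/url]",
    "[url=JaVaScRiPt:alert(1)]mixed case[/url]",
    "[url=java\tscript:alert(1)]tab in scheme[/url]",
    "[url=https://example.com/]fine[/url]",
    "[url]/relative/page[/url]",
] as $in) {
    echo $in, "  =>  ", filterUrlTags($in), PHP_EOL;
}
```

The first three inputs come out as bare text with no `[url]` tag left to render, while the last two are returned unchanged.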