As designed  Bug found in demo

ragtek

Guest
#2
Descriptions can contain HTML
Description: You may use HTML

The text (or HTML) you insert here must be valid within a <p> tag.
IMO it's not a bug if you include "wrong HTML :D".

It's the same as if you change a template and delete everything, or include invalid elements ;)
 
#4
Thanks for your replies both. It's not just using </div>, I can place <script> tags too, which work when loading the page. I know you can do this with templates too, but boards should have a check IMO.
 
ragtek

Guest
#5
Why?
1. Only admins can create/edit these things, so if somebody wants to "destroy/hack" something, he will be able to do this even if the data is validated...
2. IMO it's really usable that we're able to use HTML there

My 0.02$
 

Brogan

XenForo moderator
Staff member
#6
Agreed.

I use HTML to display the moderators in each category, amongst other things.
It's also used here on XenForo.com in the customer forums.

XenForo Community Support
You must be a XenForo customer to post in these forums. Ensure your account is listed here.
 
Floris

Guest
#7
Exploit your own board as full admin by setting the description to <script>alert('naughty');</script> and feel like a king for a second.
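
Added example, not part of any post above and not XenForo code: a sketch of the kind of check requested in #4, which reports description HTML that is not valid inside a `<p>` (stray `</div>`, `<script>`, event-handler attributes) while still allowing the inline markup described in #6. The allowlist, the function names and the use of Python are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist (not XenForo's): inline tags that are valid inside a <p>.
ALLOWED = {"a": {"href", "title"}, "b": set(), "strong": set(), "i": set(),
           "em": set(), "u": set(), "span": {"class"}, "br": set()}
VOID = {"br"}  # elements that never take a closing tag

def _href_ok(value):
    try:
        return urlsplit((value or "").strip()).scheme in ("", "http", "https")
    except ValueError:  # malformed URL
        return False

class DescriptionChecker(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.open_tags, self.problems = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.problems.append(f"tag <{tag}> not allowed")
            return
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                self.problems.append(f"attribute {name} not allowed on <{tag}>")
            elif name == "href" and not _href_ok(value):
                self.problems.append("href scheme not allowed")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if self.open_tags and self.open_tags[-1] == tag:
            self.open_tags.pop()
        else:  # e.g. a lone </div> that would close the page's own markup
            self.problems.append(f"closing </{tag}> does not match an open tag")

def check_description(html):
    """Return a list of problems; an empty list means the description passes."""
    checker = DescriptionChecker()
    checker.feed(html)
    checker.close()
    return checker.problems + [f"<{t}> is never closed" for t in checker.open_tags]

if __name__ == "__main__":
    # Constructed sample descriptions.
    for sample in ('Mods: <a href="/members/1/">Alice</a>', "</div>",
                   "<script>alert('naughty');</script>"):
        print(repr(sample), "->", check_description(sample) or "ok")
```

A check like this only rejects or warns on save; as #5 points out, an admin who can edit templates is not constrained by it.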