As designed Bug found in demo

[Tah Zonemaster]

Please see this demo for an example: http://demo.xenforo.com/?d=83a9a0b739b3adfc
When you put "</div></div><p><strong>" in the description of a board, it executes that as HTML.

 

[ragtek]

Descriptions can contain HTML

Description: You may use HTML

The text (or HTML) you insert here must be valid within a <p> tag.

IMO it's not a bug if you include "wrong HTML ".

It's the same as if you change a template and delete everything, or include not valid elements

 

[Paul B]

Board Meta Description

Enter a description for your board. This will be placed inside the meta description tag for the forum home page, so avoid using HTML.

Edit: I see you mean forum description, not board description. Specifically this forum: http://demo.xenforo.com/104/index.php?forums/test.3/

As ragtek posted above, it must be valid HTML.

 

[Tah Zonemaster]

Thanks for your replies both. It's not just using </div>, I can place <script> tags too, which work when loading the page. I know you can do this with templates too, but boards should have a check IMO.

 

[ragtek]

Why?
1.Only admins can create/edit these things, so if somebody wants to "destroy/hack" something, he will be able to do this even the data are validated...
2. IMO it's really usable that we're able to use HTML there

My 0.02$

 

[Paul B]

Agreed.

I use HTML to display the moderators in each category, amongst other things.
It's also used here on XenForo.com in the customer forums.

XenForo Community Support
You must be a XenForo customer to post in these forums. Ensure your account is listed here.

 

[Floris]

Exploit your own board as full admin by setting the description to <script>alert('naughty');</script> and feel like a king for a second.

 

[ibnesayeed]

You may also set the forum description as:

<!--

Or

<textarea>

 

[kkm323]

ohh god this demo is so missy

 

[Mike]

As mentioned, this is as designed and documented.