Hello
I am just playing with the club and hope to delete this topic, but did you know that HTML tags seem to be permitted?
Hopefully this won't work
But it was surprising how much seems to be allowed
I originally got the idea to play with this because I wanted to use ‘<’ and ‘>’ in a post only for the preview to end up showing text in italics afterwards. When I meant to say <I did a thing>, it came out did a thing… and everything else was then in italics, which to me is a bug…
Note: to post the characters, I’ve used the HTML codes rather than the direct characters.
Edit: The bit that worried me was XSS but the obvious attempts failed so all phew
After a little more digging, I think it’s all OK. The one thing is that if there’s an option to turn off HTML codes, that could be useful. Partly because it went a bit awry when I wasn’t meaning to use HTML codes. It seems to be specific to the fact that I used ‘<’ then ‘I’. It wouldn’t have happened with <ink> or <underpants> (although typing those as plain text just doesn’t display them).
Hello <I am a fish> World!
Hello World!
Or maybe I’m just weird for using those characters like that? Or need to learn to use the code quotes…
Yeah. And the fact that I was using <I am words> was treated as though I was trying to do something like <i style="font-size:12px;">Hello</i>. So perhaps it is expected behaviour - but is it desirable? I’ll leave that to Simon
In hindsight I probably didn’t need to report myself for moderation…
If it isn’t a problem, may I put a vote in for leaving it on. Or at least seeing if older posts take advantage of it, that might look odd if it’s turned off.
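The "<I am a fish>" behaviour above is exactly what an HTML tokenizer does: the letters straight after "<" become the tag name (case-insensitive), and everything after the first whitespace is read as attributes. The following is an added example (editor's code, not the forum's software or anything the thread's posters wrote) that models that tokenizer rule, then shows the two ways a forum can deal with it: escaping the characters so they display as typed (the "turn off HTML codes" option asked for above), or keeping an allowlist of tag names and dropping every attribute. The function names and the allowlist are assumptions for the illustration.

```javascript
// Added example (editor's code, not the forum's): a small model of how an HTML
// parser reads "<I am a fish>", and how escaping or an allowlist changes the
// result. Real forums use a full sanitizer; this only illustrates the mechanism.

// Escape the characters that have meaning in HTML text and attribute values.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Parse one tag-like token (from "<" to ">") the way an HTML tokenizer does:
// the tag name is the run of letters/digits right after "<" (case-insensitive),
// and whatever follows the first whitespace is read as attributes. That is why
// "<I am a fish>" becomes an <i> element with attributes am, a and fish.
function parseTag(token) {
  const m = /^<(\/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>$/.exec(token);
  if (m === null) return null; // not a tag at all, e.g. "<3" or "< 2 >"
  const attrs = [];
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let a;
  while ((a = attrRe.exec(m[3])) !== null) {
    attrs.push({ name: a[1].toLowerCase(), value: a[2] || a[3] || a[4] || '' });
  }
  return { closing: m[1] === '/', name: m[2].toLowerCase(), attrs };
}

// Render a post body. Everything is escaped except tags whose name is in
// `allowed`; those are re-emitted by name only, so attributes such as
// style="..." never reach the page. An empty allowlist is the
// "turn off HTML codes" option asked for in the thread.
function render(text, allowed) {
  const allow = new Set(allowed.map((t) => t.toLowerCase()));
  return text.replace(/<[^>]*>|[^<]+|</g, (chunk) => {
    const tag = parseTag(chunk);
    if (tag !== null && allow.has(tag.name)) {
      return `<${tag.closing ? '/' : ''}${tag.name}>`;
    }
    return escapeHtml(chunk);
  });
}

// Usage with the strings from the thread:
console.log(render('Hello <I am a fish> World!', ['i']));            // Hello <i> World!
console.log(render('Hello <I am a fish> World!', []));               // Hello &lt;I am a fish&gt; World!
console.log(render('<ink> or <underpants>', ['i']));                 // &lt;ink&gt; or &lt;underpants&gt;
console.log(render('<i style="font-size:12px;">Hello</i>', ['i'])); // <i>Hello</i>
```

With `i` on the allowlist the first line produces an unclosed `<i>`, which is why everything after "Hello" showed in italics; with an empty allowlist the post displays exactly as typed. `<ink>` and `<underpants>` are parsed as (unknown) tags too, which is why they vanish when a browser is handed them raw and why they need escaping as well.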
Basically the X-XSS-Protection header is a security feature that can be implemented in web browsers to mitigate the risk of cross-site scripting (XSS) attacks.
The settings: (currently “0”)
“0”: Disables the XSS protection feature in the browser.
“1”: Enables the XSS protection feature and instructs the browser to block the page if an XSS attack is detected.
“1; mode=block”: Enables the XSS protection feature and instructs the browser to block the page if an XSS attack is detected. This option ensures that the page is not rendered even if it is considered safe by the browser’s XSS filter.
Which means the protection is currently disabled. I’m sure they will counter XSS in some other way (not sure), but it’s common practice to have it set as “1;mode=block”
You can add report as well, but that’s overkill I think
I mean, there are a lot of ways to counter XSS and people shouldn’t rely on this header alone. But if you have it enabled but set to ‘disabled’ (0), you could rather remove it or enable it with 1
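To check a site for the points made in this post, the following added example (editor's code, not from the thread) parses an X-XSS-Protection value into its parts ("0", "1", "mode=block", "report=...") and audits a set of response headers, flagging the "0" case described above and a missing Content-Security-Policy. The header samples are constructed for the example. One caveat a practitioner should know: the browser filter this header controls has been removed from Chromium-based browsers and was never implemented in Firefox, so a Content-Security-Policy is the control that does the work in current browsers; the header is still worth setting consistently for the browsers that honour it.

```javascript
// Added example (editor's code, not from the thread): parse an X-XSS-Protection
// value and audit a set of response headers for the points raised above.

// Parse "0", "1", "1; mode=block" or "1; report=<url>" into its parts.
// Returns null for a value that is not one of the documented forms.
function parseXssProtection(value) {
  const parts = String(value).split(';').map((p) => p.trim()).filter((p) => p !== '');
  if (parts[0] !== '0' && parts[0] !== '1') return null;
  const result = { enabled: parts[0] === '1', mode: null, report: null };
  for (const p of parts.slice(1)) {
    const eq = p.indexOf('=');
    const key = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : p.slice(eq + 1).trim();
    if (key === 'mode') result.mode = val.toLowerCase();
    else if (key === 'report') result.report = val;
  }
  return result;
}

// Look a header up case-insensitively in a plain {name: value} object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

// Return a list of findings (strings); an empty list means nothing to report.
function auditHeaders(headers) {
  const findings = [];
  const xss = getHeader(headers, 'X-XSS-Protection');
  if (xss === undefined) {
    findings.push('X-XSS-Protection: not set');
  } else {
    const parsed = parseXssProtection(xss);
    if (parsed === null) {
      findings.push(`X-XSS-Protection: unrecognised value "${xss}"`);
    } else if (!parsed.enabled) {
      findings.push('X-XSS-Protection: "0" explicitly disables the browser filter');
    } else if (parsed.mode !== 'block') {
      findings.push('X-XSS-Protection: enabled without mode=block');
    }
  }
  // The filter this header controls no longer exists in Chromium-based browsers
  // and Firefox never shipped one, so a CSP is the control that matters today.
  if (getHeader(headers, 'Content-Security-Policy') === undefined) {
    findings.push('Content-Security-Policy: not set');
  }
  return findings;
}

// Constructed sample: the state the post describes (header present, set to "0").
const sampleAsPosted = { 'Content-Type': 'text/html', 'X-XSS-Protection': '0' };
// Constructed sample: the setting the post recommends, plus a CSP.
const sampleRecommended = {
  'Content-Type': 'text/html',
  'X-XSS-Protection': '1; mode=block',
  'Content-Security-Policy': "default-src 'self'",
};
console.log(auditHeaders(sampleAsPosted));
console.log(auditHeaders(sampleRecommended)); // []
```

Feed `auditHeaders` a plain object built from real headers (for instance the output of `curl -sI` on the site, or `Object.fromEntries(response.headers)` from a `fetch()` call) to see which of the findings apply.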