Unexpected behaviour with HTML tags

Hello
I am just playing with the club and hope to delete this topic, but did you know that HTML tags seem to be permitted?

Hopefully this won't work. But it was surprising how much seems to be allowed.
Mouse over me

I originally got the idea to play with this because I wanted to use ‘<’ and ‘>’ in a post only for the preview to end up showing text in italics afterwards. When I meant to say <I did a thing>, it came out did a thing… and everything else was then in italics, which to me is a bug…

Note: to post the characters, I’ve used the HTML codes rather than the direct characters.

Edit: The bit that worried me was XSS but the obvious attempts failed so all phew :slight_smile:

3 Likes

Actually @richard_test

You should enable X-XSS-Protection to “1; mode=block” instead of 0 in your headers :stuck_out_tongue:


3 Likes

The club is hosted by Discourse.
Be one for @simon_tomes if there are any real concerns from @oxygenaddict

4 Likes

After a little more digging, I think it’s all OK. The one thing is that if there’s an option to turn off HTML codes, that could be useful. Partly because it went a bit awry when I wasn’t meaning to use HTML codes. It seems to be specific to the fact that I used ‘<’ then ‘I’. It wouldn’t have happened with <ink> or <underpants> (although typing those as plain text just doesn’t display them).

Hello <I am a fish> World!

Hello World!

Or maybe I’m just weird for using those characters like that? Or need to learn to use the code quotes?

3 Likes

I think this stems from the use of Markdown, where a subset of HTML is valid.

3 Likes

Yeah. And the fact that I was using <I am words> was treated as though I was trying to do something like <i style="font-size:12px;">Hello</i>. So perhaps it is expected behaviour - but is it desirable? I’ll leave that to Simon :slight_smile:

In hindsight I probably didn’t need to report myself for moderation…

4 Likes
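To see why `<I am a fish>` became an italic tag while `<ink>` did not, here is an added example (not Discourse's code, nor anything from the club) of the allow-list inline HTML filter a Markdown renderer typically runs: a tag whose name is on the allow list is kept with its attributes stripped, anything else is escaped so it shows literally, and any tag still open at the end of the post is closed so the formatting cannot leak into the rest of the page. The allow list, the sample inputs and the regex-based tag matcher are constructed for illustration; a production filter works on a real HTML parse tree rather than a regex.

```javascript
// Added example (not Discourse's own code): allow-list filter for inline HTML
// inside Markdown. ALLOWED_TAGS is a constructed allow list.
const ALLOWED_TAGS = new Set(["i", "b", "em", "strong", "code"]);

// Escape the characters that let text be read as markup.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Anything shaped like a tag: optional "/", a tag name, then whatever follows
// up to ">". This is exactly why "<I am a fish>" reads as an <i> tag with the
// junk attributes "am a fish", while "<ink>" is a tag named "ink".
const TAG_RE = /<(\/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>/g;

function filterInlineHtml(input, allowed = ALLOWED_TAGS) {
  let out = "";
  let last = 0;
  const open = []; // stack of allowed tags currently open
  for (const m of input.matchAll(TAG_RE)) {
    out += escapeHtml(input.slice(last, m.index));
    const [whole, slash, rawName] = m;
    const name = rawName.toLowerCase();
    if (!allowed.has(name)) {
      out += escapeHtml(whole); // unknown tag: display it literally
    } else if (slash === "") {
      open.push(name);
      out += `<${name}>`; // keep the tag, drop every attribute (style=, onerror=, ...)
    } else if (open.length && open[open.length - 1] === name) {
      open.pop();
      out += `</${name}>`;
    } else {
      out += escapeHtml(whole); // stray closing tag with nothing to close
    }
    last = m.index + whole.length;
  }
  out += escapeHtml(input.slice(last));
  // Close whatever the author left open so italics end with the post.
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

// Usage with the thread's own inputs (constructed call):
// filterInlineHtml("Hello <I am a fish> World!")  -> "Hello <i> World!</i>"
// filterInlineHtml("Hello <ink> World!")          -> "Hello &lt;ink&gt; World!"
```

With the allow list emptied (`new Set()`) every angle bracket is escaped, which is the "turn off HTML codes" behaviour discussed in the thread; the trade-off is that older posts relying on inline HTML would then render as literal tags.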

Hey @oxygenaddict ,

Am very much enjoying reading your exploratory testing notes.

Thanks for discovering this and seeing if this could lead to a security issue.

I’ll take a look to see if it’s possible to disable HTML codes. In the meantime, it seems like it’s not a huge issue if we aren’t able to.

2 Likes

If it isn’t a problem, may I put a vote in for leaving it on? Or at least seeing if older posts take advantage of it; that might look odd if it’s turned off.

1 Like

Happy to verify as invalid or won’t fix. :slight_smile:

Been quite an interesting exploration and discussion!

2 Likes

@simon_tomes did you manage to find this setting also? I still see a 0

Hey @kristof ,

> did you manage to find this setting also? I still see a 0

I didn’t. What does that mean?

Is that a risk for us to investigate further?

1 Like

Basically, the X-XSS-Protection header is a security feature that can be implemented in web browsers to mitigate the risk of cross-site scripting (XSS) attacks.

The settings: (currently “0”)

  • “0”: Disables the XSS protection feature in the browser.
  • “1”: Enables the XSS protection feature and instructs the browser to block the page if an XSS attack is detected.
  • “1; mode=block”: Enables the XSS protection feature and instructs the browser to block the page if an XSS attack is detected. This option ensures that the page is not rendered even if it is considered safe by the browser’s XSS filter.

Which means the protection is currently disabled. I’m sure they will counter XSS in some other way (not sure), but it is common practice to have it set as “1; mode=block”.

You can add - report also but that’s overkill I think :stuck_out_tongue:

I mean, there are a lot of ways to counter XSS and people shouldn’t rely on this header alone. But if you have it enabled but set to ‘disabled’ (0), you could either remove it or enable it with 1 :stuck_out_tongue:
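As an added example (not Discourse's code or the club's configuration), here is a small audit of the anti-XSS headers in a captured response, covering the settings listed above. The facts it encodes: X-XSS-Protection is a legacy header whose filter Chromium removed and Firefox never implemented, so its value only affects older browsers; a value of "1" on its own rewrites (sanitises) the page rather than blocking it, which is what "mode=block" changes; and Content-Security-Policy is the control modern browsers enforce, so "0" next to an enforced CSP is a defensible configuration rather than a gap. All header sets are constructed.

```javascript
// Added example (not Discourse's own code): evaluate the anti-XSS response
// headers of a captured HTTP response. Header names and values are constructed.

// Parse "X-XSS-Protection: <0|1>[; mode=block][; report=<uri>]" into its parts.
function parseXssProtection(value) {
  if (value === undefined || value === null) return null;
  const [flag, ...rest] = value.split(";").map((s) => s.trim());
  const directives = {};
  for (const d of rest) {
    const eq = d.indexOf("=");
    const key = (eq === -1 ? d : d.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? "" : d.slice(eq + 1).trim();
    if (key) directives[key] = val;
  }
  return {
    enabled: flag === "1",
    mode: directives.mode ?? null,
    report: directives.report ?? null,
  };
}

// Returns a list of finding ids; the caller decides how to report them.
function auditXssHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const findings = [];
  const csp = h["content-security-policy"];
  if (!csp) {
    findings.push("csp-missing"); // nothing restricts inline or remote scripts
  } else if (!/(^|;)\s*(default-src|script-src)\b/.test(csp)) {
    findings.push("csp-no-script-restriction"); // CSP present but does not govern scripts
  }

  const xxp = parseXssProtection(h["x-xss-protection"]);
  if (xxp === null) {
    findings.push("xxp-absent"); // harmless: Chromium and Firefox ignore the header anyway
  } else if (!xxp.enabled) {
    findings.push("xxp-disabled"); // the "0" seen in the thread; only matters to legacy browsers
  } else if (xxp.mode !== "block") {
    findings.push("xxp-filter-mode"); // "1" alone rewrites the page rather than blocking it
  } else {
    findings.push("xxp-block-mode"); // "1; mode=block", the value suggested in the thread
  }
  return findings;
}

// Usage with a header set modelled on what the thread reports (constructed):
// auditXssHeaders({ "X-XSS-Protection": "0" })  -> ["csp-missing", "xxp-disabled"]
```

The finding that matters for a defender is `csp-missing`: without a script-restricting CSP the site depends entirely on output encoding, and no value of X-XSS-Protection changes that in a current browser.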