Log In
Flying Weather Castform Don't have an account yet? Register now!
.

Forum Thread

HTML rendered in forum post preview

Forum-Index Bug Reports Resolved HTML rendered in forum post preview
BoomBoy
OFFLINE
Trainerlevel: 77

Forum Posts: 605
Posted: Mon, 13/06/2022 22:12 (2 Years ago)
i found that you can write HTML in the forum post/editpost pages and it appears as if it was working:

however when you post it it appears as the boring old text:


i doubt this is intentional, but it is a very cool mechanic and i think being able to write your own css and divs and stuff would be pretty cool, but thats for a suggestions post maybe.
i thought that perhaps this revealed a weakness allowing for JS injection. i tried with a script tag (harmless code ofc, just seeing if i could show a feed or make a forum post) but it just gave me errors - either riako has fixed this (intentionally or unintentionally) or im just bad at js. it also seems you cant use <link> tags, which was weird, and everything inside a <head> tag was ignored.

<button>this button is a test</button>

edit: i tried writing the "script tag" with angled brackets around "script" and it blocked my browser so i spose thats been fixed? maybe automatically
CatLady
ONLINE
Trainerlevel: 103

Forum Posts: 8,584
Posted: Fri, 24/06/2022 08:50 (2 Years ago)
From what I experienced, there's no "blocking code" in the actual writing of the post. However once you click "post" or "edit" to publish, it checks whether you're allowed anything aside from BBCode. If you're not, it then blocks/disables anything that's more advanced than BBCode.
Credits for avatar to ~Cookie~

Kitties! Riako has no idea what he unleashed with that update🙀
Collecting Lovely Larvesta and Silly Seel Plushies~
Looking for Ice Gems and Flying Gems here! Help me hunt a Shiny Articuno!
(You can win your own non-shiny Articuno in return)
Breeding events for the cause here!
BoomBoy
OFFLINE
Trainerlevel: 77

Forum Posts: 605
Posted: Fri, 24/06/2022 13:28 (2 Years ago)
ok cool. I was worried that it might be a possibility for JavaScript injection but I couldn't get anything to work. it seems like a functioning system at the moment, and if it ain't broke, don't fix it lol