XSS Issue - Save the innocent MP users!

I've discovered a cross-site scripting vulnerability which has to do with the way quotes are handled in image tag `src` attributes. As you've probably noticed...the background of this site is now black when you visit this thread. I've manage to do this with the following code:

<img=#'onerror=document.body.style.backgroundColor='#000>

Ah, who could forget little Bobby Tables? A slightly different topic (SQL injection), but equally relevant.

If you honestly feel that it's a threat to users, then I recommend deleting your post and reporting it to the MP admin privately.

Why? It's better that users are aware of the issue, in this case. This isn't true of all vulnerabilities.

Call up REI network security and tell them to scan your site with Web inspect or whatever tools they have. Take advantage of big daddy.

So much for responsible disclosure.

As a user, I reasonably expect a site to NOT have XSS vulnerabilities. If there is one that hasn't been fixed, I'd rather know about it. I'm positive that my responsible disclosure of this vulnerability isn't showing any would-be hackers how to do anything they wouldn't have already figured out. If this was something that would affect MP directly (such as SQL injection), I would have avoided creating a thread, and would have contacted the Admins.

Kyle Ondy wrote:So much for responsible disclosure.

Thanks for the notice; this should be fixed. Please continue to bask in your innocence.