Open reinierl opened 2 years ago
When I: put <img src="" onerror="console.log('You have been pwned');" /> in my bio
<img src="" onerror="console.log('You have been pwned');" />
Then I expect: to either literally see that in my bio when viewing the map, or not see the scriptkiddy HTML injection at all
But actually: "You have been pwned" gets output to the console.
This is a case of XSS.
It's already been fixed with 744cdff, but for the record.
When I: put
<img src="" onerror="console.log('You have been pwned');" />in my bioThen I expect: to either literally see that in my bio when viewing the map, or not see the scriptkiddy HTML injection at all
But actually: "You have been pwned" gets output to the console.
This is a case of XSS.
It's already been fixed with 744cdff, but for the record.