Closed ghost closed 10 years ago
I see the possibilities of XSS; however, I think those checks should always be performed on the server rather than on the client anyway.
Example: Run an XSS filter when posting the values so sanitization is performed prior to storing them via SQL query. It didn't do anything, and the click event is incorrect markup due to HTML entities, thus making it void and part of the src URL, which causes a 400 response code (Bad Request). My input had been sanitized on the server (not client). and
However, I do think it may appear to a "hacker" that they can attempt XSS.
I wouldn't consider XSS an issue, since any client input element can be used to attempt cross-site scripting. This needs to be performed on the server side, especially if it's running SQL queries. I would be more worried about SQL injection. Once XSS is saved in storage and output... that is where the XSS can infect the most: its output contains valid script.
WysiBB is a client-side application. Checks for any attacks must be on the server side. Server scripts must check all input values.
XSS injection possible
[img]bb.jpg" onerror="alert(location)[/img]
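The server-side check that both replies above call for, written out as an added example (this is not WysiBB's own code, and WysiBB itself does nothing server-side). It assumes a Node.js backend that receives BBCode from the editor, and a constructed site origin of https://example.invalid/ for resolving relative paths; the allowed-scheme list and the decision to show rejected tags as escaped text are design choices of this example. The payload from the report is embedded as a constructed input to show that it never reaches an attribute context:

```javascript
// Added example, not part of WysiBB: server-side rendering of BBCode [img] tags.
// WysiBB runs in the browser, so whatever it produces must be re-validated here
// before it is stored or echoed back as HTML.

// Only these URL schemes may become an <img src>; javascript: and data: are refused.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Escape the characters that can close a quoted HTML attribute or open a tag.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Return a normalised absolute URL, or null if the value is not an acceptable image URL.
// Relative paths are resolved against an assumed site origin (constructed for this example).
function safeImageUrl(raw, base = 'https://example.invalid/') {
  const candidate = raw.trim();
  // Whitespace, quotes and angle brackets never belong in an image URL we emit;
  // rejecting them up front means a quote can never reach the attribute at all.
  if (candidate === '' || /[\s"'<>]/.test(candidate)) return null;
  let url;
  try {
    url = new URL(candidate, base); // WHATWG parser: rejects malformed input
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Convert [img]...[/img] to <img>; a rejected tag is shown as escaped text, so the
// reader sees what was posted but the browser never interprets it as markup.
function renderBBCodeImages(text) {
  return text.replace(/\[img\]([\s\S]*?)\[\/img\]/gi, (whole, body) => {
    const src = safeImageUrl(body);
    if (src === null) return escapeHtml(whole);
    return `<img src="${escapeHtml(src)}" alt="">`;
  });
}

// Constructed inputs: the payload from the issue and a benign tag.
const PAYLOAD = '[img]bb.jpg" onerror="alert(location)[/img]';
const BENIGN = '[img]https://example.invalid/bb.jpg[/img]';

console.log(renderBBCodeImages(PAYLOAD)); // escaped text, no <img> element
console.log(renderBBCodeImages(BENIGN));  // <img src="https://example.invalid/bb.jpg" alt="">
```

The two layers are deliberate: the URL check decides whether the value may become a src at all, and escapeHtml is still applied to the accepted value so that a future relaxation of the check (say, allowing query strings with quotes) cannot silently reopen the attribute-breakout the payload relies on. The same escaping belongs on every other attribute the BBCode-to-HTML step emits, and it must happen on output regardless of what the client editor did.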