diblix's profile diblix's wall (single view)
oren's profile @oren Jul 20, 2022, 9:12 PM

Found an xss vulnerability in diblix: https://diblix.com/profile?id=167

oren's profile @oren Jul 20, 2022, 9:12 PM

You can run arbitrary javascript which is obviously not good

diblix's profile @diblix Jul 20, 2022, 10:14 PM

do you know how to prevent it?

oren's profile @oren Jul 21, 2022, 1:49 AM

Either use a regex so you can't use arbitrary characters in a username (best solution) or set element.innerText instead of element.innerHTML

diblix's profile @diblix Jul 21, 2022, 2:20 AM

well in beta 2.0 you can only use letters numbers and underscores so i think that solves it

oren's profile @oren Jul 21, 2022, 2:47 AM

Oh good

See more replies
diblix's profile @diblix Jul 20, 2022, 10:14 PM

might be a bit different now lol

View all comments