http://i.imgur.com/GCTE1gb.png
meow :3
Posted 01 June 2014 - 06:54 PM
Your image doesn't seem to work. Could you update it?
Posted 01 June 2014 - 08:25 PM
Ah, whatever. I'll just explain it fully:
When chats are sent from the server dynamically (i.e. via websocket, not as part of the initial page load), usernames aren't escaped. So if you set your Steam username to e.g. `<script>alert('xss')` and then send a message on a lobby chat or on the global chat, everyone that has that page loaded will have that JavaScript executed when they receive the message.
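The rendering flaw described in the report above, next to a fixed form, as an added example that is not part of the original post and not TF2Center's code. The function names, the message shape and the assumption that the message text was already escaped are hypothetical; the username is the one quoted in the report.

```javascript
// Added illustration: all names and the frame layout are assumptions.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flawed pattern: the message body is escaped, but the username is
// treated as trusted because it comes from the profile, not the chat box.
function renderChatUnsafe(msg) {
  return '<li><b>' + msg.username + '</b>: ' + escapeHtml(msg.text) + '</li>';
}

// Fixed pattern: every field that originates outside the server's own
// templates is encoded at the point where it is placed into markup.
function renderChatSafe(msg) {
  return '<li><b>' + escapeHtml(msg.username) + '</b>: ' +
    escapeHtml(msg.text) + '</li>';
}

// Regression check a test suite can run against either renderer.
function containsRawTag(html) {
  return /<\s*script/i.test(html);
}

// Constructed websocket frame using the username from the report.
const frame = JSON.stringify({
  username: "<script>alert('xss')",
  text: 'hi & bye',
});
const msg = JSON.parse(frame);

console.log('unsafe:', renderChatUnsafe(msg));
console.log('safe:  ', renderChatSafe(msg));
console.log('raw tag in unsafe output:', containsRawTag(renderChatUnsafe(msg)));
console.log('raw tag in safe output:  ', containsRawTag(renderChatSafe(msg)));
```

In a browser client, building the node with `document.createElement` and assigning the username through `textContent` avoids string-built markup altogether.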
Posted 01 June 2014 - 08:41 PM
Alright, the devs noticed. It should be fixed tomorrow.
Thanks for reporting
Posted 01 June 2014 - 10:43 PM
Thanks for pointing this out, Furl.
I've hidden this topic until the deploy goes out, since this is quite an exploitable bug.
Fixed