Jump to content

  • Log in with Facebook Log in with Twitter Log In with Google      Sign In   
  • Create Account

Welcome to BZPower!

Hi there, while we hope you enjoy browsing through the site, there's a lot more you can do if you register. The process is easy and you can use your Google, Facebook, or Twitter account to make it even faster. Some perks of joining include:
  • Create your own topics, participate in existing discussions, and vote in polls
  • Show off your creations, stories, art, music, and movies and play member and staff-run games
  • Enter contests to win free LEGO sets and other prizes, and vote to decide the winners
  • Participate in raffles, including exclusive raffles for new members, and win free LEGO sets
  • Send private messages to other members
  • Organize with other members to attend or send your MOCs to LEGO fan events all over the world
  • Much, much more!
Enjoy your visit!

Issue Information

  • #000091

  • Issue

Issue Confirmations

  • Yes (1)No (0)
Locked 
Photo

Minor glitch

Posted by Dralcax on Dec 10 2012 - 06:00 PM

Posted Image
This should be relatively self-explanatory.


~Shockwave~
Dec 10 2012 06:26 PM
HEY! THAT'S ME!!
 
Ehem... yeah. never seen that before... but unless you just have way to much free time and amazing photoshop skills, it's kinda undeniable... so I choose to remain undecided.

It's because <shockwave>'s name picks up as what the browser thinks is an HTML tag it doesn't know, so it doesn't display anything. The only way to fix that is for <shockwave> to change his username. :/


~Shockwave~
Dec 10 2012 06:42 PM
oh... well if Shockwave was open.... but it's not....sooooooooooo.... yeah....
 
than why does it display my name everywhere else?

oh... well if Shockwave was open.... but it's not....sooooooooooo.... yeah....
 
than why does it display my name everywhere else?

Some places have HTML disabled through the PHP. The notification menu just doesn't in this version of IP.Board.


JrMasterModelBuilder
Dec 10 2012 10:05 PM

HEY! THAT'S ME!!
 
Ehem... yeah. never seen that before... but unless you just have way to much free time and amazing photoshop skills, it's kinda undeniable... so I choose to remain undecided.

#END QUOTE

Or a DOM editor, that would be easier. Anyway, the username should have the PHP function htmlentities() called on it. If it is truely being parsed as an HTML tag this could potentially be leveraged in an XSS attack.
 
 
 


Edited by JrMasterModelBuilder, Dec 13 2012 - 09:43 PM.


Wow, it's gone from the quotes, too.


~Shockwave~
Dec 11 2012 05:21 PM
yeah. I see it too...

I've opened a ticket on this with Invision.

Hmm...
[quote name="<shockwave" timestamp="1355182946"]oh... well if Shockwave was open.... but it's not....sooooooooooo.... yeah....   than why does it display my name everywhere else?[/quote]

oh... well if Shockwave was open.... but it's not....sooooooooooo.... yeah....
 
than why does it display my name everywhere else?

Interesting.

Edited by fishers64, Dec 12 2012 - 05:23 PM.


From Invision:

The < and > characters are blocked from display names in IP.Board so they should not have been able to use them. I'm not sure how they managed to use them in their name originally but they are blocked to prevent this type of issue so I recommend changing their name for them to remove these characters.

So, shockwave, I suggest you come up with a new display name, if you please.

locked issue





0 user(s) are reading this issue

0 members, 0 guests, 0 anonymous users