Ability to inject any code into profile, bypassing sanitising filter

There is the ability to inject any HTML code into the user profile page. Some users use it to customize style, but it ruins OGS site styles on profile pages.

Some users include external executables (possible malware) such as visitor logging; for example, GM.Chu1wee.PBI (visiting this profile may be dangerous).

I think the ability to inject any HTML code must be fully eliminated. Just consider people with epilepsy. Blinking and high-contrast pages are not good for some people.

6 Likes

https://forums.online-go.com/t/a-profile-with-custom-css/29218?u=benjito

1 Like

Link does not work - 404

4 Likes

That discussion is only visible to “regular” users.

2 Likes

Oops, a somewhat lengthy discussion on CSS injection in the regulars' lounge.

2 Likes

Looks like something new is being developed for sanitisation purposes:

https://wicg.github.io/sanitizer-api/

1 Like
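The kind of allowlist sanitiser the first post is asking for, as an added example built on Python's standard-library html.parser; it is not code from OGS or from this thread. It drops the `<style>` and `<script>` blocks that restyle the page, event-handler and style attributes, `javascript:` links, and images hosted anywhere except assumed site hosts, so a remote visitor-logging pixel never loads; the tag allowlist and the host names are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed allowlist for a profile page (constructed for this example, not OGS's real rules).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
TRUSTED_IMAGE_HOSTS = {"online-go.com", "cdn.online-go.com"}  # assumed hosts

def url_ok(attr, value):
    u = urlparse(value.strip())
    if u.scheme not in ("", "http", "https"):
        return False  # rejects javascript:, data:, vbscript: and similar
    # Images only from the site's own hosts or relative paths: a remote visitor-logging pixel never loads.
    return attr != "src" or u.netloc == "" or u.hostname in TRUSTED_IMAGE_HOSTS

class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.open_tags, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):  # on*, style, class, id never appear in the allowlist
        if tag in ("script", "style"):
            self.skip_depth += 1  # drop the element together with its whole content
        elif not self.skip_depth and tag in ALLOWED_TAGS:  # unknown tags are dropped, their text kept
            kept = {n: v for n, v in attrs if n in ALLOWED_ATTRS.get(tag, ()) and v and url_ok(n, v)}
            if tag == "img" and "src" not in kept:
                return  # an image without an acceptable source is dropped entirely
            self.out.append(f"<{tag}" + "".join(f' {k}="{escape(v)}"' for k, v in kept.items()) + ">")
            if tag not in ("br", "img"):
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open_tags:
            i = len(self.open_tags) - 1 - self.open_tags[::-1].index(tag)  # innermost match
            self.out.extend(f"</{t}>" for t in reversed(self.open_tags[i:]))  # close up to it, in order
            del self.open_tags[i:]

    def handle_data(self, data):  # comments, doctype and processing instructions are silently dropped
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_profile_html(html):
    p = ProfileSanitizer()
    p.feed(html)
    p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.open_tags))  # close tags left open so they cannot restyle the page
    return "".join(p.out)
```

Tags outside the allowlist lose their markup but keep their text, so a profile that relied on `<div>` wrappers degrades to plain paragraphs rather than disappearing.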

My stress level just went up.

1 Like