Ability to inject any code to profile bypassing sanity filter

mikhail.trusfus · April 27, 2025, 12:37am

There is ability to inject any HTML code to user profile page. Some users use it to customize style but it is ruin OGS site styles on profile pages.

Some users include external executables (possible malware) like visitor logging, example GM.Chu1wee.PBI (Visiting this profile may be dangerous)

I think the ability to inject any HTML code must be fully eliminated. Just consider about people with epilepsy. Blinking and high contrast pages is not good for some people.

benjito · April 27, 2025, 1:04am

https://forums.online-go.com/t/a-profile-with-custom-css/29218?u=benjito

mikhail.trusfus · April 27, 2025, 1:07am

Link does not work - 404

BHydden · April 27, 2025, 1:08am

That discussion is only visible to “regular” users.

benjito · April 27, 2025, 1:11am

Oops, somewhat lengthy discussion on css injection in the regulars lounge

martin3141 · April 27, 2025, 9:43am

Looks like something new is being developed for sanitisation purposes:

https://wicg.github.io/sanitizer-api/

ronin3 · April 27, 2025, 10:21am

My stress level just went up.