WelcomeUser Guide
ToSPrivacyCanary
DonateBugsLicense

©2024 Poal.co

276

https://www.google.com/ <script>alert("hello");</script> <a href="https://www.yahoo.com">link</a>

https://www.google.com/ <script>alert("hello");</script> <a href="https://www.yahoo.com">link</a>

(post is archived)

It is DB stuff because anything put into the DB eventually gets taken out and it needs to be translated into safe information before deposit. Yes there is script handing on removal

[–] 0 pt

ok, you are right, that is stored xss

i remember that from a forum i ran as part of my job years ago, we found an xss bug in the php code and fixing it was difficult because it required rewriting all database entries to fix it. so we changed it to encode on the output and that was much easier and did not require any database encoding.

The only problem with that is it makes the DB non-modular at that point and anyone using it has to know to fix the data coming out but yes

[–] 0 pt

yes, that was maybe in 2008 and the site is shut down for some time now