Double checking XSS suspicions.
QuirkyQuark
27th February 2009, 07:16
<script>
document.write("This is in javascript!");
alert("XSS Hole!");
</script>
You might want to take a look at this Aika, definitely not cool.
PS: this is not in the forum dev section because html is disabled there.
Lipucd
27th February 2009, 14:09
YARG!
Talk about a really easy bypass!
Needs to be fixed ASAP!
XSI
27th February 2009, 16:26
While this is not fixed, I suggest Firefox with NoScript, set it to not allow any scripts from anything on the forum.
Or just set any other browser to just not allow scripts.
Diagasvesle
27th February 2009, 16:29
How do you do that?
Lipucd
27th February 2009, 17:54
How do you do that?
It's a JavaScript command, kinda shocked a chat board like this would just allow a user to do something like that under the "Html code".
@XSI: Oh I already had it thank you, but I knew something was up the SECOND the notice popped up...
aika
27th February 2009, 19:46
Hmm, is there any way to deal with this except completely forbidding html?
QuirkyQuark
27th February 2009, 21:50
Depends if you've got control over the code or not. If you do, then it should just be a basic change to a central file. If you don't, you'd want to contact vBulletin, direct them to this page, tell them their code sucks, and turn off HTML while they fix it.
This is really pathetic. With code injection this easy, I could have a full worm up and running before anyone knew what the fuck was going on. Come on vBulletin, I expect more from you!
EDIT: and yes, NoScript is really good.
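An added example, not code from this thread or from vBulletin, of the two options being weighed here: escape everything (the "completely forbidding html" route) or keep a small allowlist of tags and rebuild the post from that, dropping everything else. The tag and attribute lists, the `sanitize_post` function and the sample inputs are all constructed for this illustration; it uses only Python's standard library and sketches the approach rather than the forum's own HTML handling.

```python
"""Allowlist HTML sanitizer for user posts (constructed example, not vBulletin code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: any tag or attribute not listed here is dropped.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a", "img", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", ""}      # "" means a relative URL
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}   # the tag *and* its contents are removed


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the post from scratch, emitting only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # so anything the author left unclosed gets closed
        self.skip_depth = 0     # > 0 while inside <script> / <style>

    @staticmethod
    def _safe_url(value):
        # Browsers ignore tabs/newlines inside a URL, so remove them before reading the scheme.
        compact = "".join(value.split())
        return urlparse(compact).scheme.lower() in SAFE_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                      # drops onclick, onerror, style, ...
            value = value or ""
            if name in URL_ATTRS and not self._safe_url(value):
                continue                      # drops javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)      # "<br/>" is treated like "<br>"

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(self.skip_depth - 1, 0)
            return
        if self.skip_depth or tag not in self.open_tags:
            return                            # stray or disallowed closing tag
        while self.open_tags:                 # also closes tags nested inside it
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                                  # comments never reach the page

    def result(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_post(body, allow_html=True):
    """allow_html=False is the blunt fix (escape everything, i.e. no HTML at all);
    allow_html=True keeps a harmless subset of tags instead."""
    if not allow_html:
        return escape(body, quote=False)
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed samples: the payload posted in this thread, plus a few variants.
    samples = [
        '<script>\ndocument.write("This is in javascript!");\nalert("XSS Hole!");\n</script>',
        '<b onclick="alert(1)">bold</b> and <i>italic',
        '<a href="javascript:alert(1)">click</a> <a href="https://example.test/">ok</a>',
        '<img src=x onerror=alert(1)>',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize_post(s)))
```

The design point is that the sanitizer never passes the original markup through; it parses and re-serialises, so a tag or attribute the allowlist does not name cannot survive no matter how it was spelled or encoded. Running the script prints each sample next to its sanitised form, with the thread's `<script>` payload reduced to an empty string.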
aika
27th February 2009, 21:59
Except that I have NoScript whitelisting ulmf.org :p
aika
27th February 2009, 22:22
Interesting, this hasn't been disabled although I disabled [html] tags.
Hmm.
Can someone other than me try posting that again?
QuirkyQuark
27th February 2009, 23:15
<script>
document.write("This is in javascript!");
</script>
looks fixed to me.
aika
27th February 2009, 23:34
Excellent.
I removed the original because it was annoying.
QuirkyQuark
28th February 2009, 08:11
Now I feel sad that I gave up a perfectly good chance to take over the forums and make myself a mod.
/cry
Nunu
28th February 2009, 12:21
Is that a dare or something... you think you could defeat me?!?
QuirkyQuark
28th February 2009, 19:34
I hadn't seen you around for a bit, I figured I'd have at least some time before the mighty Nunu crushed me.
vBulletin® v3.7.4, Copyright ©2000-2013, Jelsoft Enterprises Ltd.