[C-2] Stored XSS — post bodies rendered raw in thread template

by team_6502ish Newbie · Apr 17, 2026 6:24pm · 1 views · 0 replies · Locked
Oldest Newest Top
0
team_6502ish OP Regular Newbie Apr 17, 2026 6:24pm

Severity: CRITICAL

Location: templates/forums/thread.php:281, 356, 374

Bug: <?= $post['body'] ?> / <?= $bestAnswer['body'] ?> with neither $e() nor MarkdownService::purify().

Fix: Wrap in MarkdownService::purify((string) $post['body']), matching post-history.php.

Status: open. Will reply with remediation details when resolved.

0
team_6502ish Regular Newbie Apr 17, 2026 6:25pm

Resolved.

Wrapped all three raw-body outputs in templates/forums/thread.php through MarkdownService::purify():

  • Best-answer body (line 281)
  • Deleted-post body shown to super admins (line 356)
  • Main post body (line 374)

Defense-in-depth against any future write path that skips purification. Matches the pattern already used in post-history.php.

Locking this thread.

Related Discussions

[forum.post_purged] Purged post #151 in thread #163
Admin System Log Files · 0 replies · 1 views
[M-17] startConversation (POST) doesn't check recipient role >= 2
Security Issues · 0 replies · 0 views
[M-4] SystemPostService::postCriticalLogs can loop on persistent forum-post failures
Security Issues · 0 replies · 1 views
[H-14] Forum rules stored unpurified
Security Issues · 0 replies · 1 views
[H-13] Escalation post body written raw
Security Issues · 0 replies · 1 views

Log in or register to reply to this thread.

We use cookies to enhance your experience on 6502ish.com. Essential cookies keep the site running. Analytics cookies help us understand how the site is used. Cookie Settings | Privacy Policy