HTML input in a question tricks the preview (but not the question page)
You should click this link:
See that popup?
The text formatter for questions should probably sanitize its input, and not accept HTML...
Update: The above only works in the preview while entering a question, not when viewing a question. Fair enough. :)
What about this?
<script type="text/javascript">alert('Booh!');</script>Update: Same as above, this only throws a popup at my face in the preview, but as you can see the parser actually shows the HTML code, instead of interpreting it. Alright then.
So what about this, then?
<iframe src="http://vidberg.blog.lemonde.fr/">Your browser does not support iframes.
</iframe>Alright, iframes are properly escaped as well.
So as it turns out, the bug is not what I originally thought: the problem is that the preview doesn't actually preview what will end up on the question page.
Instead, the problem is that preview interprets the HTML and displays the result, while on the question page, the HTML is properly escaped / sanitized.
To see what I'm talking about, try editing this question. :)
Comments