Kupite Premium da sakrijete sve reklame
Objave: 3   Posjećeno od: 32 users
10.12.2020 - 23:01
Expected behavior
If i put something that is not a color hex on background color input, an error should appear

Actual behavior
I put a css property and it works

Steps to reproduce the behavior
1. Go to Edit Profile page
2. Edit background color input and put ;height:99em(the last ; is to close background-color property)
In this case I tried to change height of page name box but works with any css property if it respects max length of 12 characters.
3. Save changes

Information
Browser: Mozilla Firefox (works with any browser)
OS: Windows

Attachments:






If i try to change the margin instead of height, page looks like this: (zoom 30%)




What about opacity? no problem (put ;opacity:0)



Edit: For some reason, I decided to modify the max-length of the input and as I suspect, the code checks the max length (which is 14) but not with the same value (which is 12) as the input, so it is possible to add css properties with longer names like this one: ;display:none (which makes disappear page name's div)



I would suggest change it for a color picker, which is a fancy option or better yet putting a regex that parses css tags.
Učitavanje...
Učitavanje...
11.12.2020 - 00:05
 Sid (Admin)
Mildly concerning bug, players can currently fuck with their profiles quite a bit lol.

Moved it here...
Učitavanje...
Učitavanje...
11.12.2020 - 04:13
 Dave (Admin)
Fixed, moving back to the bugs forum now that it's safe.

@EastPlz thanks for reporting. Yet another glaring vulnerability that has existed in atWar since who knows when. Fwiw I put in both your suggestions... a color picker and a regex filter.
----
All men can see these tactics whereby I conquer,
but what none can see is the strategy out of which victory is evolved.
--Sun Tzu

Učitavanje...
Učitavanje...
atWar

About Us
Contact

Privatnost | Uslovi korištenja | Baneri | Partners

Copyright © 2024 atWar. All rights reserved.

Pridružite nam se

Proširi riječ