by jenoer 2129 days ago
@robdelacruz: I have a few security-related findings for you that you might want to take a look at:

- I can inject any JavaScript in Titles, Tags and possibly other locations.

- By manually changing the value of the `userid` cookie, I can log in as any user ("1" for admin). This also allows me to access the admin section of the website.

- It's highly recommended to enable "HttpOnly" for session cookies. (Secure and SameSite should also be more strict if the application allows it)

Other remarks:

- There should be a limit on the length of submission titles; these seem to be close to unlimited.

Edit: It seems others are completely defacing the board by using these tricks. I just want you to know that it's not me.

3 comments
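The three findings in the report above (client-controlled `userid` cookie, missing cookie attributes, unescaped and unbounded titles), as an added defensive example in Go. This is not code from the newsboard project; the session key and the 200-character title cap are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"html"
	"net/http"
	"strconv"
	"strings"
	"unicode/utf8"
)

var sessionKey = []byte("constructed-example-key") // real deployments load a random secret
const maxTitleLen = 200                            // hypothetical cap; the board had none
// Instead of trusting a bare "userid" cookie (anyone can set it to "1"), the
// cookie carries "userid.hexmac" and only values signed by the server verify.
func signSession(userID int) string {
	id := strconv.Itoa(userID)
	mac := hmac.New(sha256.New, sessionKey)
	mac.Write([]byte(id))
	return id + "." + hex.EncodeToString(mac.Sum(nil))
}
func verifySession(value string) (int, error) {
	parts := strings.SplitN(value, ".", 2)
	if len(parts) != 2 {
		return 0, errors.New("malformed session cookie")
	}
	mac := hmac.New(sha256.New, sessionKey)
	mac.Write([]byte(parts[0]))
	if !hmac.Equal([]byte(parts[1]), []byte(hex.EncodeToString(mac.Sum(nil)))) { // constant-time
		return 0, errors.New("bad signature")
	}
	return strconv.Atoi(parts[0])
}
// Cookie attributes from the report: HttpOnly keeps injected JS from reading
// the session; Secure and SameSite=Strict limit where the browser sends it.
func sessionCookie(userID int) *http.Cookie {
	return &http.Cookie{Name: "session", Value: signSession(userID), Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode}
}
// Titles: cap the length and HTML-escape before rendering, so markup is shown as text.
func sanitizeTitle(title string) (string, error) {
	if utf8.RuneCountInString(title) > maxTitleLen {
		return "", errors.New("title too long")
	}
	return html.EscapeString(title), nil
}
```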

Thanks for the bug reports. Much appreciated. Will take a look at these one by one. Hopefully to get the site back up and running.

Source code is at: https://github.com/robdelacruz/newsboard

This is why we can’t have nice things! Citibank had the same issue five or six years ago where once you logged in you could change the URL to any account. I think they lost something like $36 million before the hole was plugged.

This is hilarious, people are having a JavaScript alert conversation on this site.