by neomeme
6962 days ago
"almost everything" is a bit of an overstatement, I think. I did incorrectly assume that news.YC was based on reddit - I've since corrected that. "This allowed users to make links in the comment section that could run javascript that could steal your cookie and your login details" would be more accurate. The issue has (very speedily) been resolved since, but there is no need to make light of a textbook XSS exploit.

Well the rest of the Internet disagrees with you.
--would be more accurate.
Yet you continue to claim reddit doesn't "validate input in any text boxes on the site."
--creator of reddit found the same exact exploit months ago
No. The exploit on YC news was an XSS exploit in link submissions that allowed me to run javascript on any YC user's client.
--textbook XSS exploit.
Hardly. There was no hidden JS, which is the defining characteristic of an XSS exploit. Certainly we shouldn't allow JS links, but making the claims you have is nothing more than a bogus stretch for attention.
Congrats on receiving it...