Beeminder Forum

XSS, kind of?

The advanced data entry form reacts weirdly if you enter HTML. Specifically, if you enter <script>alert(1)</script> or the like, the code in the script tag will be executed.

Now, this itself isn’t a security issue (as far as I can see). You can’t use this to execute JavaScript in the context of somebody else’s session, at least not unless they enter the code in the advanced entry field themselves.

The real reason this is bad is that the existence of one XSS-type issue implies that there may be others lurking. That’s a scary thought—but despite that, this particular bug is so small as to barely be worth fixing. That said, it’s probably worth taking a good look at anywhere else this type of issue may crop up, and ensuring that there isn’t anywhere where an actual XSS is possible.



We did an XSS audit a few months ago, actually, and I’m surprised this didn’t show up. I’ll re-review the results!


I deployed a fix for this. Thanks!