So I was wondering if it somehow was possible to add some JS or jQuery to your own profile page? Like you can with CSS.
I think it used to be possible but I know at least on the squares they removed all functionality that would allow you to embed JS and its derivatives. Not sure what the situation here is.
short version: no
long version: nope, sorry
https://www.youtube.com/watch?v=dQw4w9WgXcQ
(why the fuck would you use jquery?)
If you could use javascript into a profile,
that would be called a Cross Site Scripting injection (XSS).

If the text boxes in the profiles aloud you to code in javascript,
you could potentially called a for-say external php script to be executed.
So in you could potentially have in that php script something like:
$SQL DETETE from USERS where ID="3" (just an example. to lazy to see how phpfox tables work).
and essentially delete users off the site and or/ add yourself to admin.

It's a pretty dangerous things and granted, external SQLi + XSS injection on a site would
be quite difficult to do in the first place.

tl;dr It can cause major security holes.
xenai said...

(why the fuck would you use jquery?)
If you could use javascript into a profile,
that would be called a Cross Site Scripting injection (XSS).

If the text boxes in the profiles aloud you to code in javascript,
you could potentially called a for-say external php script to be executed.
So in you could potentially have in that php script something like:
$SQL DETETE from USERS where ID="3" (just an example. to lazy to see how phpfox tables work).
and essentially delete users off the site and or/ add yourself to admin.

It's a pretty dangerous things and granted, external SQLi + XSS injection on a site would
be quite difficult to do in the first place.

tl;dr It can cause major security holes.


Really?... An SQL injection like that would never work. You cannot just run an SQL command out of the blue. You would know that if you knew anything about MySQL. And even if you managed to run an SQL injection from somewhere, they would not work if there's just a real_escape_string on GET and POSTS...
blocking XSS injections are fairly easy as well if you just escape HTML, attributes and JavaScript before putting in untrusted data.

And all I was asking if it was possible somewhere, a simple no would have been enough.
All times are GMT -5. The time now is 7:25 pm.