I meant something like this
Granted, it requires having a specific other extension installed and enabled, customizing the default regular expression from that extension to `/^.+$/`, and increasing the maximum display name length from the default 30, in which it's difficult to fit a good exploit.
In this example I've used the template `<span style="color: {groupcolor}">{username}</span>` and the nickname `<img src="/404" onerror="alert('xss')">`.
This exact setup might be unlikely, but we know people like to install many community extensions on their forums and it's best to make them aware if extensions conflict or introduce security issues when used together.
Other community extensions could also customize the display name value and allow values that are valid HTML.
At this time I only know of two extensions that customize the display name, the Nickname extension from above and the Email as Display Name. I doubt XSS can be achieved with the latter seeing as no space will be allowed in the email address. Other extensions might exist in the future.
Other issues I noticed:
- The custom formatting only applies after I start interacting with the post, like editing or hovering the username, or scrolling in the discussion. On page load or just after creating a new post it just shows as default. This must be because the code runs in `view` before the content is even rendered on the page, so the jQuery only works from the second redraw.
- When this extension is enabled, I'm unable to create new groups. I see the error `this.data.attributes is undefined` in the console.
Keep up the great work 👍️
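The template-substitution problem described above, as an added example that is not code from the issue or from the extension: the nickname is substituted into the configured template once unescaped and once HTML-escaped, with a small check for markup that the template itself did not contain. The names `escapeHtml`, `renderUnsafe`, `renderSafe` and `introducesMarkup` are assumptions; the sample template and nickname mirror the setup quoted in the issue.

```javascript
// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: placeholder values are dropped into the template raw,
// so a display name that passes a permissive regex becomes stored markup.
function renderUnsafe(template, values) {
  return template.replace(/\{(\w+)\}/g, (_, key) => values[key] ?? '');
}

// Hardened rendering: the template is trusted admin configuration, but every
// substituted value is escaped, which also covers {groupcolor} inside the
// style attribute (a quote there could otherwise close the attribute).
function renderSafe(template, values) {
  return template.replace(/\{(\w+)\}/g, (_, key) => escapeHtml(values[key] ?? ''));
}

// Detection check for tests or audits: did rendering introduce an opening
// tag that the template did not already contain?
function introducesMarkup(template, rendered) {
  const openTags = (s) => (s.match(/<[a-zA-Z][^>]*>/g) || []).length;
  return openTags(rendered) > openTags(template);
}

// Constructed sample values mirroring the issue's setup (hypothetical colour).
const TEMPLATE = '<span style="color: {groupcolor}">{username}</span>';
const VALUES = {
  groupcolor: '#ff0000',
  username: '<img src="/404" onerror="alert(\'xss\')">',
};

console.log('unsafe :', renderUnsafe(TEMPLATE, VALUES));
console.log('safe   :', renderSafe(TEMPLATE, VALUES));
```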