<button onclick=“myFunction()”>Try it</button>

<script> function myFunction() { alert(“I am an alert box!”); } </script>

    • Teppic@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      I’m thinking that Kobrah who downvoted the post didn’t understand what you were checking, or how innocuous the code you used as a test would have if kbin hadn’t correctly trapped it…

      • melroy@kbin.melroy.orgOPM
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        @Teppic Yea, so for the folks who are thinking what is going on. I was checking whether Kbin is correctly escaping HTML/JS code from the body content when posting a thread or post. If this code create a button on your kbin instance with a pop-up alert, you should really upgrade your kbin instance indeed. As you stated correctly, this is very innocent code can’t do any harm. However, if you are very handy you could do all kind of HTML or JS injection into this site. Without people / users even noticing.