‹‹ Back to Bugs
Get Premium to hide all ads
Posts: 3   Visited by: 32 users
10.12.2020 - 23:01
Expected behavior
If i put something that is not a color hex on background color input, an error should appear

Actual behavior
I put a css property and it works

Steps to reproduce the behavior
1. Go to Edit Profile page
2. Edit background color input and put ;height:99em(the last ; is to close background-color property)
In this case I tried to change height of page name box but works with any css property if it respects max length of 12 characters.
3. Save changes

Information
Browser: Mozilla Firefox (works with any browser)
OS: Windows

Attachments:






If i try to change the margin instead of height, page looks like this: (zoom 30%)




What about opacity? no problem (put ;opacity:0)



Edit: For some reason, I decided to modify the max-length of the input and as I suspect, the code checks the max length (which is 14) but not with the same value (which is 12) as the input, so it is possible to add css properties with longer names like this one: ;display:none (which makes disappear page name's div)



I would suggest change it for a color picker, which is a fancy option or better yet putting a regex that parses css tags.
Loading...
Loading...
11.12.2020 - 00:05
 Sid (Admin)
Mildly concerning bug, players can currently fuck with their profiles quite a bit lol.

Moved it here...
Loading...
Loading...
11.12.2020 - 04:13
 Dave (Admin)
Fixed, moving back to the bugs forum now that it's safe.

@EastPlz thanks for reporting. Yet another glaring vulnerability that has existed in atWar since who knows when. Fwiw I put in both your suggestions... a color picker and a regex filter.
----
All men can see these tactics whereby I conquer,
but what none can see is the strategy out of which victory is evolved.
--Sun Tzu

Loading...
Loading...
atWar

About Us
Contact

Privacy | Terms of service | Banners | Partners

Copyright © 2024 atWar. All rights reserved.

Join us on

Spread the word