Your mama may have had eyes in the back of her head, but our admin team just can't see everything at once. It takes a village to make sure TVTropes is running the way it should, so when it comes to spotting tech snafus, dreaming up a better digital mousetrap, or just diagnosing plain old asshattery, the quicker you let us know something's up, the quicker we can address it. See a bug? Point to it and we'll squash it. Have an idea for a new feature? Post in the Tech Wishlist.
NOTE: Do not post duplicate bug queries; please check existing queries to see if your issue has already been reported, and comment on that one instead.
This is kind of a big deal. Someone can break this page right now if they wanted to.
Edited by frankye8998
We're no strangers to looooove...
I had a dog-themed avatar before it was cool.
deleted
Edited by frankye8998
Reported the issue.
"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled." - Richard Feynman
There are multiple security issues including XSS (persistent and reflected) and CSRF.
The following will trigger an alert box:
https://tvtropes.org/pmwiki/query.php?type=%22%3E%3Cscript%3Ealert()%3C/script%3E
https://tvtropes.org/pmwiki/pmwiki.php/WesternAnimation/%22%3E%3Cbody_onload=alert%28%27xss%27%29%3E (https://tvtropes.org/pmwiki/pmwiki.php/WesternAnimation/%22%3E%3Cbody_____onload_=___alert%28%27xss%27%29%3E)
https://tvtropes.org/pmwiki/article_history.php?article=%3Cscript%3Ealert()%3C/script%3E
Changing password to '<script>alert()</script>'. (also don't store passwords in plaintext (if you do))
Changing location to '<script>alert()</script>'.
Changing description to 'bracket /textarea bracket <script>alert()</script>'
Editing bug report with 'bracket /textarea bracket <script>alert()</script>'
Editing bug report with quote <script>alert()</script>
Submitting a bug with <body onload=alert()> as the title.
XSS isn't the only issue. A user's messages can be deleted if they click a link to the following page: tvtropes (DOT) org/pmwiki/delpm.php?id=all&conf=1
SOLUTIONS:
- Whenever passing a query, sanitize it.
- Either add a CSRF token to forms or only accept certain referers. Note that the latter may not work due to adblockers.
For more information, please read the following:
https://en.wikipedia.org/wiki/Cross-site_scripting
https://en.wikipedia.org/wiki/Cross-site_request_forgery
Edited by frankye8998
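The two fixes proposed in the report above (encode reflected parameters, require a CSRF token on state-changing requests), written out as a runnable illustration. This is added example code, not anything from the thread or from TVTropes; the site runs PHP (pmwiki.php), but the example is in Python so it can be executed as-is, and every function name, the server secret and the session ids are placeholders invented for the demo. The token scheme shown is a stateless session-bound HMAC, which is one of several valid designs; a per-session random token stored server-side works just as well.

```python
"""Output encoding for reflected parameters plus a session-bound CSRF check.
Illustrative Python, not TVTropes code; nothing here is a real pmwiki API."""
import hashlib
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlparse

# Placeholder secret for the demo; a real deployment loads it from config, never source.
SERVER_SECRET = b"replace-me-with-a-random-32-byte-secret"


def render_query_form_unsafe(query_type: str) -> str:
    """The pattern behind the reflected XSS in the report: the parameter is
    concatenated into HTML unchanged, so a value beginning with "> closes the
    attribute and the rest is parsed as markup."""
    return f'<input name="type" value="{query_type}">'


def render_query_form_safe(query_type: str) -> str:
    """Same form, with the value entity-encoded for the attribute context.
    quote=True also encodes both quote characters, so the attribute cannot be
    broken out of regardless of which quote style the template uses."""
    return f'<input name="type" value="{html.escape(query_type, quote=True)}">'


def extract_query_param(url: str, name: str) -> str:
    """Pull one (already percent-decoded) parameter out of a URL, as the server sees it."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def make_csrf_token(session_id: str) -> str:
    """token = nonce '.' HMAC(secret, session_id ':' nonce).
    Binding the MAC to the session id means a token lifted from one account
    (or from an attacker's own account) does not verify for anyone else."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_delete_pm(method: str, session_id: str, form: dict) -> tuple:
    """Handler logic for a 'delete messages' endpoint (hypothetical name).
    A plain GET with id=all&conf=1, the vector in the report, is refused outright:
    deletion is only honoured on POST with a token that verifies for the caller's
    own session. Returns (http_status, message)."""
    if method.upper() != "POST":
        return 405, "state-changing action requires POST"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, f"deleted messages: {form.get('id', '')}"


if __name__ == "__main__":
    # The first URL from the report, decoded the way the server would decode it.
    reported = "https://tvtropes.org/pmwiki/query.php?type=%22%3E%3Cscript%3Ealert()%3C/script%3E"
    value = extract_query_param(reported, "type")
    print("unsafe:", render_query_form_unsafe(value))
    print("safe:  ", render_query_form_safe(value))
    tok = make_csrf_token("session-of-alice")
    print(handle_delete_pm("GET", "session-of-alice", {"id": "all", "conf": "1"}))
    print(handle_delete_pm("POST", "session-of-alice", {"id": "all", "csrf_token": tok}))
```

The same encoding rule applies to every sink listed in the report (profile location, description, bug titles, bug-report edits): encode at the point where the stored value is written into HTML, choosing the encoder for the context (attribute, element body, inside a `<textarea>`), rather than trying to strip tags on the way in. For the delete endpoint, rejecting GET is what stops a link or image tag from triggering it, and the token is what stops a forged POST from another origin.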