Skip to:

Security Issue (Javascript Insertion)

  • tom.mccabe


    Hey everyone. I believe there’s a security flaw within BBPress that allows for any forum user to insert JavaScript into their posts. For instance, the following code replaces instances of “oldStuff” with “newStuff”:

    [img]” style=”display:none;” onerror=”this.parentNode.parentNode.parentNode.parentNode.parentNode.innerHTML = this.parentNode.parentNode.parentNode.parentNode.parentNode.innerHTML.replace(/oldStuff|onerror/g,’newStuff’);[/img]

    What are the patching instructions? Thanks.

Viewing 7 replies - 1 through 7 (of 7 total)
  • By default, bbPress does not allow using the img tag, it needs a plugin for this functionality. Of course, the given attributes style and any kind of JavaScript handler is highly unwanted, but it is a weakness in the plugin’s code, which has to be patched asap.



    I’m using the Allow Images plugin (



    I cannot reproduce the bug. The plugin is well written:

    $tags['img'] = array('src' => array(), 'title' => array(), 'alt' => array());

    only src, title and alt attributes are allowed. Can you share a pastebin link with the exact rogue text?



    Oh frack, it’s bbcode-lite.

    I run through post-text so the bbpress parser never fires.

    Fortunately img is disabled by default but I bet people turn it on.

    Working on a fix.



    Double frack, it’s not just IMG.

    Working hard on a fix.

    All BBcode-lite users should upgrade to 1.0.5 IMMEDIATELY

    (regardless if you allow images or not)



    Okay here’s the reality.

    Basically bbPress doesn’t run it’s tag filter on post_text when the text is finally displayed, because it would be too slow.

    Instead it only checks tags during saving time and filters then.

    If an item is not a tag AT SAVE TIME it won’t get checked.

    That is how this is slipping through, because bbcode are not html tags.

    I have a quick, dirty fix.

    Basically anything that gets stuck INSIDE a tag ie. [HERE] = < HERE > is no longer allowed to contain spaces, single quote or double quote. Stuff [blah]HERE[/blah] = <blah>HERE</blah> is okay.

    Preventing spaces alone, in theory, should be enough. Even url or entity encoding won’t get properly parsed. It will simply display as plain text and then you can see who is posting what instead of hidden stuff.

    The only good news is that this problem in theory should not allow admin cookies to be stolen since the last version of 0.9 and 1.x already use HttpOnly cookies which cannot be read by javascript.

    The downside of the quick-fix is that secondary attributes are no longer possible until I come up with another way. Example of secondary would be alt or title etc.

    Many thanks for reporting this Tom!



    I found something that worked on my site (installed june 1st 2018 with current version of bbpress) but apparently can be solved.

    On my site i just typed <script>alert(“hello there”)</script> in a post and the JS was executed (I was logged in as admin).

    When I tried it on this site it did not work. Do I need to setup some filter to achieve this?

Viewing 7 replies - 1 through 7 (of 7 total)
  • You must be logged in to reply to this topic.
Skip to toolbar