Able to delete a post by turning it into a comment using XSS evasion test
Expected behavior
Posts on Steemit should not be deleted. Only comments can be deleted.
Actual behavior
By using XSS evasion techniques, a post can be turned into a comment, which allows the user to delete it.
How to reproduce
- Add a new post
- Add any content you want
- Edit the post
- In content, add the following:
<BR SIZE="&{alert('XSS')}">
- Post it with a self-upvote
- Unvote it
- Delete it
Environment
- Browser: Google Chrome Version 63.0.3239.132 (Official Build) (64-bit)
- Operating system: macOS High Sierra
Visual Reproduction of the bug
Proof of transactions
Thanks to the creator of Steemd for creating such a great tool. Without this tool, I believe I wouldn't be able to reproduce this bug.
Posted on Utopian.io - Rewarding Open Source Contributors
Hey @jaysermendez I am @utopian-io. I have just upvoted you!
good job hahhahahha share share steem
Hahahha I believe it will be fixed
Great find and nice clear report!
Thank you for the contribution. It has been approved.
You can contact us on Discord.
[utopian-moderator]
Hahaha so this is not a bug but a hidden feature :P Updating it to honor the creator of Steemd.