09-28-2004, 03:16 AM
Quote:html may be turned off in the posts, but can it not still be run from a tooltip, like that? I mean if you hadnt put in the fix, would this not work:
if i started the post with:
">Hijacked Thread name here</a>
surely that would actually work, no?
Possibly it might have worked - the text in the database is stored "as is" except for adding IDs to bbcodes that will be translated (that's why you might se [b:38c93fd910] or something similar sometimes). I may have forgotten to translate the characters coming out of the db and into the title though.
Oh, and for some reason phpBB seems to use htmlspecialchars a lot...