Tuesday, September 6, 2011

Left hand, meet right hand

The new EVE Online forums are back up this morning, so be ready for that.  ;-)

On its inaugural day, CCP Karuck has decided to claim that one of the key statements in CCP Sreeg's devblog -- the key statement, really -- about those same forums was either misinformed or was a misstatement.  The devblog in question and the statement in question:
People have reported that you were able to inject script into the signatures. While we didn't do validation to prevent the script tags from being inserted into the signature, we did encode the output so that the script was not executed on the client. Basically if you were to put (And this is REALLY simplified) *I had some script here but the blog tool actually sanitized it so just pretend* into your signature all that would happen is that the script, tags and all, would be rendered as text in your signature. If ANYONE has any evidence of this not being the case please shoot me an email to security@ccpgames.com but thus far our attempts to do so have shown that at least in that case, we were preventing what would have been a nasty vulnerability from occurring.

CCP Karuck's version, when asked about inserting scripts into sigs, goes like this:
If you are referring to the short period where we did allow signatures on the first (failed) attempt at launching these forums then yes, it was a possibility. But it is a pretty remote possibility, and this possibility exists on pretty much all public forums that do allow external image linking.
I'd like to underline that this is a remote possibility, and (known) flaws like these have been fixed in all modern browsers.

CCP Karuck, please send an e-mail to security@ccpgames.com letting Sreegs know about this ASAP.  Thanks.

P.S. Background image for the new forums?  Door.  CCP's quirky little sense of humor again.  ;-)
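To make the two dev statements concrete: Sreegs is describing encoding on output rather than validating on input, and Karuck is pointing at external image links as the remaining exposure. The renderer below is an added example, not CCP's forum code; the [img]...[/img] markup, the function names and the sample signatures are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed signature markup: plain text plus [img]URL[/img] for external images.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def safe_image_url(url: str) -> bool:
    """Only absolute http(s) URLs may become an <img src>; anything else
    (javascript:, data:, relative paths) is left as literal text."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)


def render_signature(sig: str) -> str:
    """Turn a stored signature into HTML.  Nothing is stripped on the way in;
    every piece of user text is HTML-encoded on the way out, so a <script>
    tag typed into the signature box is displayed as text, not executed."""
    out = []
    pos = 0
    for m in IMG_TAG.finditer(sig):
        # Text before the tag goes through the element-context encoder.
        out.append(html.escape(sig[pos:m.start()], quote=True))
        url = m.group(1)
        if safe_image_url(url):
            # Attribute context: quotes are encoded too, so a URL cannot
            # close the src="" attribute and add an event handler.
            out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
        else:
            # Disallowed scheme: render the whole tag as harmless text.
            out.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(sig[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample signatures, not taken from the forums.
    for sample in ("Fly safe & o7",
                   "<script>alert(1)</script>",
                   "[img]javascript:alert(1)[/img]",
                   'sig [img]http://example.com/a.png" onerror="alert(1)[/img]'):
        print(repr(sample), "->", render_signature(sample))
```

The last sample shows why the attribute context needs its own encoding: the URL passes the scheme check, but the embedded quote comes out as &quot; and stays inside src.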


  1. Hahahaha! This just made my day! Thanks for pointing it out :)

  2. I'm pretty sure Karuck is referring to cross-site scripting attacks, while Sreeg is talking about actual code, with the appropriate tags surrounding it, typed into the box where you put your signature executing on any machine that viewed that signature.


