On its inaugural day, CCP Karuck has decided to claim that one of the key statements in CCP Sreeg's devblog -- the key statement, really -- about same was either misinformed or was a misstatement. The devblog in question and the statement in question:
People have reported that you were able to inject script into the signatures. While we didn't do validation to prevent the script tags from being inserted into the signature, we did encode the output so that the script was not executed on the client. Basically if you were to put (And this is REALLY simplified) *I had some script here but the blog tool actually sanitized it so just pretend* into your signature all that would happen is that the script, tags and all, would be rendered as text in your signature. If ANYONE has any evidence of this not being the case please shoot me an email to email@example.com but thus far our attempts to do so have shown that at least in that case, we were preventing what would have been a nasty vulnerability from occurring.
CCP Karuck's version, when asked about inserting scripts into sigs, goes like this:
If you are referring to the short period where we did allow signatures on the first (failed) attempt at launching these forums then yes, it was a possibility. But it is a pretty remote possibilty, and this possibility exists on pretty much all public forums that do allow external image linking.
I'd like to underline that this is a remote possibility, and (known) flaws like these have been fixed in all modern browsers.
CCP Karuck, please send an e-mail to firstname.lastname@example.org letting Sreegs know about this ASAP. Thanks.
P.S. Background image for the new forums? Door. CCP's quirky little sense of humor again. ;-)