keupon_ps2@yahoo.fr said: >but this will work (on phbb 2.0.6): >[url=http://www.google.fr"; onclick="alert('Hello')]text[/url] > >I don't remeber who has said that it will work on every version of phpBB >but i've tested it on phpBB 2.0.4 and it doesn't work. >An other person has said that it only works with this code: >[url=http://www.google.fr"; onclick="alert('Hello');"]text[/url] >I've tested it on 2.0.6 and it works but the code without the ;" works >also. These discrepancies might be due to differences in how web browsers render "bad" HTML, rather than a quirk in phpBB. Since the first example URL doesn't have a closing double-quote character in the onclick value, some browsers may ignore it altogether. It seems likely that some types of XSS-style attacks would only work in certain web browsers. Which browsers (and versions) were used when testing this bug? - Steve
