User made visiting their profile an autoban


KatFennec

Member
Member
Joined
Apr 21, 2017
Messages
57
Points
0
Age
30
Mysidian Dollar
4,476
Title says most of it. You can put a pound confirmation into the avatar URL slot, which makes viewing their profile an autoban. This could be a very serious problem, as you can also go and trick a user into approving the pounding of one of their pets, or any number of other such things. Any suggestions on fixing this, and also possibly removing the auto-bans?
 
This isn't just limited to avatars; theoretically, someone could create an autoban on another site by linking to the page. This is clearly a major problem caused by the autoban system.
 
I personally removed the autobans altogether, since it leads to unnecessary bans (i.e. if a user happens to refresh on the pound for whatever reason, boom, banned. Same for the adopt center). Here are a few links:
http://www.mysidiaadoptables.com/forum/showthread.php?t=4729 (removal)
http://mysidiaadoptables.com/forum/showthread.php?t=5168 (redirect replace)

They can safely be replaced with redirects and other messages to serve the same function of preventing this (and possible inspect element hacking) without throwing autobans like confetti. Hope these are useful!
 
I'm pretty sure that, hypothetically speaking, while I couldn't pound someone else's pet, I could trick them into pounding their own. All I need is a PM (haven't checked images in PMs though) or shout (definitely would work there) and a little knowledge of how Mysidia is set up.
Step 1. Get a pet I don't care about, to pound for the URL
Step 2. Set an image URL to the URL for confirming pounding + (with a little Mysidia knowledge) their active pet's ID at the end
Step 3. Post in the Shoutbox, so anyone who visits has their active pet pounded.

Targeted version:
Step 1. Same
Step 2. Check around for the target pet, use their ID at the end of the URL.
Step 3. Set the URL to an image, either in the shoutbox, your avatar, or, if possible, a PM.
Step 4. As the user would have to load it to even think about reporting it, they're not safe in PM; they'll get the target pet pounded. If it's an avatar or the shoutbox, everyone else who visits any page it appears on will get banned.

Or heck, do it on another site.

Not to mention the security holes caused by CKEditor happily allowing JavaScript.

Currently we're blocking the exploit on our site by disallowing anything as an avatar that isn't an image and has "pound" in the URL (because if it was just the former there's another exploit I found) using regular expressions, but there's got to be a better way.
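As an added example (not code from this thread or from Mysidia itself), here is a Python sketch of the "better way" the post above is asking for: the pound confirmation only changes state on a POST that carries the session's CSRF token, so an image tag or link pointing at the URL (which can only send a GET) does nothing, and a missing or wrong token gets a redirect with a message instead of an autoban. Session, PETS and handle_pound are constructed stand-ins for the real framework objects.

```python
import hmac
import secrets


class Session:
    """Constructed stand-in for a logged-in user's session."""

    def __init__(self, user_id):
        self.user_id = user_id
        # One random token per session; the confirmation form embeds it as a hidden field.
        self.csrf_token = secrets.token_hex(16)


# Constructed sample data: pet id -> owner id and pounded flag.
PETS = {101: {"owner": 1, "pounded": False}, 202: {"owner": 2, "pounded": False}}


def handle_pound(method, params, session):
    """Pound confirmation endpoint; returns (status, message).

    State only changes on a POST whose csrf_token matches the session's token.
    A GET (what an <img src> or a plain link sends) just renders the form,
    and a bad token is answered with a redirect, never with a ban.
    """
    pet = PETS.get(int(params.get("id", 0)))
    if pet is None or pet["owner"] != session.user_id:
        return ("redirect", "That pet is not yours.")
    if method != "POST":
        # Cross-site image loads and links can only issue GET, so nothing happens here.
        return ("form", "Confirm pounding this pet?")
    token = str(params.get("csrf_token", ""))
    if not hmac.compare_digest(token, session.csrf_token):
        # A forged cross-site POST has no way to know the token; send the user back
        # with a message rather than treating them as an attacker.
        return ("redirect", "Confirmation expired, please try again.")
    pet["pounded"] = True
    return ("ok", "Pet was pounded.")
```

With the endpoint fixed this way, the avatar URL regex becomes defence in depth rather than the only thing standing between an image tag and a pounded pet.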
 