Arielek

Everything posted by Arielek

  1. Even without links this is a fantastic tool for phishing attacks. I could even cover the whole website if I wanted, a big no-no. The more convincing I am able to make the attack, the bigger the security issue becomes. One thing I am 100% confident of is that user-generated content should never, ever be able to spoof actual website elements. I am only a frontend developer, but any security researcher would agree after seeing the screenshot. Arguing about whether this is an issue (it is) would take more time than just fixing it.
  2. Hello. Using fixed positioning it is possible to create an HTML cache description in such a way that we are able to display convincing official-looking popups/headers. If you place the code below in a cache description, then the website will display a popup message. With proper styling it would look like an official message from the website and could fool many users. It is clear to me that the website already does some HTML cleaning and some checks (even in real time in the browser), but I do believe it still needs some improvements. User-provided HTML 100% should never be able to do this.

     <div style="position:fixed;z-index:99999;left:calc(50vw - 335px);top:calc(50vh - 335px);">
       <div style="background-color:white;border-radius:20px;box-shadow:2px 2px 2px gray;width:650px;font-size:20px;height:calc(30vh);border:3px solid #02874d;display:flex;align-items:center;justify-content:center;">
         <a href="https://google.com/" style="color:black;">Free Premium! Click now!</a>
       </div>
     </div>
  3. Hello. I've been a premium user myself for a long time, but I've met a geocaching buddy and she refuses to buy premium, because her money is very tight. I would be very happy if I could get a free month premium trial for her as a surprise, since she's very into the hobby. Giving her money for the premium would be awkward. Thanks!
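The overlay reported in post 2 above works because user-supplied inline CSS (position:fixed plus a large z-index) lets a cache description escape its own box and sit on top of the site's real UI. The block below is an added example, not the forum's or the website's own sanitizer code, showing what a server-side check for that has to do: scan every style attribute in a user-supplied HTML fragment, flag the declarations that take an element out of normal flow, and strip them while keeping harmless styling. The function names, the property list and the regex-based attribute scan are assumptions made for this illustration; a production sanitizer should work on a parsed DOM with an allowlist of properties rather than on a regex, and the sample fragment is the one from the post.

```javascript
// Added illustration (not geocaching.com's own sanitizer): flag and strip
// the inline-CSS declarations that let user HTML overlay the host page.
// Regex-based so it runs stand-alone in Node; a real sanitizer should
// operate on a parsed DOM with a property allowlist instead.

// position values that take an element out of normal flow
const OUT_OF_FLOW_POSITIONS = new Set(["fixed", "sticky", "absolute"]);
// properties that only matter for stacking/offsetting an out-of-flow element
const OVERLAY_PROPERTIES = new Set(["z-index", "top", "left", "right", "bottom", "inset"]);

// Matches a style attribute in either quote style; group 2 / group 3 hold the value.
const STYLE_ATTR_RE = /\sstyle\s*=\s*("([^"]*)"|'([^']*)')/gi;

// Split a style attribute value into [property, value] pairs (property lower-cased).
function parseDeclarations(style) {
  return style
    .split(";")
    .map((d) => d.trim())
    .filter((d) => d.length > 0)
    .map((d) => {
      const idx = d.indexOf(":");
      return idx < 0 ? null : [d.slice(0, idx).trim().toLowerCase(), d.slice(idx + 1).trim()];
    })
    .filter((pair) => pair !== null);
}

// True when one declaration can move the element over the page's own UI.
function isOverlayDeclaration(prop, value) {
  if (prop === "position") return OUT_OF_FLOW_POSITIONS.has(value.toLowerCase());
  return OVERLAY_PROPERTIES.has(prop);
}

// Declarations in one style string that would let the element overlay the page.
function findOverlayDeclarations(style) {
  return parseDeclarations(style).filter(([prop, value]) => isOverlayDeclaration(prop, value));
}

// Detection: list every flagged declaration ("property: value") in a fragment,
// e.g. to reject the submission or log it for review.
function detectOverlay(html) {
  const flagged = [];
  for (const m of html.matchAll(STYLE_ATTR_RE)) {
    const style = m[2] !== undefined ? m[2] : m[3];
    for (const [prop, value] of findOverlayDeclarations(style)) {
      flagged.push(`${prop}: ${value}`);
    }
  }
  return flagged;
}

// Mitigation: rewrite every style attribute so only in-flow styling survives;
// an attribute left with no declarations is dropped entirely.
function neutralizeOverlay(html) {
  return html.replace(STYLE_ATTR_RE, (match, quoted, dq, sq) => {
    const style = dq !== undefined ? dq : sq;
    const kept = parseDeclarations(style).filter(([prop, value]) => !isOverlayDeclaration(prop, value));
    if (kept.length === 0) return "";
    return ` style="${kept.map(([prop, value]) => `${prop}:${value}`).join(";")}"`;
  });
}

// Sample input: the fragment from the post above, as a constructed test case.
const SAMPLE =
  '<div style="position:fixed;z-index:99999;left:calc(50vw - 335px);top:calc(50vh - 335px);">' +
  '<div style="background-color:white;border-radius:20px;box-shadow:2px 2px 2px gray;width:650px;font-size:20px;height:calc(30vh);border:3px solid #02874d;display:flex;align-items:center;justify-content:center;">' +
  '<a href="https://google.com/" style="color:black;">Free Premium! Click now!</a>' +
  "</div></div>";

console.log("flagged:", detectOverlay(SAMPLE));
console.log("cleaned:", neutralizeOverlay(SAMPLE));
```

Run it with `node overlay-check.js`; the flagged list shows the four declarations that make the popup float over the page, and the cleaned fragment keeps the colours, border and sizing but renders inline within the cache description like any other content. The offset properties are stripped even without an out-of-flow position because they do nothing in normal flow, so dropping them loses nothing legitimate.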