XSS hole in [acronym] tag
Brought to you by:
swerkema
The default parameter in [acronym] allows the user to escape the current tag and input whatever HTML content he desires, as the acronym tag doesn't have any allow rule and doesn't do any formatting/escaping on it, exposing the site to an XSS attack.
Usage:
[acronym="><script>alert('hello');</script>[/acronym]
Fix:
Replace {$_default} with {$_default/h} in the rule in nbbc_lib.php (line 198), and/or allow only word characters to be used there via the allow parameter. I would also add 'content' => BBCODE_REQUIRED, as I see no benefit in allowing acronym tags without content.
Edit: I couldn't figure out how to add a post, but edit was allowed...
I think this is fixed in 1.4.5.
Last edit: Anonymous 2014-08-23
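The three changes proposed in the report (the /h modifier on the default parameter, an allow regex, and 'content' => BBCODE_REQUIRED) combined into one replacement rule, as an added example that is not the reporter's or NBBC's own code. It assumes the combined nbbc.php is on the include path, that AddRule() replaces the built-in rule of the same name, that the 'allow' array is keyed by parameter name with '_default' for the default parameter, and that /^[\w ]+$/ is an acceptable definition of "word characters" for a site's acronym expansions; the payload and benign input are constructed here for the check.

```php
<?php
// Added example, not NBBC's own code: a hardened [acronym] rule built from the
// report's suggestions, plus a check that runs the reported payload through it.
// Assumes nbbc.php is on the include path and that AddRule() overrides the
// built-in 'acronym' rule.
require_once 'nbbc.php';

function make_hardened_parser(): BBCode {
    $bbcode = new BBCode();
    $bbcode->AddRule('acronym', array(
        'mode'     => BBCODE_MODE_ENHANCED,
        // /h passes the title through htmlspecialchars(), so a quote in the
        // parameter can no longer close the title="" attribute.
        'template' => '<acronym title="{$_default/h}">{$_content/v}</acronym>',
        'class'    => 'inline',
        'allow_in' => array('listitem', 'block', 'columns', 'inline', 'link'),
        // Only letters, digits, underscore and spaces are accepted as the
        // expansion (assumed regex; widen it if expansions need punctuation).
        // A parameter that fails the pattern is not rendered as HTML.
        'allow'    => array('_default' => '/^[\w ]+$/'),
        // Refuse [acronym]...[/acronym] with nothing inside.
        'content'  => BBCODE_REQUIRED,
    ));
    return $bbcode;
}

// True when the rendered HTML contains no raw <script> element.
function renders_without_script(BBCode $bbcode, string $input): bool {
    return stripos($bbcode->Parse($input), '<script') === false;
}

$bbcode = make_hardened_parser();

// Payload from the report, constructed here as a literal string.
$payload = '[acronym="><script>alert(\'hello\');</script>[/acronym]';
// Legitimate use, which must still render as an <acronym> element.
$benign  = '[acronym="Cross Site Scripting"]XSS[/acronym]';

echo "payload blocked: ", renders_without_script($bbcode, $payload) ? 'yes' : 'no', "\n";
echo "benign output:   ", $bbcode->Parse($benign), "\n";
```

The /h modifier alone closes the attribute-injection hole; the allow regex is belt-and-braces and also rejects expansions that were never going to be valid acronyms, so check it against the expansions your users actually write before deploying it.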