Today, "thanks" to comment spam I received, I discovered that one can just post comments on linux.com containing JavaScript. The programmer who allowed for such a security hole should be very, very ashamed. At first I couldn't believe my eyes, but a very simple test showed me that it was indeed the case: at the time of writing anybody can post JavaScript on Linux.com via their comment system. Of course I contacted linux.com via email as soon as I discovered this issue.
The above screendump shows the source of a comment I posted. It contains a very simple piece of JavaScript which redirects the browser to example.com. Because the script element is added to the HTML of the page on Linux.com without any post-processing, anybody can add JavaScript via the comment system, JavaScript that could be far more harmful than this small example.
The above screendump shows how the comment appears on Linux.com.
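To illustrate the flaw described above, here is an added example (not code from this post or from linux.com): the verbatim rendering the post describes is shown next to an escaped rendering, together with a check a moderation queue could run over stored comments. The sample comment, the function names and the markup template are assumptions, with the comment standing in for the redirect script in the screendump.

```javascript
// Added example, not linux.com's code. The flaw in the post: comment text is
// inserted into the page HTML verbatim, so a <script> element survives intact.

// Constructed sample comment standing in for the redirect script in the post.
const SAMPLE_COMMENT =
  'Nice article! <script>window.location = "https://example.com/";</script>';

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// The vulnerable pattern: untrusted author and body concatenated straight
// into the page markup, exactly what the screendump shows.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b><p>${body}</p></div>`;
}

// The fix: every untrusted value is escaped before it reaches the markup, so
// the browser renders the script as visible text instead of executing it.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b><p>${escapeHtml(body)}</p></div>`;
}

// Server-side check for a moderation queue or a log audit: does the stored
// text contain constructs a browser would execute if inserted as raw HTML?
function hasActiveContent(html) {
  return /<\s*script\b/i.test(html)       // script elements
    || /\son\w+\s*=/i.test(html)          // inline event handler attributes
    || /javascript\s*:/i.test(html);      // javascript: URLs
}

module.exports = { SAMPLE_COMMENT, escapeHtml, renderCommentUnsafe, renderCommentSafe, hasActiveContent };
```

Running `hasActiveContent` over the unsafe rendering flags the sample comment, while the escaped rendering passes because the script tag has become inert text.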