ID: 64956
 
Resolved
Fixed
BYOND Version: N/A (Website Bug)
Operating System: Linux
Web Browser: Firefox 3.0.8
Status: Resolved (web)

This issue has been resolved.
URL: http://www.byond.com/*/forum/?action=message_compose&parent=*&forum=*

Descriptive Problem Summary: I noticed, while tracking down a problem in my GreaseMonkey script, that the hidden input named author does not have quotes around the key. It's the following line, provided in the HTML source when someone replies to someone else's forum post:
<input type=hidden name=author value=Mr. X>

This is an error because it is plaintext, and when there is a space, browsers assume it is going onto the next HTML value. Although there are no current exploits using it, it is entirely probable that it could happen, but I'm not sure what sort of restraints a key has on it to prevent these exploits. At the very least, however, it's broken HTML.

Expected Results: The hidden input field when replying to a post involving the original poster's key would have that key value quoted, to prevent abuse and have properly formatted HTML.

Actual Results: The key is left unquoted, allowing for possible abuse, or broken HTML.

Does the problem occur:
Every time? Or how often? Whenever a user tries to reply to a post
On other computers? Yes
In other user accounts? Yes
With other browsers? Yes

Under what circumstances does the problem NOT occur?

Workarounds: None known/needed
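
The parsing behaviour described in the report, as an added example that is not part of the original report or of BYOND's site code: it tokenizes the unquoted line with Python's standard `html.parser` and compares it with a quoted, escaped rendering. The function names and the key containing quote characters are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser


class InputAttrs(HTMLParser):
    """Collects the attribute list of every <input> start tag."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(attrs)


def parse_inputs(markup):
    parser = InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.inputs


def render_unquoted(key):
    # Same shape as the line quoted in the report: the key is pasted in bare.
    return "<input type=hidden name=author value=%s>" % key


def render_quoted(key):
    # Quote the attribute and escape &, <, > and both quote characters.
    return '<input type="hidden" name="author" value="%s">' % escape(key, quote=True)


def submitted_author(markup):
    """The value the form would carry for the author field."""
    return dict(parse_inputs(markup)[0]).get("value")


def stray_attributes(markup):
    """Attribute names the template never intended to emit."""
    expected = {"type", "name", "value"}
    return [name for name, _ in parse_inputs(markup)[0] if name not in expected]


if __name__ == "__main__":
    # "Mr. X" is the key from the report; the second key is constructed.
    for key in ("Mr. X", 'Mr. "X"'):
        for render in (render_unquoted, render_quoted):
            html = render(key)
            print(html, submitted_author(html), stray_attributes(html))
```

With the unquoted template the value ends at the first space, so the rest of the key is tokenized as a separate attribute; the quoted, escaped form round-trips the key intact.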