February 13th, 2020 at 6:32 PM
Haha, you made my day by NOT reporting that as a bug. People used to complain that it wouldn’t let JavaScript be posted in announcements. I went out of my way to make sure it didn’t. Incidentally, the MyBB ACP is full of security holes (I’ve seen several SQL injections out in plain code), but it’s the ACP. If someone can access the ACP, you’re already screwed.
If you absolutely need JavaScript, you have to explicitly declare a different template with the [@template:] tag, and then it just loads the raw template (which could have whatever you want in it) and runs with it. You can add templates anyway from the ACP, so this is more of an advanced mode feature than it is a security issue. It’s there, for people who wanna do crazy things with it and who want to get a little more creative.
There was technically little reason to really sanitize anything from the ACP because any function that is loaded by the ACP at all kicks you out if you aren’t logged in as an admin. But I felt it was lazy to not sanitize anyway.