First off, I'm going to be honest and say I'm not one of those brilliant Brilliant users (probably bottom 10%). I am new to JS, web design, HTML, PHP, JQ, and all the noob basics. To me, Brilliant is one of those giant imperialist CSS tanks that are flawless. I see you people out there making all sorts of witchcraft and inventing calculus. However, I've searched the archived posts and see none regarding this issue, if it even is an issue.
So I sent a message to Brilliant support asking about this issue about a month ago without anybody answering. I waited a month to see if anybody would bring it up and embarrass themselves. I've got to be delicate here; I could just be making a fuss about nothing because there's no doubt that the staff here know what they're doing, yet I still want to know if certain fields on the website (search bar and problem headings) are open to rudimentary non-persistent or reflected cross-site scripting (XSS). It may even be open to persistent, but I scanned the terms and agreements and it would be impossible to check for that or SQL injections without violating my legal agreement. Another reason I'm reluctant to bring this up out in the open is because some other users might recognize that a form is open and put in their malicious JS to potentially steal cookies, variables, phish, log keystrokes, redirect (dangerous), or forge requests, which would be terrible if Brilliant fell to evil chickens or something. But I want this to come into the view of an admin, because if just one crazy 6th grader gets on and finds this, he/she might have been stealing cookies from users years back without anybody noticing.
Still, I could be wrong as normal, because XSS is pretty much the number 1 most popular attack vector, followed by SQL and XSRF. I do believe that it is just a mistake; I've tested on my own website (with permissions from myself) and found it is remarkably easy to forget just once to sanitize the HTML field. Plus, this happened to many giants in the past years such as Facebook, Edmodo, Google, Myspace (remember the Samy worm?), so could Brilliant evade a growing flaw before someone exploits it?
Hey, I'm pretty sure half of you nerds already found this and pfsh lol spock, nothing is gonna happen. But if I am wrong, please tell me how. I'm new to web flaws, so give me a shout in the description so at least I know I'm not yelling into the darkness; I'll update if I forgot to mention something. Also, I intend no harm to the Brilliant company; I love this website, 'tis of thee, viva la brilliante, don't get mad at me.
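The "forget just once to sanitize the HTML field" point above is the whole story of reflected XSS, so here is an added example (not code from the post, and not Brilliant's code) showing the same search heading rendered with and without output encoding. The `escapeHtml` helper, the two `renderSearchHeading*` functions, the `containsUnexpectedTag` check and the sample query strings are all assumed/constructed for illustration.

```javascript
// Added example, not from the original post or from Brilliant.
// All query strings below are constructed sample values.

// Minimal HTML entity encoder for text placed in an element body or a
// double-quoted attribute. This is the step that is "easy to forget once".
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable version: the user's query is concatenated straight into markup,
// so any tag in the query is parsed by the browser as part of the page.
function renderSearchHeadingUnsafe(query) {
  return "<h2>Results for: " + query + "</h2>";
}

// Hardened version: characters with HTML meaning are encoded first, so the
// query is displayed as text no matter what it contains.
function renderSearchHeadingSafe(query) {
  return "<h2>Results for: " + escapeHtml(query) + "</h2>";
}

// Crude unit-test guard for this element-body context: does the fragment
// contain any tag other than the fixed <h2> wrapper? Returns true if so.
function containsUnexpectedTag(html) {
  const inner = html.replace(/^<h2>/, "").replace(/<\/h2>$/, "");
  return /<[a-zA-Z\/!]/.test(inner);
}

// Run both renderers over sample queries and report which one leaks markup.
function auditRenderers(queries) {
  return queries.map((q) => ({
    query: q,
    unsafeLeaksMarkup: containsUnexpectedTag(renderSearchHeadingUnsafe(q)),
    safeLeaksMarkup: containsUnexpectedTag(renderSearchHeadingSafe(q)),
  }));
}

// Constructed sample inputs: one ordinary search, one textbook probe string.
const SAMPLE_QUERIES = ["integral of x^2", "<script>alert(1)</script>"];

console.log(auditRenderers(SAMPLE_QUERIES));
```

In a real app the encoding must match the context (element text, attribute value, URL, or inline script each need different rules), which is why auto-escaping template engines are preferred over hand-written concatenation; `escapeHtml` here covers only the element-body and quoted-attribute cases.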