@bogus This has been fixed in latest master, thanks!

Should be fixed on master, thanks for reporting.

It's exactly how it's working! And you still can render it by name like 'categories' without extension.

thanks!

@baris said: For future reference please send security issues you find to [email protected]. Hope I won't

Hello! I believe I've found security problem while reading the source. Everyone, including Evil Hacker, can send 'meta.rooms.enter' through websocket with any payload. It is as easy as open browser developers console. So. Suppose Bob want to attack Alice. Prerequisite: Alice reading forum topic number 111 alongside with no more than 10 (AFAIR) other users. Attack: Bob sends 'meta.room.enter' with special payload. Example: { enter: 'topic_111', username: 'Evil Hacker', userslug: 'evil-hacker', picture: 'https://secure.gravatar.com/avatar/22947111265b6570f10db18be78259a7?size=128&default=identicon&rating=pg" onload="alert(\'Watch your back, bro!\');' } Result: Bobs code is executed in Alices browser. I've tried it on my local machine with NodeBB from master. What do you think about?