1337101: What are you talking about? This is not pyspades' fault (and I'm not going to get into how 'hard' it is to download a zip file and extract it).

In any case, this is a major bug from Ben's side, and we can't do anything before he fixes it.

It least it has drawn attention. Not everyone has NoScript installed, and yes, this is a server side problem not a problem with pyspades. ALL user input should be sanitised. Rule #1

It's not PySpades fault you know. There is no filtering of server names on the site so anything goes.

And you can't blame something just because you don't know how to use it. It's like you're mad at your bike because you don't know how to ride it.

Whoever that ugly person is in the links now, I hope we can get rid of him soon... this is ridiculous.

Frankly, I'd love an update that made PySpades stop working entirely. It's hard-to-use and frequently abused. Lexsym's ServerBot system is far superior, as are vanilla servers.

This is true. I thought Ben knew something about web development, and that he would escape the server name, but apparently not :( There's not much we (the pyspades developers) can do apart from uploading a new win32 build that escapes it automatically, but the old build is still out, so wait for Ben to fix it.

See thread "what the holy" (why do people posting about this not post useful thread titles?). Also, you could mail Ben (I already did) and the pyspades developers, instead of announcing to the entire world how to do the exploit.

Arbitrary javascript can be executed on the 'Play' page of the site by editing the server name in pyspades ie;

in config file change server name to "<script>alert('oo');</script>"

This could be exploited further.