Cities: Skylines wishlist entry pops up "1" and can cause the browser to crash.

"a","alert(1)"] 23 hrs. ago manifest_pw
"></img src=x onerror=alert(1)/>

Yay.

Hmm. Dangerous stuff. Input not properly checked/encoded.

Maybe you should have posted a screenshot instead...

You've been nasty :D

Well, the wishlist is in beta. :-P

I just someone has alerted The Blue Ones?

Wow, this is a really nasty bug. If someone wanted to be evil (which you always have to assume), it would easily be possible to steal people's session information and possibly login information, without anyone noticing.

I clicked your link to see and it crashed my Chrome and I lost all my tabs. Thanks for that.

Can anyone confirm this? I am not so sure this is true.

Agreed. Although a big "DON'T VISIT THE WISHLIST FOR THE LOVE OF GOD DON'T DO IT SOMETHING'S SERIOUSLY WRONG THERE!!!" probably would have been even better. Oh well, at least if my account gets hijacked now I know why. Because of tfishell. :P

Just to explain a little bit: The thing is, once you are able to insert arbitrary JavaScript code into a website (which obviously is the case here), you can execute that code with the permissions the user's webbrowser grants the scripts on that page (the browser simply cannot distinguish that malicious code from normal code used by the website), which means, the script has access to all data available to to it immediately through the global JavaScript context, as well as through any AJAX script or any website URL on that same host. So the script could possibly (and this is very likely as there does not seem to be a validation of that change through a confirmation email) even change your own password without you knowing it.

Adding more atmosphere:
https://youtu.be/31Zo-NK1p-g?t=136
Сan you be safe if you use Galaxy only?

Guys, guys, it's all fine. I'm sure if there was a problem Gog would have informed us!

Or maybe on the contrary, huh. Moreover they could not know about it.