Hacker News new | past | comments | ask | show | jobs | submit login

This is not called XSS.

This is just user generated html on subdomains.

Github does the same on github.io. Everybody can make a theirname.github.io page and alert whatever they like too.

So does Gitlab on yourname.gitlab.io, Wordpress on yourname.wordpress.com etc. It is a common practice.


That's only an issue if this is possible for comments. The current behavior is working as intended I'd say.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact