Just letting you know I'm undoing the changes I did earlier, I had no intention of leaving it up for any prolonged length of time. Yes, I was the guy who "hacked" some of the older posts. I just really wanted to show people how old and vulnerable the site really is.

I'm well aware that the admins know about the issues in the site, even within the past couple of months they added Cloudflare WAF to the post search page to protect users and even slayerduck has said the site needs replacing. But the lack of urgency to fix the problems, especially when users are at risk isn't tolerable. In doing this in such a public manner I hope they'll be more urgent in addressing the problems. Sorry if I caused you admins any stress; don't worry, I'm not out to hurt you.

I care about this site, I really do. I just want to feel safe when using it. Maybe there was a better way to do this, if there was I don't know how, but it is what it is. I'm not gonna disappear, I'll send in bug reports, I hope it'll get better from here.

Note to Users:

None of your data was compromised, if you viewed the posts.
Although, if someone was malicious they could have stolen your account easily.
The script just that changes the post's image to a rickroll and creates that popup box.

Here's the script that was loaded:
setTimeout(() => { image.src = `rr.noordstar.me/static/rick.gif`}, 2000); setTimeout(() => {alert(`Inform the site owner, that they should use a more secure booru: pastebin.com/66KaEV1x`)}, 6000);

My my what a scallywag

We're doing our best, but the sheer age of the site and lack of maintenance of the current codec is proving to be extremely annoying to attempts to move to a better codec.

The better way to do this whole thing was to just not fucking injecting code into posts, and instead sending a DM to an admin with potential solutions to the problem of our outdated codec making a move to an actually maintained codec easier. We get that the site is insecure as fuck, and we get that you're trying to help, but doing your white-hat hacking with script injection does not help and is not appreciated.

We have a contact email right on the front page, injecting trash and vandalizing the site sources on 100's of post show absolutely no intent of helping or caring about the site what so ever. The correct way would be to take a single post, exploit it as a proof of concept then use our contact email. Literately nobody wants this, you accomplished nothing but vandalized a 7 year old software/abandon ware niche site. We will keep this post up as a record of this interaction. The XSS injection can lead to session theft (not password) and thus we will block any changes until further notice. Expect days.

P.S You don't know what you're taking about as CF free version don't even have a WAF. Thanks

EDIT: post/view sources no longer have XSS so i'll undo the block until more problems are found.