Okay, I've narrowed it down to this:
- Sending the following text does not trigger anything:
<input onclick="new();" /><input onclick="new();" />
- Nor does this:
<input onclick="getElementById()" />
- Neither does this:
<input onclick="document.getElementById" />
- But if you take example #3 and add an opening bracket (resulting in ...ById("...), the XSS Auditor is triggered.
- But this surprisingly works again, although it is valid JavaScript and thus as malicious as everything else:
<input onclick="document.getElementById ()" />
Go try it yourself.
Conclusion: it's not about phpBB's preview onsubmit handler, it's about the payload you submit.