Conversation
@minti Oh god please tell me this thing you just did isn't what I think it is. Please tell me they're not that stupid.
Sunday, 02-Sep-12 20:09:48 UTC from web
@ceruleanspark Yep, I just did what you think I did and yes they are that stupid.
Sunday, 02-Sep-12 20:10:23 UTC from web
@ceruleanspark HTML?
Sunday, 02-Sep-12 20:10:32 UTC from web
@omni ...............
Sunday, 02-Sep-12 20:11:52 UTC from web
@omni It allows you to configure a local StatusNet instance to allow you to post arbitrary HTML, and then lets you federate posts containing that arbitrary HTML to instances that otherwise wouldn't allow it. If he'd wanted to, he could have inlined some zero-day browser exploit.
Sunday, 02-Sep-12 20:11:57 UTC from web
@ceruleanspark To be fair, it DOES do some sanitization. Not sure what, but it strips out CSS and script tags.
Sunday, 02-Sep-12 20:13:28 UTC from web
@minti If it doesn't strip iframe tags it's all for naught though, as you can just include your arbitrary script within the frame.
Sunday, 02-Sep-12 20:13:56 UTC from web
@ceruleanspark Red was messing with iframes earlier. I'm not sure if they work, didn't check. Brb checking.
Sunday, 02-Sep-12 20:15:05 UTC from web
@minti Also try the infamous youtube double-script tag. Y'know the one that 4chan found.
Sunday, 02-Sep-12 20:15:42 UTC from web
@ceruleanspark Never heard of that one.
Sunday, 02-Sep-12 20:16:58 UTC from web
@minti Youtube only sanitised the first script-tag, so if you did <script> <script> it'd allow you to post arbitrary JS in youtube comments. You can only imagine the field day /b/ had.
Sunday, 02-Sep-12 20:17:51 UTC from web
@ceruleanspark Oh my god xD
Sunday, 02-Sep-12 20:18:20 UTC from web
@minti And then someone realised the script operates under the google security context and started jacking auth cookies.
Sunday, 02-Sep-12 20:18:49 UTC from web
@ceruleanspark Stuff like that makes me afraid to even try web development. How long until they find an issue with my code that allows them to take over everything?
Sunday, 02-Sep-12 20:19:38 UTC from web
@omni That's one of the biggest issues with web development education in the world today. They're quite happy to teach you how to make stuff, and make it pretty, but at no point do even university classes touch on security. Even basic things like input sanitising and parameterised queries I had to learn myself.
Sunday, 02-Sep-12 20:23:41 UTC from web
@ceruleanspark That's... disappointing...
Sunday, 02-Sep-12 20:24:29 UTC from web
@omni Yeah. I feel like the education is about 10 years behind the field itself. That said, my previous employer had a login form on their website that collapsed in the face of the SQL injection examples from wikipedia, so there are plenty of web developers out there charging money for a service they don't really know how to provide.
Sunday, 02-Sep-12 20:26:32 UTC from web
@ceruleanspark And then there are people like me, with only intuitive knowledge, who make things work by tying them with wire, and everyone with real knowledge and experience facepalms x30 when they see the results!
Sunday, 02-Sep-12 20:28:44 UTC from web
@ceruleanspark Oh dear...
Sunday, 02-Sep-12 20:14:34 UTC from web
@ceruleanspark It's worse unfederated. You can embed music in notices. And iframes. D:
Sunday, 02-Sep-12 20:17:11 UTC from web
@redenchilada Music in notices sounds pretty cool. Auto-playing music in notices sounds pretty damn awful.
Sunday, 02-Sep-12 20:17:59 UTC from web
@pyravia or it's aroused
Sunday, 02-Sep-12 20:11:23 UTC from web
@widget Repeated a notice off-site with raw html in the rendered version. The raw HTML is shown on this side when repeated.
Sunday, 02-Sep-12 20:12:05 UTC from web
@pyravia YOU WOULD
@pyravia same.
Sunday, 02-Sep-12 20:14:20 UTC from web
@widget @minti I feel like the way to get it patched as high priority would be to inline goatse and have a bunch of people repost it into Evan what's-his-face's feed.
Sunday, 02-Sep-12 20:15:07 UTC from web
@ceruleanspark Just tried it, iframes don't work.
Sunday, 02-Sep-12 20:16:19 UTC from web
@minti You just tried to inline goatse on Evan's feed? That's evil :(
Sunday, 02-Sep-12 20:21:14 UTC from web
@omni No, I tried to inline Google. Don't give me ideas. :D
Sunday, 02-Sep-12 20:22:23 UTC from web
@minti Hey, it was @ceruleanspark's idea :(
Sunday, 02-Sep-12 20:23:02 UTC from web
@minti Inline lolshock.
Sunday, 02-Sep-12 20:23:28 UTC from web
@widget It gets things done.
Sunday, 02-Sep-12 20:24:29 UTC from web