-
HI RDN
-
-
@minti Oh god please tell me this thing you just did isn't what I think it is. Please tell me they're not that stupid.
-
@ceruleanspark Yep, I just did what you think I did and yes they are that stupid.
-
@ceruleanspark HTML?
-
@pyravia or it's aroused
-
@omni ...............
-
@omni It allows you to configure a local statusnet instance to allow you to post arbitrary html, and then lets you federate posts containing that arbitrary HTML to instances that otherwise wouldn't allow it. If he'd wanted to, he could have inlined some zero day browser exploit.
-
@widget Repeated a notice off-site with raw html in the rendered version. The raw HTML is shown on this side when repeated.
-
@ceruleanspark To be fair, it DOES do some sanitization. Not sure what, but it strips out CSS and script tags.
-
@pyravia YOU WOULD
-
@minti if it doesn't strip iframe tags it's all for naught though, as you can just include your arbitrary script within the frame.
-
@pyravia same.
-
@ceruleanspark Oh dear...
-
@ceruleanspark Red was messing with iframes earlier. I'm not sure if they work, didn't check. Brb checking.
-
@minti Also try the infamous youtube double-script tag. Y'know the one that 4chan found.
-
@ceruleanspark Just tried it, iframes don't work.
-
@ceruleanspark Never heard of that one.
-
@ceruleanspark It's worse unfederated. You can embed music in notices. And iframes. D:
-
@minti Youtube only sanitised the first script-tag, so if you did <script> <script> it'd allow you to post arbitrary JS in youtube comments. You can only imagine the field day /b/ had.
-
@redenchilada Music in notices sounds pretty cool. Auto-playing music in notices sounds pretty damn awful.
-
@ceruleanspark Oh my god xD
-
@minti And then someone realised the script operates under the google security context and started jacking auth cookies.
-
@ceruleanspark Stuff like that makes me afraid to even try web development. How long until they find an issue with my code that allows them to take over everything?
-
@minti You just tried to inline goatse on Evan's feed? That's evil :(
-
@omni No, I tried to inline Google. Don't give me ideas. :D
-
@minti Hey, it was @ceruleanspark 's idea :(
-
@minti Inline lolshock.
-
@omni That's one of the biggest issues with web development education in the world today. They're quite happy to teach you how to make stuff, and make it pretty, but at no point do even university classes touch on security. Even basic things like input sanitising and parametrized queries I had to learn myself.
-
@widget It gets things done.
-
@ceruleanspark That's... disappointing...
-
@omni Yeah. I feel like the education is about 10 years behind the field itself. That said, my previous employer had a login form on their website that collapsed in the face of the SQL injection examples from Wikipedia, so there are plenty of web developers out there charging money for a service they don't really know how to provide.
-
@ceruleanspark And then there are people like me, with only intuitive knowledge, who make things work by tying them with wire, and everyone with real knowledge and experience facepalm x30 when they see the results!