Dumbbox Hooks?


  • Trolleybus Mechanic

    Does DumbBox raise any events client-side after it's done rendering?

    I'd like to attach a JavaScript event to that (the same way NodeBB raises action:posts_loaded and shit like that).



  • @Lorne-Kates iframely is completely server-side. If whitelisted third party websites do stupid things, that's not something I can control.


  • kills Dumbledore

    @ben_lubar said in Dumbbox Hooks?:

    If whitelisted third party websites do stupid things

    like receiving a request for every keystroke someone makes in a browser text box that happens to have a link to the site included in it? Yeah, stupid third party websites


  • FoxDev

    @ben_lubar said in Dumbbox Hooks?:

    @Lorne-Kates iframely is completely server-side. If whitelisted third party websites do stupid things, that's not something I can control.

    so what you're saying is we need to set the list of whitelisted sites to ""?


  • Trolleybus Mechanic

    @ben_lubar said in Dumbbox Hooks?:

    @Lorne-Kates iframely is completely server-side. If whitelisted third party websites do stupid things, that's not something I can control.

    How can it be completely server-side?

    Maybe I'm just thinking of the Twitter dumbbox?

    If I post this: https://twitter.com/RiffTrax/status/792048288841080832

    It will hit the client as this: https://twitter.com/RiffTrax/status/792048288841080832

    And then something client-side happens and it becomes this:

    https://twitter.com/RiffTrax/status/792048288841080832



  • @Lorne-Kates this is the rendered content of the post:

    <p><a class="plugin-mentions-a" href="https://what.thedailywtf.com/uid/1">@ben_lubar</a> said in <a href="/post/1026381">Dumbbox Hooks?</a>:</p>
    <blockquote>
    <p><a class="plugin-mentions-a" href="https://what.thedailywtf.com/uid/21">@Lorne-Kates</a> iframely is completely server-side. If whitelisted third party websites do stupid things, that&#39;s not something I can control.</p>
    </blockquote>
    <p>How can it be completely server-side?</p>
    <p>Maybe I&#39;m just thinking of the Twitter dumbbox?</p>
    <p>If I post this: <a href="https://twitter.com/RiffTrax/status/792048288841080832" rel="nofollow">https://twitter.com/RiffTrax/status/792048288841080832</a></p>
    <p>It will hit the client as this: <a href="https://twitter.com/RiffTrax/status/792048288841080832" rel="nofollow">https://twitter.com/RiffTrax/status/792048288841080832</a></p>
    <p>And then something client-side happens and it becomes this:</p>
    <div class="iframely-link">
    
    	
    
    	<div class="iframely-container">
    		<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Our deal of the week is the Mario Bros movie that never should have been made. Seeing is believing. <a href="https://t.co/859wGYP6cW">https://t.co/859wGYP6cW</a> <a href="https://t.co/RXIITh6qjs">pic.twitter.com/RXIITh6qjs</a></p>&mdash; RiffTrax (@RiffTrax) <a href="https://twitter.com/RiffTrax/status/792048288841080832">October 28, 2016</a></blockquote>
    <script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>
    	</div>
    </div>
    

    Which is from Twitter's oEmbed API:

    {"url":"https:\/\/twitter.com\/RiffTrax\/status\/792048288841080832","author_name":"RiffTrax","author_url":"https:\/\/twitter.com\/RiffTrax","html":"\u003Cblockquote class=\"twitter-tweet\"\u003E\u003Cp lang=\"en\" dir=\"ltr\"\u003EOur deal of the week is the Mario Bros movie that never should have been made. Seeing is believing. \u003Ca href=\"https:\/\/t.co\/859wGYP6cW\"\u003Ehttps:\/\/t.co\/859wGYP6cW\u003C\/a\u003E \u003Ca href=\"https:\/\/t.co\/RXIITh6qjs\"\u003Epic.twitter.com\/RXIITh6qjs\u003C\/a\u003E\u003C\/p\u003E&mdash; RiffTrax (@RiffTrax) \u003Ca href=\"https:\/\/twitter.com\/RiffTrax\/status\/792048288841080832\"\u003EOctober 28, 2016\u003C\/a\u003E\u003C\/blockquote\u003E\n\u003Cscript async src=\"\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"\u003E\u003C\/script\u003E","width":550,"height":null,"type":"rich","cache_age":"3153600000","provider_name":"Twitter","provider_url":"https:\/\/twitter.com","version":"1.0"}
    

  • FoxDev

    @ben_lubar said in Dumbbox Hooks?:

    @Lorne-Kates this is the rendered content of the post:

    <p><a class="plugin-mentions-a" href="https://what.thedailywtf.com/uid/1">@ben_lubar</a> said in <a href="/post/1026381">Dumbbox Hooks?</a>:</p>
    <blockquote>
    <p><a class="plugin-mentions-a" href="https://what.thedailywtf.com/uid/21">@Lorne-Kates</a> iframely is completely server-side. If whitelisted third party websites do stupid things, that&#39;s not something I can control.</p>
    </blockquote>
    <p>How can it be completely server-side?</p>
    <p>Maybe I&#39;m just thinking of the Twitter dumbbox?</p>
    <p>If I post this: <a href="https://twitter.com/RiffTrax/status/792048288841080832" rel="nofollow">https://twitter.com/RiffTrax/status/792048288841080832</a></p>
    <p>It will hit the client as this: <a href="https://twitter.com/RiffTrax/status/792048288841080832" rel="nofollow">https://twitter.com/RiffTrax/status/792048288841080832</a></p>
    <p>And then something client-side happens and it becomes this:</p>
    <div class="iframely-link">
    
    	
    
    	<div class="iframely-container">
    		<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Our deal of the week is the Mario Bros movie that never should have been made. Seeing is believing. <a href="https://t.co/859wGYP6cW">https://t.co/859wGYP6cW</a> <a href="https://t.co/RXIITh6qjs">pic.twitter.com/RXIITh6qjs</a></p>&mdash; RiffTrax (@RiffTrax) <a href="https://twitter.com/RiffTrax/status/792048288841080832">October 28, 2016</a></blockquote>
    <script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>
    	</div>
    </div>
    

    Which is from Twitter's oEmbed API:

    {"url":"https:\/\/twitter.com\/RiffTrax\/status\/792048288841080832","author_name":"RiffTrax","author_url":"https:\/\/twitter.com\/RiffTrax","html":"\u003Cblockquote class=\"twitter-tweet\"\u003E\u003Cp lang=\"en\" dir=\"ltr\"\u003EOur deal of the week is the Mario Bros movie that never should have been made. Seeing is believing. \u003Ca href=\"https:\/\/t.co\/859wGYP6cW\"\u003Ehttps:\/\/t.co\/859wGYP6cW\u003C\/a\u003E \u003Ca href=\"https:\/\/t.co\/RXIITh6qjs\"\u003Epic.twitter.com\/RXIITh6qjs\u003C\/a\u003E\u003C\/p\u003E&mdash; RiffTrax (@RiffTrax) \u003Ca href=\"https:\/\/twitter.com\/RiffTrax\/status\/792048288841080832\"\u003EOctober 28, 2016\u003C\/a\u003E\u003C\/blockquote\u003E\n\u003Cscript async src=\"\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"\u003E\u003C\/script\u003E","width":550,"height":null,"type":"rich","cache_age":"3153600000","provider_name":"Twitter","provider_url":"https:\/\/twitter.com","version":"1.0"}
    

    so...... the solution is to dewhitelist twitter.

    got it.

    also why the absolute fuck is that embedded directly into the page rather than being sandboxed in a onebox?

    that's just ASKING for someone to do a trivial XSS attack against you.



  • @accalia said in Dumbbox Hooks?:

    that's just ASKING for someone to do a trivial XSS attack against you.

    Yeah, just trivially get whitelisted by iframely on the same level that Twitter is, or trivially inject malicious code into Twitter's CDN.

    You know, trivial stuff.


  • FoxDev

    @ben_lubar said in Dumbbox Hooks?:

    just trivially get whitelisted by iframely o

    i've seen the default iframely whitelist.

    believe me, crafting an XSS based on that whitelist is trivial.

    and twitter's had successful XSS attacks before.


  • Considered Harmful

    @accalia said in Dumbbox Hooks?:

    @ben_lubar said in Dumbbox Hooks?:

    just trivially get whitelisted by iframely o

    i've seen the default iframely whitelist.

    believe me, crafting an XSS based on that whitelist is trivial.

    and twitter's had successful XSS attacks before.

    The best way to get banned your bug fixed is to post a proof-of-concept, preferably an annoying or disruptive one.

    I got jsfiddle blacklisted but quick.


    Filed under: If I XSS myself into being a moderator, can I keep it?


  • Trolleybus Mechanic

    @error said in Dumbbox Hooks?:

    If I XSS myself into being a moderator, can I keep it?

    Yes, but since mods don't do anything, you can't either. =)


  • Trolleybus Mechanic

    @ben_lubar said in Dumbbox Hooks?:

    Yeah, just trivially get whitelisted by iframely on the same level that Twitter is, or trivially inject malicious code into Twitter's CDN.

    Wasn't Youtube whitelisted on DickHoressss?


  • FoxDev

    @Lorne-Kates said in Dumbbox Hooks?:

    @ben_lubar said in Dumbbox Hooks?:

    Yeah, just trivially get whitelisted by iframely on the same level that Twitter is, or trivially inject malicious code into Twitter's CDN.

    Wasn't Youtube whitelisted on DickHoressss?

    yep. and we found an XSS vulnerability there too.


  • Notification Spam Recipient

    @accalia said in Dumbbox Hooks?:

    @Lorne-Kates said in Dumbbox Hooks?:

    @ben_lubar said in Dumbbox Hooks?:

    Yeah, just trivially get whitelisted by iframely on the same level that Twitter is, or trivially inject malicious code into Twitter's CDN.

    Wasn't Youtube whitelisted on DickHoressss?

    yep. and we found an XSS vulnerability there too.

    Unsanitized title string, right?


  • FoxDev

    @Tsaukpaetra said in Dumbbox Hooks?:

    @accalia said in Dumbbox Hooks?:

    @Lorne-Kates said in Dumbbox Hooks?:

    @ben_lubar said in Dumbbox Hooks?:

    Yeah, just trivially get whitelisted by iframely on the same level that Twitter is, or trivially inject malicious code into Twitter's CDN.

    Wasn't Youtube whitelisted on DickHoressss?

    yep. and we found an XSS vulnerability there too.

    Unsanitized title string, right?

    indeed.
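
Added example, not part of any post in this thread and not NodeBB or iframely code: one way to render an oEmbed response so that neither the provider's `html` (the sandboxing point raised earlier) nor its `title` (the unsanitized title string just mentioned) is ever parsed as markup in the forum's own origin. The function names, the allowlist and the chosen sandbox flags are assumptions, the sample response is constructed, and whether a given provider's widget still works under these flags is not tested here.

```javascript
// Hypothetical site policy: providers whose rich embeds may be shown at all.
const ALLOWED_PROVIDERS = ["twitter.com"];

// Escape text for HTML element content or a double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// True only for https URLs on an allowlisted host or a subdomain of one.
function providerAllowed(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  if (u.protocol !== "https:") return false;
  const host = u.hostname.toLowerCase();
  return ALLOWED_PROVIDERS.some((d) => host === d || host.endsWith("." + d));
}

// Build post markup from an oEmbed response without trusting any of its fields.
function renderEmbed(oembed) {
  const label = escapeHtml(oembed.title || oembed.url);
  // Unknown provider or non-https scheme: inert text only, no link, no frame.
  if (!providerAllowed(oembed.url)) return `<span class="embed-blocked">${label}</span>`;
  const link = `<a href="${escapeHtml(oembed.url)}" rel="nofollow">${label}</a>`;
  if (oembed.type !== "rich" || typeof oembed.html !== "string") return link;
  // The provider markup goes into srcdoc, never into the page itself. Without
  // allow-same-origin the frame runs in an opaque origin, so its scripts cannot
  // read the forum's DOM, cookies or storage.
  return link +
    `<iframe sandbox="allow-scripts allow-popups" srcdoc="${escapeHtml(oembed.html)}"` +
    ` width="${Number(oembed.width) || 550}" loading="lazy"></iframe>`;
}

// Constructed sample: a "rich" response whose title and html both carry script.
const SAMPLE = {
  type: "rich",
  url: "https://twitter.com/example/status/1",
  title: "<script>alert(1)</script>",
  html: '<blockquote class="twitter-tweet">hi</blockquote><script src="//platform.twitter.com/widgets.js"></script>',
  width: 550,
};

console.log(renderEmbed(SAMPLE));
```

The caller still has to insert the returned string as-is; running it through a second unescaping step would undo the isolation.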


  • Trolleybus Mechanic

    @accalia said in Dumbbox Hooks?:

    @Lorne-Kates said in Dumbbox Hooks?:

    @ben_lubar said in Dumbbox Hooks?:

    Yeah, just trivially get whitelisted by iframely on the same level that Twitter is, or trivially inject malicious code into Twitter's CDN.

    Wasn't Youtube whitelisted on DickHoressss?

    yep. and we found an XSS vulnerability there too.

    That's my point.


  • FoxDev

    @Lorne-Kates said in Dumbbox Hooks?:

    @accalia said in Dumbbox Hooks?:

    @Lorne-Kates said in Dumbbox Hooks?:

    @ben_lubar said in Dumbbox Hooks?:

    Yeah, just trivially get whitelisted by iframely on the same level that Twitter is, or trivially inject malicious code into Twitter's CDN.

    Wasn't Youtube whitelisted on DickHoressss?

    yep. and we found an XSS vulnerability there too.

    That's my point.

    mine too actually

