HTML tag abuse thread
-
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bb[omitted]
Indeed. <kbd> is special.
-
Don't fucking tell me that the only way to change a password on Dicsoares is to send a reset email!
Really? Really Dicsoares?
-
Users shouldn't be trusted with resetting passwords?
-
Actually, I can see that it might have one advantage - it helps make sure you can't accidentally lock yourself out of an account with a dead email address.
-
Don't fucking tell me that the only way to change a password on Dicsoares is to send a reset email!
Changing passwords is a barrier to Discursing.
-
Is there anything that isn't?
-
-
Why would this not be a Firefox issue then?
-
I'm not saying FF is blameless, I'm just saying that Dickcorpse is partially responsible for being fucktarded.
-
-
Also maybe it was one of the issues fixed
No. I'm running Nightly (head of trunk basically,) and I still got affected by the nesting.
-
No. I'm running Nightly (head of trunk basically,) and I still got affected by the nesting.
Too old. Discord was designed for the next 10 years. Come back, one year.
-
Is this really Discourse WTF, or Firefox WTF?
-
There's enough WTF to go around
-
Not having any trouble with the keyboard nesting. Was there supposed to happening a thingens?
-
It kills FF with extreme prejudice. And when I say kills, I mean force close the process level kills.
-
But nothing happened to my browser. So either that post was neutered, or I haven't scrolled by it yet.
-
Option 3: this thread isn't the FFX Killer.
If so, I'd love to know which thread so I can not visit it.
-
Oh. Scrolled up. PJH neutered it with some custom CSS.
-
Let's try something.
I started a div.and closed it.
-
Start:
in the div</div
-
Ok, a last one:
</body > And after that?
-
-
<wbr><a href="<wbr>#" onclick="jav<wbr>asc<wbr>ript:a<wbr>lert('hi'<wbr>);ret<wbr>urn fals<wbr>e; onMouseOver="javascript:alert('hi');return false;">H<wbr>ello, wo<wbr>rld<wbr><wbr>
-
I'm not even remotely stupid enough to click that.
-
Nice. But no. Maybe if I quote it:
<wbr><a href="<wbr>#" onclick="jav<wbr>asc<wbr>ript:a<wbr>lert('hi'<wbr>);ret<wbr>urn fals<wbr>e;">H<wbr>ello, wo<wbr>rld<wbr></a><wbr>
Nope, even worse.
-
<wbr><a href="<wbr>#" onclick="jav<wbr>asc<wbr>ript:a<wbr>lert('hi'<wbr>);ret<wbr>urn fals<wbr>e; onMouseOver="javascript:alert('hi');return false;">H<wbr>ello, wo<wbr>rld<wbr></a><wbr>
-
I feel like this has some potential.
-
Did you try the Unicode equivalent?
-
<a href="#" onclick="javascript:aert('hi');return false; onMouseOver="javascript:alert('hi');return false;">Hello, world
-
No
-
This has an embedded .HTA program. I think there's potential here too.
This is an innocent looking .ico file:
Image Icon + HTA app
Image Icon + HTA app2
Image Icon + HTA app3
Image PNG + HTA app4
-
Do *.ico files not get pulled across via the discourse uploader?
-
From my testing, JS checks for extension. Server-side they do some more checking. PNG, JPEG and BMP only, IIRC.
-
The .hta provides this:
Resource interpreted as Image but transferred with MIME type application/hta: "http://www.charlatanshanty.com/iconapp.hta". vendor-fdf4444d98a0627432020170af1cc95b.js:9
HTA app is currently this:
<HTML>
<HEAD>
  <HTA:APPLICATION ID="oHTA" APPLICATIONNAME="myApp" ICON="http://charlatanshanty.com/icon.ico">
  <script type="text/javascript">
    function show() { alert("show alert"); }
  </script>
</head>
<body onload="show()">
</body>
</html>
Using random icon file and this command:
copy /b bowser.png+copyfrom.hta iconapp.png
-
@pjh
Do *.ico files not get pulled across via the discourse uploader?
Pass. I'll dig tomorrow...
-
Image Icon + HTA app
Image Icon + HTA app2
Image Icon + HTA app3
Image PNG + HTA app4
<img @system
-
It's more a statement of fact, the *.png was uploaded locally to TDWTF, but the *.ico's are still referencing my remote host.
-
Consistent inconsistency, +1 yadda yadda
-
<a class="mention" title=onmouseover="(function(){ alert('XSS!'); }" @systern
-
-
Heh, Title works in class="mention"
-
Nice systern redirect to system, it shows a white on green s then switches to system user.
-
Glorious
-
-
<a href="#" onclick="jav<wbr>ascript:alert('hi');return false;">Hello, world</a>
Nope, didn't work. Opened a new tab, but no alert box appeared.
-
I'm not even remotely stupid enough to click that.
Reply to the post, quote it, check the code, then click on that.
-
So it looks like the title a href using the mention class actually cascades down to the image class, causing the image to have an alt text title of whatever the title is in the a href.
Calling @Maciejasjmj, @Onyx, @Arantor, and @darkmatter for potential abuses of this information! Spin to win!
-
-
So it looks like the title a href using the mention class actually cascades down to the image class, causing the image to have an alt text title of whatever the title is in the a href.
<p><a title="This title cascades to the image title"><img src="http://www.charlatanshanty.com/iconapp.hta"></a></p>
Not really; hyperlinks can also have titles. So can image-hyperlinks, which you've made.