You can't post this for some reason.
-
Try posting a post containing the thing inside the following codeblock:
<hr/> http://upload.wikimedia.org/wikipedia/commons/e/e6/Ludwig_van_Beethoven_-_symphony_no._5_in_c_minor%2C_op._67_-_i._allegro_con_brio.ogg
It will fail.
-
It doesn't like the hr
http://upload.wikimedia.org/wikipedia/commons/e/e6/Ludwig_van_Beethoven_-_symphony_no._5_in_c_minor%2C_op.67-_i._allegro_con_brio.ogg
-
http://www.google.comEDIT: interesting. It works without the <hr/>, or with a different URL.
-
That.
However, only XHTML hr's break stuff to unpostability, it seems.
-
http://upload.wikimedia.org/wikipedia/commons/e/e6/Ludwig_van_Beethoven_-_symphony_no._5_in_c_minor%2C_op._67_-_i._allegro_con_brio.ogg
-
"HTML" hr's only break the onebox.
-
http://upload.wikimedia.org/wikipedia/commons/e/e6/Ludwig_van_Beethoven_-_symphony_no._5_in_c_minor%2C_op.67-_i._allegro_con_brio.ogg
-
And markdown's work.
-
EDIT: interesting. It works without the <hr/>, or with a different URL.
Not all URLs. I originally encountered this with a different audio file from a different site.
-
http://upload.wikimedia.org/wikipedia/commons/e/e6/Ludwig_van_Beethoven_-_symphony_no._5_in_c_minor%2C_op.67-_i._allegro_con_brio.ogg
Yup, newlines...
-
Do you remember which? Maybe they have something in common.
-
One is ogg, one is mp3.
One is hosted on tumblr, one on wikipedia.The tumblr one only had alphanums+underscore in the URL.
-
http://sonic.wikia.com/wiki/Sally_Acorn
Huh… something weird's going on…
-
<hr/> http://sonic.wikia.com/wiki/Amy_Rose
I literally cannot post that as a post!
-
When did Doctor Robotnik become Eggman?
-
When did Doctor Robotnik become Eggman?
1991.
The Robotnik name was coined for the US and European markets; in Japan, he's always been Eggman
And in the games, the Robotnik name was dropped completely in 1998 (apart from a brief return in Sonic Generations).
-
I remember a long time ago that I mentioned having to switch how I was posting Filed Under due to MarkBBML messing it up. The big thing about it was it wouldn't handle things under an <hr> unless there was text immediately before it.
Yup, with text right above the <hr>, it shows up fine, though if you add a line between the <hr> and the link, the spacing changes. Or it would if I didn't get a server error when trying to post it:
That wouldn't post.
-
---
http://upload.wikimedia.org/wikipedia/commons/e/e6/Ludwig_van_Beethoven_-_symphony_no._5_in_c_minor%2C_op.67-_i._allegro_con_brio.oggAnyone else notice the reply box got shoved over?
-
No?
-
... that looks ... scary.
My fullname is
I ♥ <hr/>
currently ...
-
-
-
http://what.thedailywtf.com/t/php-perl-python-how-three-scripting-languages-starting-with-p-fucked-up-their-respective-releases/48342/68
-
<br/>
works,<hr/>
does not. Because.
-
Nope.
-
That's completely
<
>
ified, so.... how that happened I have no clue. Unless @yamikuronue is doing something client side?
-
How is that even...
Maybe streamed in post vs loaded post? No, that makes no sense either, those are old posts... Maybe if you change it while it's loaded? But I don't think that matches the timing either, does it?
Standard web dev fallback and blame it on IE?
-
-
Get a more secure browser. Now.
Filed under: [HOLY FUCK](#tag)
-
Unless @yamikuronue is doing something client side?
Nope. Chrome 42 on Windows 7. Still running that PM userscript but nothing else.
-
-
Yeah, bunches.
Enabled, I have
- AddThis
- Avast Online Security
- Bug Magnet
- Chromoji
- DHC
- Emojify (no, I have no idea why or how I ended up with two emoji plugins)
- LastPass
- Smile Always
- Solitare
- Tampermonkey
- YSlow
-
Can you inspect element @aliceif's long-name and see what the actual HTML is?
-
Hmm...I got a notification but no popup. What exactly did you do, @Yamikuronue to get the popup?
-
I saw I had notifications, so I came here. I got a popup, so, knowing someone did something, I screenshotted before dismissing. I then got a few more, so I clicked the "don't allow this page to create additional dialogs", assuming someone had put a loop of some kind. I then posted the screenshot and caught up on the thread.
A full refresh has not brought them back.
-
Can you screenshot one of @aliceif's posts?
-
-
so....
-
Bug Magnet
You don't want that on Discourse, we get plenty already
In any case, something weird there... disable plugins and see what happens? Maybe just open an incognito tab to this topic since it's not restricted?
-
I suspect one of the emoji plugins
-
That setting will be enabled until I restart the browser. Dammit. That's why i'm not getting them anymore.
Incognito mode go...
-
Holy crap, it's the emoji plugin?
This sounds tweetdeck-y
-
I'm going to buttume so... I think it sees the ♥ then... somehow replaces the <>s with acutal
<>
s?Filed Under: Guys, I think we just XSS'd something that's not Discourse
-
We could check the source when we figure out which one it is, I guess.
I'd buttume it grabs the entire content of the "emoji" parent element, replaces the bit it needs and then injects everything back? That's the first thing that makes sense off the top of my head.
-
Yup, I installed that add-on in chrome, went to this thread and alert()s happened!
-
OK, got it to come back.
Now with Incognito...
So it's one of my extensions.
Disabling emojify....
With emojify but not chromoji:
;
-
Chrome 42
It's not Chrome's fault; I don't get that issue, and I'm on Chrome 42.
@Onyx said:Holy crap, it's the emoji plugin?
Seems that way…
-
That's... Glorious.
-
Agreed, this is fun. Why do you people find this shit when I have work to do?
Now I want to check the source of that thing, but no time...
-
I've nominated @aliceif for an XSS badger...
http://what.thedailywtf.com/t/in-which-aliceif-finds-an-xss-exploit-in-a-chrome-plugin/48392