Usercard broken on crafted @mention
-
Continuing the discussion from Post count bug:
@racperouk doesn't seem to mind.
<a class="mention" href="/users/raceprouk">@racperouk</a> doesn't seem to mind.
as you can see here i crafted the mention link to have the right link, but the wrong visible text.
I was hoping that the user card would still work and that @raceprouk would get the notification.
wrong on both counts!
rather than getting the username from the link the user card JS seems to get it from the tag contents!
-
-
Genuine bug, or simply misusing the software? ;)
-
@accalia seems to just be screwing with us.
-
@accalia seems to just be screwing with us.
you've seen my usercard, no?
i think the about me line sums me up pretty well:
In wuv with @RaceProUK
[spoiler]wait. wrong line....sorry: Not necessarily evil, but most definitely mischievous[/spoiler]
-
Well, that is a little odd.
-
huh..... never noticed that before.....
does it happen any time @accalia is mentioned?
EDIT: nope. not that time it didn't
EDIT2: oh. now i see what you did there.
-
huh..... never noticed that before.....
The code snippet Maciej posted? Or something else?
EDIT2: oh. now i see what you did there.
[spoiler]It looks like he tried to insert you into me[/spoiler]
-
[spoiler]
It looks like he tried to insert you into me
[/spoiler]
-
@accalia, check raw.
-
i did..... rather later than i should have, but i did eventually.
-
<a class="mention" href="/users/raceprouk">@­accalia</a>
Well this is funny (note the link at the bottom).
-
It looks like he tried to insert you into me
Seems you just ended up on top of her instead.
-
-
no mention notification but you managed to escape the post box again.
-
Now let's see what happens when I stick a poll in that HTML:
- [/poll]
looks like the answer is "nothing interesting"
- [/poll]
-
I believe this is because we reported crafted mentions as a potential abuse vector sometime last summer. As a result, some weird sanitization gets done on the crafted mentions. In other words, it's our fault. You can probably find some remnants of this in T-1000.
-
Nevermind, got better details after some testing.
Seems that there's a difference in the HTML. It looks like the problem is probably that the span in the crafted mention is capturing the click and the resulting processing is based on the text in the span instead of the href attribute of the anchor.
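
The check this post points at, as an added Python example that is not part of the original thread and is not Discourse's code: take the identity from the anchor's href and flag mentions whose visible text disagrees with it or hides characters. The markup shape follows the anchor quoted in the thread, the ASCII-only username rule is an assumption, and the sample anchors are constructed.

```python
import unicodedata
from html.parser import HTMLParser

def classify(href_user, shown):
    reasons = []
    # Format characters (category Cf), e.g. U+00AD soft hyphen, render as nothing.
    if any(unicodedata.category(c) == "Cf" for c in shown):
        reasons.append("invisible-char")
    cleaned = "".join(c for c in shown if unicodedata.category(c) != "Cf")
    if not cleaned.isascii():  # assumption: usernames are ASCII-only
        reasons.append("non-ascii")
    if cleaned.lstrip("@").lower() != href_user:
        reasons.append("text-href-mismatch")
    return reasons

class MentionAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (href_user, visible_text, reasons)
        self._user, self._text = None, []  # _user is set inside a mention anchor
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "mention" in (a.get("class") or "").split():
            # Identity comes from the href, never from the tag contents.
            self._user = (a.get("href") or "").rstrip("/").rsplit("/", 1)[-1].lower()
            self._text = []
    def handle_data(self, data):
        if self._user is not None:  # also collects text of a nested <span>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._user is not None:
            shown = "".join(self._text)
            reasons = classify(self._user, shown)
            if reasons:
                self.findings.append((self._user, shown, reasons))
            self._user = None

def audit(html):
    parser = MentionAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample input modelled on the markup quoted in the thread.
SAMPLE = (
    '<a class="mention" href="/users/accalia">@accalia</a> '
    '<a class="mention" href="/users/raceprouk">@racperouk</a> '
    '<a class="mention" href="/users/raceprouk">@\u00adaccalia</a> '
    '<a class="mention" href="/users/accalia"><span>@\u0430ccalia</span></a>'
)
```

Calling `audit(SAMPLE)` returns one finding per suspicious anchor and nothing for the first, well-formed mention.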
-
I believe this is because we reported crafted mentions as a potential abuse vector sometime last summer.
So now we can craft a mention that links to one profile, shows the usercard of another, and displays as the third.
Isn't that right, @ассаӏіаPJH?
Filed under: wtb better text hiding techniques
-
Even better, click this bit (apologies for the really crude arrow):
-
-
-
Does [omitted] work without a mention?
It works in preview.
-
FSVO of better:
Discourse default:
Unsure, and CBA to figure out, what's different in TDWTF default/Widescreen.