HTML tag abuse thread
-
Chrome 33 is discontinued apparently. http://en.wikipedia.org/wiki/Google_Chrome#Release_history
I suspect they discontinued it when they discovered that not all Discourse exploits worked correctly.
-
Time to reload page/clear css edits....
-
-
Clearly just a bug with the nested css's on that spinner I guess.
I altered all anchor tags to be spinners in css but only like 80% of the links spun, a lot of links stayed right where they were.
-
-
Who wants to take bets on how long it will be before the next such issue is found?
-
My bet is, based on the previous ones, before I get to work tomorrow morning.
So within the next 11 hrs. ( < 0800UTC)
-
You'd think by now that we as a community would be running out of ways to break Discourse.
-
You'd think by now that we as a community would be running out of ways to break Discourse.
How do you break that which never worked properly?
-
By breaking it into smaller bits. There's always smithereenies to blow into more smithereenies.
-
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
Get to work. I did most of the 'stock' types already in that earlier post.
-
You're assuming that I can actually be bothered. Criticising Discourse is easier and more fun for me than trying to actively break it; I do enough of that with software I actually care about.
-
That's pretty much why I stopped with the last set. Then Macie stole my badge:(
-
What can I say, slow day at work.
Oh, by the way...
A tempting attack vector on a forum with public edit history - implant your exploit, change your post to "wait, scratch that", compelling people to check out your edit to see what stupid thing you've said, and bingo, the rebake doesn't touch your XSS.
-
Of note, the double quote work around doesn't work as it only shows the first quote level in edit history.
Bug or feature?
Edit, Keith stop changing your avatar. I keep thinking you're a new person
-
to check out your edit to see what stupid thing you've said, and bingo, the rebake doesn't touch your XSS.
You can't see other people's edits with current wtdwtf settings.
However, they need to fix that for other people's forums
-
Edit, Keith stop changing your avatar. I keep thinking you're a new person
Would you like me to revert to the creeper, the bo-bomb, or purple and brown?
-
Green creeper
-
Green creeper
Yay, the old @Keith is back
Filed under: I don't know who that new Keith was, but he wasn't as funny as you man...
-
Yay, the old @Keith is back
I'm worried that I've become pigeon-holed and won't be able to get any serious forum work.
-
won't be able to get any serious forum work
Bah, who needs a serious forum when you've got this place
Filed under: I mean like seriously
-
The santa hat really sells it
-
Here
I've created some blocks and a tool to merge them with.
All your changes have to be using the following recipes:
Mud + Stone = }
Wood + Stone = <>
and so on.
Happy coding.
-
How to stall a stupid forum troll?
Next post...
-
Comment Loading....
-
-
Testing... Does this notify?
<a @tufty
I would imagine yes, because the @ breaks the html. But you can't notify yourself.
-
<a title="@tufty Quote reply mine, and be amazed.
The baked post and the preview post show different things.
-
OK. what I was getting at is that I can use the "in a tag" approach to get something that ordinarily wouldn't @tag to <a @tag, and I was wondering if it would provide a nifty back-end attack (on the grounds that the notification is generated in-system and thus likely to be less sanitised - so providing an <a @little_bobby_tables tagging attack)
-
Arantor or darkmatter (can't remember which) have quote bombs lying around that look normal but when quoted tag people. I would focus on the image parser if you are looking for a server side attack.
-
[spoiler]<a @tufty [/spoiler]
-
Meh, remote code execution is passé.
I want to fuck up the database structurally. Make an actual infinite topic :)
But fuck that for the moment. Time for bed.
-
Given Discourse's attitude that might not even be impossible.
-
OK. what I was getting at is that I can use the "in a tag" approach
I've been doing the <a @eff_you</a> fake tag thing for days now.
<a href="http://somehackerwebsite.com" @eff_you
-
[spoiler]<a @Arantor @darkmatter [/spoiler]
-
So, to counterhelp duplicate all this madness:
// Navigate to the raw version of a post in the current topic
function viewRaw(postID) {
  var topicID = window.location.pathname.slice(0, window.location.pathname.lastIndexOf('/'));
  topicID = topicID.slice((topicID.lastIndexOf('/') + 1));
  document.location.href = 'http://what.thedailywtf.com/raw/' + topicID + '/' + postID;
}
// Put a "view raw" button in front of each post's action buttons
$('.fa-link').each(function(index) {
  var postID = $(this).closest('button').attr('data-post-number');
  $(this).closest('.actions').prepend('<button onclick="viewRaw(' + postID + ')"><i class="fa fa-code"></i></button>')
});
Anyone have any ideas on how to trigger this without killing the poor browser?
-
My JS-fu is not working today, but could you amend the $('.fa-link')... section to also add a '#' + postID to show the postID like #293 or maybe even as #1269:293 by sticking topicID in there too?
-
Possibly sleepiness, but I don't see what you're trying to achieve with that? You mean just for display purposes? Currently it adds a code icon in front of the like icon that takes you to raw version of the post. Should make it open in new tab though.
-
Possibly sleepiness,
Possible "didn't speak clearly" :) Yah, just for display purposes. In front of the code icon, would WFM...
I sometimes hand code the [quotes] stuff 'cause ya' know Discsores… And being able to see that info would be sweet.
-
Yeah... I like that.
var topicID = null;
// Parse the topic ID out of the URL once and cache it
function getTopicID() {
  if(topicID === null) {
    topicID = window.location.pathname.slice(0, window.location.pathname.lastIndexOf('/'));
    topicID = topicID.slice((topicID.lastIndexOf('/') + 1));
  }
  return topicID;
}
// Open the raw version of a post in a new window / tab
function viewRaw(topicID, postID) {
  window.open('http://what.thedailywtf.com/raw/' + topicID + '/' + postID, '_blank');
}
// Put a "#topic:post" raw-view button in front of each post's action buttons
$('.fa-link').each(function(index) {
  var postID = $(this).closest('button').attr('data-post-number');
  var topicID = getTopicID();
  $(this).closest('.actions').prepend('<button onclick="viewRaw(' + topicID + ', ' + postID + ')">#' + topicID + ':' + postID + ' <i class="fa fa-code"></i></button>')
});
Formatting is a subject to change. Also, opening in new window / tab now, depending on your browser settings.
Now if I could only figure out if there's an event I can catch when new posts get loaded into DOM that's not too taxing on the browser...
Edit: Changed to use a global var. Yes, I know, evil, but avoids string parsing for every element. Also, JS is evil in itself anyway.
Incidentally, I tried setting it to undefined instead of null (tired, 1AM...), the error was amusing: ReferenceError: undefinded is not defined
Yes, FF, I agree. Well done.
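
An added example, not part of the original post or of the forum's own code: a MutationObserver handles only nodes as they are inserted, and each button is built with DOM calls from validated numeric IDs rather than a concatenated onclick string. The function names are hypothetical; the selectors and raw URL are the ones used in the posts above, and the `/t/slug/topic/post` path shape is an assumption.

```javascript
// Added example; function names are hypothetical, the raw URL and the
// .fa-link / .actions / data-post-number selectors come from the posts above.
const RAW_BASE = 'http://what.thedailywtf.com/raw/';
const DIGITS = /^\d+$/;

// Same slicing as the posted snippet (second-to-last path segment), but the
// result is rejected unless it is purely numeric.
function topicIdFromPath(pathname) {
  const parts = pathname.split('/');
  const id = parts.length >= 2 ? parts[parts.length - 2] : '';
  return DIGITS.test(id) ? id : null;
}

// Build the raw-post URL only from validated numeric IDs.
function rawUrl(topicID, postID) {
  if (!DIGITS.test(String(topicID)) || !DIGITS.test(String(postID))) return null;
  return RAW_BASE + topicID + '/' + postID;
}

// Add one button per post under `root`, skipping posts already handled.
function addRawButtons(root, topicID) {
  let added = 0;
  root.querySelectorAll('.fa-link').forEach(function (icon) {
    const share = icon.closest('button');
    const actions = icon.closest('.actions');
    const url = share && rawUrl(topicID, share.getAttribute('data-post-number'));
    if (!actions || !url || actions.querySelector('[data-raw-link]')) return;
    const btn = document.createElement('button');
    btn.setAttribute('data-raw-link', '');
    btn.textContent = '#' + topicID + ':' + share.getAttribute('data-post-number');
    btn.addEventListener('click', function () { window.open(url, '_blank', 'noopener'); });
    actions.prepend(btn);
    added++;
  });
  return added;
}

// Browser only: handle posts as they are inserted instead of polling the page.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const topicID = topicIdFromPath(window.location.pathname);
  addRawButtons(document, topicID);
  new MutationObserver(function (mutations) {
    for (const m of mutations) {
      m.addedNodes.forEach(function (n) {
        if (n.nodeType === 1) addRawButtons(n, topicID);
      });
    }
  }).observe(document.body, { childList: true, subtree: true });
}
```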
-
Unable to currently like…because…, have set reminder :)
Edit: Done!
-
Click the timestamp or the share button. There's already the post number in there.
-
Because that's obvious
-
Where would you expect to find the text "share a link to post #%d"?
-
Well done for misinterpreting what I was getting at.
I would expect the share a link to post x to be the share icon. I would, however, expect the 'post x' information to be visible without having to click anything, but this is clearly a barrier to informed discourse.
-
I would, however, expect the 'post x' information to be visible without having to click anything
Does any forum software do that? I've never seen it.
-
Click the timestamp or the share button. There's already the post number in there.
That's soooo totally not the point. When composing a post why should I stop typing, mouse all over the fucking place going clicky-clicky-click?
-
Does any forum software do that? I've never seen it.
In partial form? Yes.
Meanwhile, this whole pile of is a huge monument to "Does any forum software do that? I've never seen it.".
So one more item, that makes you go "WTF??" ‽
-
In partial form? Yes.
Is that a VB forum running on PHP?
"We like Microsoft programming languages, but not enough to use them in production."
-
Yes specifically geared to VBA in fact.
Now, I use VBA a lot. But I understand if it makes some people woozy: