WTF Bites
-
Really? An XSS vulnerability in the example code on the MSDN website?
I expect this shit from StackOverflow or w3fools, but I expected better from Microsoft.
What have you done to your poor font antialiasing?
Also, yes.
-
@sloosecannon said in WTF Bites:
Really? An XSS vulnerability in the example code on the MSDN website?
I expect this shit from StackOverflow or w3fools, but I expected better from Microsoft.
What have you done to your poor font antialiasing?
Also, yes.
Disabled ClearType because of performance for Remote Desktop/Citrix.
-
@cartman82 http://lwn.net/Articles/706585/
Microsoft joins The Linux Foundation
Yup. Now
should find someone else to bully. Oh I forgot, he will be mad about why Microsoft did not join the GNU Hurd foundation. Oh wait, there is no such foundation, and there won't be in our lifetime or the age of the universe
-
@Tsaukpaetra said in WTF Bites:
it still fails in hilarious ways with perfectly valid data sets.
I contend if it's a perfectly valid data set, it wouldn't fail, because it's valid.
<movie_name_here> is a perfectly valid movie name, and yet the script chokes on it.
You know what else is a perfectly valid movie name, and the script won't choke on it?
' onhover='javascript:doEvil();
Filed under: as Discourse taught us
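As an added illustration (not code from any post in this thread), here is the difference between splicing a movie title into an HTML attribute and escaping it first, using the payload quoted above as the title; the function names and the small attribute lister are constructed for this example.

```javascript
// Added example (not code from any post in this thread): a movie title
// placed into an HTML attribute by concatenation versus by escaping.
// Titles, function names and the tiny attribute parser are constructed here.

// Escape the characters that can break out of text or quoted-attribute context.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable rendering: the title is spliced straight into a single-quoted attribute.
function renderMovieUnsafe(title) {
  return "<li data-title='" + title + "'>" + title + "</li>";
}

// Hardened rendering: every interpolation point goes through escapeHtml.
function renderMovieSafe(title) {
  const t = escapeHtml(title);
  return "<li data-title='" + t + "'>" + t + "</li>";
}

// Minimal attribute lister for the opening <li> tag: returns the attribute
// names a browser would see. Only handles single-quoted values, which is all
// the two templates above produce. Not a general HTML parser.
function attributeNames(html) {
  const tag = html.match(/^<li([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const re = /([\w-]+)\s*=\s*'[^']*'/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1]);
  return names;
}

// Constructed title using the payload quoted in the thread.
const evilTitle = "' onhover='javascript:doEvil();";

console.log(attributeNames(renderMovieUnsafe(evilTitle))); // the injected handler shows up as a second attribute
console.log(attributeNames(renderMovieSafe(evilTitle)));   // only data-title survives
```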
-
@ben_lubar said in WTF Bites:
Compare the length of these code snippets:
<snip>
Which one is more understandable? Which one has an XSS vulnerability? Are they the same one?
Really? Nobody? Nobody wants to wear the
today?
-
Suppose Mallory has compromised partial access to your system. She can't modify any files, but she's found an exploit that lets her insert movie records. Well, that's not much of an attack... Except for that XSS vector that lets her escalate privileges by stealing the session of an administrator. Now she has full access!
Filed under: This is taking me back to when I actually did this.
I was also able to XSS the login form of a site to silently forward entered credentials to a third-party website, and from there transparently redirect the login data back to the original site so nothing seemed amiss. Then I told an admin that I was having trouble logging in from a specific page on the site, and he naturally tried to repro my issue with his own account credentials...
*cough* I mean, my friend was able to do that stuff.
Filed under: Getting into XSRF and social engineering territory now.
, I was actually more proud of my collection of ~40 session IDs belonging to different accounts. I wrote a little GUI to pick what user I wanted to session-spoof.
-
-
@ben_lubar said in WTF Bites:
Well, considering that we have XSSed the forums on multiple occasions...
I only recall one case where XSS was demonstrated after we switched to htmlcleaner, and that was for the same reason that @index shows a number.
Still, given how hard it was for Discourse to get right...
(Because, honestly, despite all the flak we give them, the DiscoDevs are (or were, at one time), probably pretty competent. They just built a horrible, horrible, awful platform and decided to stick with it.)
-
@sloosecannon said in WTF Bites:
(Because, honestly, despite all the flak we give them, the DiscoDevs are (or were, at one time), probably pretty competent. They just built a horrible, horrible, awful platform and decided to stick with it.)
I was having a conversation earlier with a friend about how over-engineered
s tend to be much worse than under-engineered hacks. You have to be at least somewhat smart to fail that hard.
-
@sloosecannon said in WTF Bites:
(Because, honestly, despite all the flak we give them, the DiscoDevs are (or were, at one time), probably pretty competent. They just built a horrible, horrible, awful platform and decided to stick with it.)
I was having a conversation earlier with a friend about how over-engineered
s tend to be much worse than under-engineered hacks. You have to be at least somewhat smart to fail that hard.
Indeed. And I think the over-engineeredness, combined with their (or at least Jeff's) product arrogance was their real problem. They weren't willing to admit it was overengineered and instead went LALALALAIDONTHEARYOUDOINGITWRONGBANNED
-
@ben_lubar said in WTF Bites:
@ben_lubar said in WTF Bites:
Compare the length of these code snippets:
<snip>
Which one is more understandable? Which one has an XSS vulnerability? Are they the same one?
Really? Nobody? Nobody wants to wear the
today?
Um, I can't get mine off, I'll have to wait until I'm a bit more relaxed... But after then, you can wear it if you want... :D
-
@Tsaukpaetra said in WTF Bites:
you can wear it if you want
You know what, just keep it. Keep it and we'll never speak of this again.
-
Ummm? OK? Thanks for that notice, Konsole? Why do you keep telling me that nothing is happening every 10 seconds?
The notifications are configurable and silence is one of the things you can be notified about. It should only trigger when there was activity, but it stopped for some time and it is occasionally useful e.g. if you have some kind of monitoring running in the tab.
I doubt it is on by default, so you have, possibly by mistake, enabled it. Go to the settings and disable it again.
If it does come up every 10 seconds, without intermittent activity on that terminal, that would be a bug. It can be reported, you know.
-
@Tsaukpaetra said in WTF Bites:
Just for clarity, asking for a dog, but, um.... can you maybe highlight where? Do it in blue, so he can tell the difference, if you may...
-
@Tsaukpaetra said in WTF Bites:
How do we know it's an unsanitized string from the network? Especially arbitrarily sourced? Seems to me that if you're interfering with the host already, you don't need an XSS attack...
IT'S A BAD EXAMPLE OF HOW IT SHOULD BE DONE.
Oh, I seem to have turned on Caps Lock accidentally. Sorry about that.
-
@Tsaukpaetra said in WTF Bites:
Besides, if every example put out was a perfect paradigm of excellent coding, you'd lose the point of the example amidst all the extra cruft needed to make it more Production Viable. might accidentally teach best practices.
-
There's no way this will ever go wrong. Surely.
-
@cartman82 I like how they don't typeof fn === 'function'.
Filed under: { "name": "John Doh" }; // This was probably your whole point
-
@cartman82 I like how they don't typeof fn === 'function'.
- That's my code :(
- No it's not idiot me from the past. I just wrote it.
- Constructor is not the same as function.
-
Wanted to maybe go to watch some movie tonight, and ended up at the local theatres' webpage. The following story unfolds:
Let's click on tickets ("biljetter" - no, there's no English version of the page either). Mouse over "Biljetter" ... and:
Ok... Z-layers are fucked up, but whatever. Move cursor down to the second Biljetter.
:fuck:
And to add insult to injury, you can actually click on the first Biljetter (the one that opens the drop-down when hovered over), and this (presumably) takes you to the same place as the option in the drop-down.
On mobile (without adblock), the problem doesn't exist. Instead I'm greeted by a fullscreen pop-over with a tiny [x] in the top that's completely impossible to hit with a finger. Fuck them.
-
@Zecc Did someone say CSS?
-
@djls45 said in Useful error messages.:
This error apparently occurs because I don't have the Developer version of Silverlight installed:
But if I go the website listed, download the installer there, uninstall my current version because the Dev version has an earlier number, and install this downloaded Dev version; then I get this error:
Clicking
Install now
will then install the latest non-Dev version, putting me right back to the beginning. :(
And I can't find the current Dev version anywhere. So apparently the real issue with this error message was that I was trying to use IE in InPrivate browsing mode, but Silverlight can't use its Application Storage in that mode.
And Silverlight doesn't work in Chrome.
I don't have FF or Safari to test whether it works in those browsers' incognito/private browsing modes. Does that make me or M$ TRWTF?
-
Does that make me or M$ TRWTF?
Microsoft announced the end of life of Silverlight 5 in 2012. In 2013, Microsoft announced that they had ceased development of Silverlight except for patches and bugfixes. Microsoft has set the support end date for Silverlight 5 to be October 2021.[6] Silverlight is no longer supported in Google Chrome since September 2015.[7] Since Microsoft Edge does not support plugins, it also does not support Silverlight.[8]
-
@dcon So that means the website developer is TRWTF for using Silverlight.
-
There's a major software suite we use that is still based upon Silverlight in 2016. Better yet, it's not even a web application, it's a desktop application. I did a lot of Silverlight development in a past life and I don't know how you even do that.
-
@mott555 Maybe something like the Steam program, that's basically a custom browser locked to one site?
-
Better yet, it's not even a web application, it's a desktop application. I did a lot of Silverlight development in a past life and I don't know how you even do that.
There are desktop applications built with Node.js.
I guess a Silverlight desktop app isn't the worst
-
@mott555 Maybe something like the Steam program, that's basically a custom browser locked to one site?
I suppose one could do that, but you'd be far better served just using desktop .NET with WPF, of which Silverlight is a subset anyway.
-
Since Microsoft Edge does not support plugins, it also does not support Silverlight.[8]
-
-
So...my 3 yo used the phrase "fucking asshole" correctly.
... sodomy?
I can only hope she hasn't noticed when that may or may not have happened when we think she is sleeping.
-
So...my 3 yo used the phrase "fucking asshole" correctly.
... sodomy?
I can only hope she hasn't noticed when that may or may not have happened when we think she is sleeping.
:giggi--- {FBI'd!}
-
@mott555 Maybe something like the Steam program, that's basically a custom browser locked to one site?
I can one-up that: Guild Wars 2 uses embedded Google Chrome for some parts of its UI.
-
@ben_lubar You mean they use this? I think that's becoming more and more common, the wikipedia page has an (incomplete) list of places where it's used. Non-chrom{e|ium} webkit is also somewhat popular, see for example EA.
-
Upon going to a news site for a story that vaguely appeared in my FB feed, I got shown this.
I have eliminated the rest of the page because it's not relevant to the
First things first: that grey block at the bottom is the text. It's not merely masked with CSS, it's literally been replaced out with -'s and then obfuscated with CSS.
Second: 'question 1 of 3 or fewer'
does that even mean?
Third: answering the first question 'no, I'm not into sports' still makes you have to answer three questions, of which question 2 is 'how often do you watch sports' (which got a prompt answer of 'almost never') and question 3 being 'which of the following sports do you like: football, cricket, tennis, rugby, cycling or none of the above'.
-
The post previews on the forum main page contain the entire post body...it's just hidden
-
'question 1 of 3 or fewer' does that even mean?
It means that you might have to answer fewer questions depending on your answers.
-
@LB_ given that I picked the branch that should logically give me fewest questions...
-
@bb36e
indeed.
-
Upon going to a news site for a story that vaguely appeared in my FB feed, I got shown this.
I have eliminated the rest of the page because it's not relevant to the
First things first: that grey block at the bottom is the text. It's not merely masked with CSS, it's literally been replaced out with -'s and then obfuscated with CSS.
Second: 'question 1 of 3 or fewer'
does that even mean?
Third: answering the first question 'no, I'm not into sports' still makes you have to answer three questions, of which question 2 is 'how often do you watch sports' (which got a prompt answer of 'almost never') and question 3 being 'which of the following sports do you like: football, cricket, tennis, rugby, cycling or none of the above'.
Wait wait wait WAIT a second! They're stealing Google Rewards surveys?
That's what that is, a Google Rewards survey, and I'll bet they're pocketing the money from that straight out.
I guess this must be the next step in ad-walls...
-
@Tsaukpaetra I think it's a legitimate service offered by Google, I've seen some sites mention trying it out for guests.
-
I was going to post this in What is contrast, but I guess this is a more appropriate thread.
Today I noticed this new speech balloon icon on my address bar:
Here's the popup it opens (the area surrounding the three icons open the same popup, really)
Can you tell which elements below the divider are clickable and which are not?
In their defense, the only clickable element highlights on hover, but to me that word "Block" looks a lot like an actionable command; but no, it is only merely indicative of what the behaviour is now.
Even that being the case, why can't I click anywhere else on the line to toggle the permission? The only clickable element is the cross at the end, which then removes the permiss... wait, that's not right. It removes the blocking of notifications. (double negatives, woohoo!)
After removing the, uh.. memory that I am.. not.. giving it permission to notify me, I now can't turn it back on. Uh, off? Whatever. The way it was before. I guess I need to wait for the site to try notifying me again.
Filed under: what is Present Continuous
-
@Zecc What about this?
-
-
My WTF of the day:
Went out to have a look at a part of a Javascript library because the console output was garbled when using PowerShell. Dug down into the byzantine mess (couldn't simply put the file into a clean room because it pulled dependencies from all over the place - this file would be one of the poster children for arguing for Dependency Injection) and finally found a function which actually wrote to the console.
This is the beginning of the function:
_print: function(level, message) {
    var self = this;
    // We need to hide the progress bar/spinner before printing the message
    var progressDisplay = self._progressDisplay;
    progressDisplay.depaint();
Okay, so we obviously need to have a look at what progressDisplay does when it depaint()s:
// No-op progress display, that means we don't have to handle the 'no progress
// display' case
var ProgressDisplayNone = function () { };
_.extend(ProgressDisplayNone.prototype, {
    depaint: function () {
        // No-op
    },
    repaint: function () {
        // No-op
    }
});
This will take some time to figure out...
-
I can only hope she hasn't noticed when that may or may not have happened when we think she is sleeping.
Maybe you should do that in a different room.
-
@Zecc What about this?
Well the actionable controls are pretty obvious, so we definitely need to redesign that.
-
I can only hope she hasn't noticed when that may or may not have happened when we think she is sleeping.
Maybe you should do that in a different room.
Probably, but we don't have the space.
-
-
Seen when integrating a third-party Magento module...
var isServerNginx = ($("#server-nginx").length) ? $("#server-nginx").val() : 0
Why does this JavaScript need to know what webserver it's hosted on?