Since josh posted what was used for the XSS attack, I wanted to try it for myself.
I basically just copied the bbcode formatter from github and put it into a small test program.
As you can see in the video, the parser does not remove HTML in certain cases. When using [code]...[/code] tags, the text in the tag will be echoed without escaping HTML. When using the [img][/img] tag, HTML added after the first img will also be echoed.
I’m not shitting on josh since I would’ve probably made similar mistakes. I guess the lesson learned is that writing a bbcode parser from scratch requires a lot of testing before it gets deployed anywhere.
What I still don’t get is how an iframe is supposed to load html from an opus file.
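As an added illustration of the [code] case described in the post (this is not josh's formatter or the GNU social code; the `naive_format` function is a hypothetical reconstruction of the pattern, and the sample posts are constructed), the snippet below puts the escape-after-rewrite bug next to an escape-first version and a check that tells whether raw HTML leaked through:

```python
import html
import re

# Constructed sample posts (not from the original thread). The <i> tag is a
# harmless probe: if it reaches the output unescaped, raw HTML gets through.
SAMPLES = {
    "code": "[code]<i>probe</i>[/code]",
    "img": "[img]http://example.invalid/a.png[/img] <i>probe</i>",
    "bold": "x [b]y[/b] & <i>probe</i>",
}

CODE_RE = re.compile(r"\[code\](.*?)\[/code\]", re.S)
BOLD_RE = re.compile(r"\[b\](.*?)\[/b\]", re.S)
IMG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.S)


def naive_format(text: str) -> str:
    """Vulnerable pattern (hypothetical reconstruction): [code] bodies are
    copied into <pre> verbatim and only the surrounding text is escaped."""
    out, pos = [], 0
    for m in CODE_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        out.append("<pre>" + m.group(1) + "</pre>")  # raw body: XSS sink
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return BOLD_RE.sub(r"<b>\1</b>", "".join(out))


def safe_format(text: str) -> str:
    """Hardened form: escape the whole input first, then rewrite BBCode on the
    escaped text. Square brackets survive html.escape, so the tag regexes
    still match, but every user-supplied < > & " ' is already neutralised."""
    escaped = html.escape(text, quote=True)
    escaped = CODE_RE.sub(r"<pre>\1</pre>", escaped)
    escaped = BOLD_RE.sub(r"<b>\1</b>", escaped)

    def img(m):
        url = m.group(1)
        # Only plain http(s) URLs become images; anything else stays as text.
        if re.fullmatch(r"https?://[^\s\"'<>]+", url):
            return '<img src="%s">' % url
        return m.group(0)

    return IMG_RE.sub(img, escaped)


def leaks_raw_html(rendered: str) -> bool:
    """Detection check for a test suite: did the probe tag survive unescaped?"""
    return "<i>probe</i>" in rendered
```

Running `leaks_raw_html` over every formatter output for a corpus of probe posts is the kind of regression test the post says the parser was missing.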
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.