Since josh posted what was used for the xss attack I wanted to try it for myself.
I basically just copied the bbcode formatter from github and put it into a small test program.
As you can see in the video, the parser does not remove HTML in certain cases. When using [code]...[/code] tags, the text inside the tag is echoed without escaping HTML. When using the [img][/img] tag, HTML added after the first [img] is also echoed.
I’m not shitting on josh since I would’ve probably made similar mistakes. I guess the lesson learned is that writing a bbcode parser from scratch requires a lot of testing before it gets deployed anywhere.
What I still don’t get is how an iframe is supposed to load html from an opus file.
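To make the escaping problem concrete, here is a small Python BBCode-to-HTML formatter written for this thread. It is an added example, not josh's code and not the GitHub formatter the post tested. `naive_render` reproduces the failure mode described above (the [code] body is spliced into the output unescaped); `safe_render` escapes the whole post first and only then rewrites the BBCode tags, and it refuses [img] URLs that are not plain http(s) or that contain quote or angle-bracket characters. The tag set and sample posts are constructed for the example.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample posts for the example (not taken from the thread).
SAMPLE_CODE_POST = "[code]<i>not italic</i>[/code]"
SAMPLE_IMG_POST = '[img]https://example.com/a.png" title="x[/img]'

CODE_RE = re.compile(r"\[code\](.*?)\[/code\]", re.S)
IMG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.S)
SIMPLE_TAGS = {"b": "strong", "i": "em"}  # hypothetical minimal tag set


def naive_render(text: str) -> str:
    """Reproduces the bug the post describes: text outside [code] is escaped,
    but the [code] body is copied into <pre> verbatim, so any HTML inside it
    reaches the browser as markup."""
    parts, pos = [], 0
    for m in CODE_RE.finditer(text):
        parts.append(html.escape(text[pos:m.start()]))
        parts.append("<pre>" + m.group(1) + "</pre>")  # bug: raw body
        pos = m.end()
    parts.append(html.escape(text[pos:]))
    return "".join(parts)


def _safe_img(m: re.Match) -> str:
    """Turn an [img] body (already HTML-escaped) into an <img> element, or leave
    the escaped BBCode visible if the URL is not a plain http(s) URL."""
    url = html.unescape(m.group(1)).strip()
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return m.group(0)  # rejected: scheme or host missing
    if any(c in url for c in ' "\'<>'):
        return m.group(0)  # rejected: characters that could break out of src=""
    return '<img src="%s" alt="">' % html.escape(url, quote=True)


def safe_render(text: str) -> str:
    """Escape everything first, then rewrite BBCode tags on the escaped text.
    Because escaping happens before any tag is turned into HTML, no user-supplied
    '<', '>' or quote character can survive into the output as markup."""
    out = html.escape(text, quote=True)
    # [code] body is already escaped, so wrapping it in <pre> is safe.
    out = CODE_RE.sub(lambda m: "<pre>" + m.group(1) + "</pre>", out)
    for tag, elem in SIMPLE_TAGS.items():
        out = re.sub(
            r"\[%s\](.*?)\[/%s\]" % (tag, tag),
            r"<%s>\1</%s>" % (elem, elem),
            out,
            flags=re.S,
        )
    out = IMG_RE.sub(_safe_img, out)
    return out


if __name__ == "__main__":
    print("naive:", naive_render(SAMPLE_CODE_POST))
    print("safe: ", safe_render(SAMPLE_CODE_POST))
    print("safe: ", safe_render(SAMPLE_IMG_POST))
```

The ordering is the whole point: escape once, up front, and let the tag rewriting only ever produce markup the formatter itself wrote. A formatter that escapes per tag (or forgets a tag, as with [code] here) has to get every branch right, which is the kind of mistake the post is describing. This toy version does not handle nesting of [b]/[i] inside [code]; a real parser would tokenize instead of running regex passes.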