Well, everyone was warned to not try XSS, even for testing, or they would get banned by the filters.
Am I correct @MattDESTROYER?
I might have succeeded … lol
(and then got myself banned again trying to push the limits lol)
I recommend trying some RegEx like this: <\w+.*( *on\w+ *= *('|").*('|"))+.*?.*> (case insensitive as well, gmi is what I would do) to be more successful with catching XSS that exploits on attributes. Here’s a demo of that RegEx…
Hm. What if, and hear me out, I distribute a CSS injector to everyone, so then you can’t ban them all?
Try using DOMPurify or something similar rather than playing whack-a-mole but with exploits and XSS attacks.
or instead, just replace the following:
< <!----> <
> <!----> >
& <!----> &
" <!----> "
' <!----> '
<!-- Correct me if I'm wrong -->
That would prevent using HTML within posts, which from what I understood was intentional, although since you can use markdown it may be pointless and worth it
you could either…
For example, I tried using markdown, but the styling and the XSS filtering was kinda messed up. Personally, you don’t need HTML in MD (unless you need a summary/details group, which could be easily implemented by creating your own standards or by not implementing it at all)
The Markdown converter Element got converts to HTML…
By removing certain characters, you are essentially making your users have to guess what the XSS filter will do with the message. For example, transferring code snippets would be impossible due to the removal of certain characters.
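An added example, not part of any post in this thread and not the chat project's own code: it runs the pattern posted above over two constructed messages and compares a removal filter with escaping the five characters listed earlier. The sample messages and the function names are assumptions made for the illustration; Python is used because the thread mentions Flask/Jinja.

```python
import html
import re

# The pattern posted earlier in the thread, with the i and m flags it suggests
# (the g flag corresponds to using search/finditer in Python).
THREAD_PATTERN = re.compile(
    r"""<\w+.*( *on\w+ *= *('|").*('|"))+.*?.*>""",
    re.IGNORECASE | re.MULTILINE,
)

def pattern_flags(message: str) -> bool:
    """True if the blocklist pattern would flag (and so ban on) this message."""
    return THREAD_PATTERN.search(message) is not None

def strip_specials(message: str) -> str:
    """Removal-based filter (assumed form): deletes the five characters outright."""
    return re.sub(r"""[<>&"']""", "", message)

def escape_for_html(message: str) -> str:
    """Output encoding: each of the five characters becomes an HTML entity."""
    return html.escape(message, quote=True)

def render_roundtrip(message: str) -> str:
    """The text a browser displays after decoding the escaped form."""
    return html.unescape(escape_for_html(message))

# Constructed sample messages, not taken from the chat.
SNIPPET = 'for (i = 0; i <n; i++) { config = "a"; } // i -> n'  # ordinary code
MARKUP = '<b onclick="go()">hi</b>'                             # real markup

if __name__ == "__main__":
    for msg in (SNIPPET, MARKUP):
        print("message :", msg)
        print("flagged :", pattern_flags(msg))   # both are flagged
        print("stripped:", strip_specials(msg))  # the snippet is mangled
        print("escaped :", escape_for_html(msg)) # inert text, nothing lost
        print("shown as:", render_roundtrip(msg))
        print()
```

The code snippet is flagged because "onfig" inside "config" satisfies `on\w+`, while escaping leaves both messages readable and renders the markup as plain text.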
At the time, I didn’t know, and still now, I don’t have much clue about it.
What do you mean by that?
@QwertyQwerty88 Also, I was looking through the code and saw this:
# Thanks to Phind
Who is Phind? @python660?
not me, my name starts with J
Typo
# Thanks to Phind
Who is Phind?
Not enough people know about him
Yes, I’m planning on that.
I personally prefer x {units} ago as that way you can take a screenshot without having to blur out your timezone. Perhaps you could add that too as a toggled feature?
I’ve added it. I can’t test it because something is down right now. Hopefully it works.
Some of the upcoming updates include emojis, better API, better timestamps, improvements to hacker theme, and more!
We also now have a new list of admins: @element1010, @QwertyQwerty88, @MiloCat, and @Darkoknight.
Please, do not use XSS, inject <link>s or <iframe>s, as 99% of the time you will be auto-banned.
A bug reported by @cldprv has also been fixed: Opening tags never closed keep on going.
Thanks to @QwertyQwerty88 for some of these updates!!!
Hey
can I help? python flask/jinja templates are my kind of thing
I never got a reply to this question