Bobinas P4G
Conversation

Notices

  1. Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 20:16:55 UTC
    • Christmas Personified as a Catgirl
    • Annah's got the Shotgun
    @moonman @maiyannah you should mention me when you find stuff like this
    • Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 20:16:55 UTC
      • Christmas Personified as a Catgirl
      • Annah's got the Shotgun
      @moonman @maiyannah but it's weird, i'm pretty sure gnusocial used to sanitize the source before.
    • Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 20:17:55 UTC
      in reply to
      • Christmas Personified as a Catgirl
      • MMN-o ✅⃠
      • Annah's got the Shotgun
      @moonman @maiyannah i wonder if sanitation of the source got lost in the migration from saveNotice to saveActivity @mmn ?
    • Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 20:19:42 UTC
      in reply to
      • Christmas Personified as a Catgirl
      • MMN-o ✅⃠
      • Annah's got the Shotgun
      @mmn @moonman @maiyannah the thing is that gs itself sends html in the source field in the api http://qttr.at/1gns
    • Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 20:21:37 UTC
      in reply to
      • Christmas Personified as a Catgirl
      • MMN-o ✅⃠
      • Annah's got the Shotgun
      @mmn @moonman @maiyannah and clients have no way to tell if the html comes from gs or is injected by the user.
    • Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 20:31:41 UTC
      • Annah's got the Shotgun
      @maiyannah yes
    • Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 20:35:25 UTC
      • Annah's got the Shotgun
      @maiyannah the user (client) can send any "source" when posting to api. imo it should be treated/sanitised by gs just like the notice text
    • Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 20:43:29 UTC
      • Annah's got the Shotgun
      @maiyannah apparently not
    • Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 20:44:05 UTC
      • Annah's got the Shotgun
      @maiyannah and now we'll have to assume it might have not, even if it's fixed in newer gnusocial
    • Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 20:58:56 UTC
      • Qvitter
      • Annah's got the Shotgun
      @maiyannah this is what i did to !qvitter https://git.gnu.io/h2p/Qvitter/commit/632d5f113627df4c158be973aefc1afc018764f4
    • Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 21:02:35 UTC
      • Annah's got the Shotgun
      @maiyannah yes htmlpurifier should be enough, i guess?
    • Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 21:12:53 UTC
      in reply to
      • MMN-o ✅⃠
      • Annah's got the Shotgun
      @maiyannah @mmn although, it would be interesting to see if anyone could come up with a dangerous script with only 32 chars
    • Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 21:14:13 UTC
      in reply to
      • Annah's got the Shotgun
      @maiyannah @mmn e.g. i could do <script>alert("hello")</script> but not <script>console.log("hello")</script>
    • Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 21:14:51 UTC
      • Annah's got the Shotgun
      @maiyannah ok. but the source field is not federated.
    • Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 22:26:58 UTC
      • MMN-o ✅⃠
      @mmn Notice_source is only for known sources. unknown sources are served directly from the notice table
    • Hannes (hannes2peer@quitter.se)'s status on Thursday, 01-Sep-2016 22:28:08 UTC
      • Zash
      @zash if it's generated by gnusocial i would consider it safe enough https://git.gnu.io/gnu/gnu-social/blob/master/lib/apiaction.php#L344

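The thread's point is that a client-supplied `source` parameter is stored and served like server-generated HTML, so a consumer cannot tell the two apart. The following is an added Python model of the defensive split Hannes describes (it is not GNU social's PHP code): known sources are served from a trusted table standing in for `Notice_source`, everything else is treated like notice text and escaped on output. The table contents, the `handle_api_post` name and the sample requests are constructed for the example; the 32-character cap is the one mentioned in the thread.

```python
import html

SOURCE_MAX_LEN = 32  # cap on the stored source field, as stated in the thread

# Stand-in for the Notice_source table (constructed rows): code -> HTML that the
# server itself generates for clients it knows about. Only these rows are ever
# emitted unescaped; nothing a client POSTs can add a row here.
KNOWN_SOURCES = {
    "web": "web",
    "qvitter": '<a href="https://example.invalid/qvitter">Qvitter</a>',
}


def store_source(client_supplied: str) -> str:
    """Value to persist from a POSTed 'source' parameter.

    Truncation mirrors the column limit only; it is NOT a sanitiser, since a
    short script tag still fits (see the 31-character example in the thread).
    """
    return client_supplied.strip()[:SOURCE_MAX_LEN]


def render_source(stored: str) -> str:
    """HTML-safe markup for the source column of an API or HTML response.

    A stored code that matches a known source is served from the trusted
    table; any other value was supplied by a client and is escaped exactly
    like notice text would be, so '<' never reaches the page unencoded.
    """
    if stored in KNOWN_SOURCES:
        return KNOWN_SOURCES[stored]
    return html.escape(stored, quote=True)


def handle_api_post(params: dict) -> dict:
    """Hypothetical status-update handler: both fields go through escaping."""
    stored_text = params.get("status", "")
    stored_source = store_source(params.get("source", "web"))
    return {
        "text": html.escape(stored_text, quote=True),
        "source": render_source(stored_source),
    }


if __name__ == "__main__":
    # Constructed requests: a known client, and one abusing the source field.
    print(handle_api_post({"status": "hi", "source": "qvitter"}))
    print(handle_api_post({"status": "hi", "source": '<script>alert("hello")</script>'}))
```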

Bobinas P4G is a social network. It runs on GNU social, version 2.0.1-beta0, available under the GNU Affero General Public License.

All Bobinas P4G content and data are available under the Creative Commons Attribution 3.0 license.