Anonymous 07/22/22 (Fri) 12:36:07 No. 10364
wat
Anonymous 07/22/22 (Fri) 22:14:11 No. 10366
I keep forgetting custom markup is a thing, which is a shame, because I like the feature a lot.
Anonymous 07/22/22 (Fri) 22:18:43 No. 10368 >>10369 >>10422 >>12280
><> Golden fish
Anonymous 07/22/22 (Fri) 22:38:41 No. 10370 >>10371
I will patch this sometime... I have restrictions (opacity and position) on the attribute override syntax, but obviously there are so many CSS rules that I'll forget a few things that will cause problems occasionally. But if no one is abusing it then I'll probably only target the really problematic ones such as invisible text. This styling doesn't show up on the vichan UI so it's not a problem to moderate, but might be tricky to see sometimes.
Anonymous 07/23/22 (Sat) 16:29:36 No. 10371 >>10375
>>10370 The big thing you need to watch out for is stuff that loads content from external URLs, which is a privacy issue because it could be used to log IPs.
Anonymous 07/23/22 (Sat) 18:34:12 No. 10375
>>10371 doesn't work by design since the field doesn't allow for ( )
Though, explicitly disallowing external url is for the best.
Anonymous 07/25/22 (Mon) 05:59:55 No. 10422
>>10368 your fish kind of changed color...
Anonymous 07/25/22 (Mon) 08:10:52 No. 10423
I'm working out hypothetical issues with the feature, and color changes are going to have to be restricted to dark themes (everything but kissu.css), since having a situation where some posters are preventing users of certain sheets from reading their posts is very problematic. Likewise some ways to make text hidden or very unreadable on dark sheets will have to be removed. I missed this too, sigh.
Anonymous 07/26/22 (Tue) 04:31:25 No. 10430
abawawa abawawa
Anonymous 07/26/22 (Tue) 11:04:38 No. 10431 >>10435
Will be allowing url to be used with relative domains only. Various failsafes in the attribute override parsing will guarantee that there's never an HTTPS. The following checks are made:

    if( /url\((?:"|'|)https?:\/\/(?:[^ ]+\.)?[^ ]+\.[^ ]+?(\/[^'"\)]+)?(?:"|'|)\)/gui.test( style_parts[1] ) ){
        error_list.push({ [style_parts[0]] : "url-can-not-use-https.Use: url(/qa/thumb/1638594960389.webp);" });
        // strip the scheme and host, keeping only the path (group 1), so the url becomes site-relative
        style_parts[1] = style_parts[1].replace( /url\((?:"|'|)https?:\/\/(?:[^ ]+\.)?[^ ]+\.[^ ]+?(\/[^'"\)]+)?(?:"|'|)\)/gui , "url($1)" );
    }
    // redundant, do not let URL create an exploit
    if( /https?/gi.test(style_parts[1]) ){
        error_list.push({ [style_parts[0]] : "for-some-reason-https-was-not-removed...terminating-rule" });
        style_parts[1] = "unset";
    }
Anonymous 07/26/22 (Tue) 15:49:48 No. 10435 >>10437
>>10431 You can get around a search for "https" by CSS escapes, like so:
\0068ttps
Anonymous 07/26/22 (Tue) 20:01:54 No. 10437 >>10438
>>10435 \ still a forbidden character.
122 Worth examining and seeing if it gets through
Anonymous 07/26/22 (Tue) 20:48:35 No. 10438 >>10439
>>10437 data: URIs could also be an issue, particularly if they're to something like SVG that can load subresources.
Anonymous 07/26/22 (Tue) 21:00:41 No. 10439
>>10438 It doesn't affect because I forgot to make the server handle case-insensitive input.
very nice,
Anonymous 07/26/22 (Tue) 21:02:25 No. 10440
Kind of complicated. Checking for HTTPS is the wrong approach apparently. Rather, I will have to force URLs to be relative.
Anonymous 07/26/22 (Tue) 21:55:14 No. 10441 >>10444
JavaScript's regex engine auto-converts \0068 and so on into their interpretation. So the problem with \ is less of a serious concern considering regex ought to be doing the conversions with or without the \u flag. Still, the value of having \ be in the CSS is not essential and potential issues don't outweigh the gain. data: is to be explicitly blocked for everything.
Anonymous 07/26/22 (Tue) 21:56:27 No. 10442
new rules:

    if( /url\((?:"|'|)([^"'\)]*?)(?:"|'|)\)/gui.test( style_parts[1] ) ){
        let url_match = /url\((?:"|'|)([^"'\)]*?)(?:"|'|)\)/gui.exec(style_parts[1]);
        // either a site-relative path or an https kissu.moe url, neither ending in .svg
        let valid_url = /^\/(?!data|https)[a-z0-9\/]+\.(?!svg)[a-z]+$/ui.test(url_match[1])
            || /^https:\/\/([a-z]+\.)?kissu\.moe\/[a-z0-9\/]+\.(?!svg)[a-z]+$/ui.test(url_match[1]);
        if(!valid_url){
            error_list.push({ [style_parts[0]] : "only-kissu-urls-allowed.eg-url(/qa/thumb/1638594960389.webp);" });
            style_parts[1] = style_parts[1].replace( /url\((?:"|'|)([^"'\)]*?)(?:"|'|)\)/gui , "url('error')" );
        }
    }
    // redundant, do not let URL create an exploit
    if( /(data:|\.svg|\\0)/gui.test(style_parts[1]) ){
        error_list.push({ [style_parts[0]] : "potentially-dangerous-markup-was-not-removed.Check-/(data:|\\.svg|\\0)/.terminating-rule" });
        style_parts[1] = "";
    }
Anonymous 07/26/22 (Tue) 22:01:50 No. 10443
Forgot the negative lookahead (?!svg) on one of the validations; added that in. I'll leave \ disabled server-side and have the client block \0. Will fix style tags being case-sensitive after I upload my current changes and wait a few hours. Client aborts parsing for a given rule if data: is encountered.
Anonymous 07/27/22 (Wed) 03:15:41 No. 10444 >>10445
>>10441
>JavaScript's regex engine auto-converts \0068 and so on into their interpretation.
It should interpret \u0068 as h if it occurs in the regular expression. If \0068 occurs in the string being tested, there's no reason it would auto-convert anything.
Anonymous 07/27/22 (Wed) 03:40:47 No. 10445
>>10444 guess I confused something with something else
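An added example tying together >>10431, >>10435, >>10438, >>10442 and >>10444. This is not kissu.moe's code and not any poster's; it is a JavaScript url() validator for one `property:value` override, written to show two things: the posted denylist misses a CSS-escaped `\0068ttps` (because `RegExp.prototype.test` sees the raw text and never decodes CSS escapes) and never looks at a `data:` URL at all, while an allowlist in the spirit of >>10442 only admits a site-relative path or an https kissu.moe URL with a non-SVG extension. The function names, the permitted path characters, the `svgz` exclusion and the rejection of protocol-relative `//host/...` paths are my assumptions, not the site's rules.

```javascript
// Added example, not kissu.moe's code: url() validation for one CSS override
// declaration ("property:value"), contrasting the denylist posted in >>10431
// with an allowlist in the spirit of >>10442. All names here are hypothetical.

// A browser's CSS tokenizer decodes escapes before it ever sees "https", so a
// filter on the raw text must either decode them too or reject the backslash.
// Handles \HHHHHH (1-6 hex digits plus one optional whitespace) and \X.
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-f]{1,6})\s?|\\(.)/gi, (m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    const bad = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
    return bad ? "\uFFFD" : String.fromCodePoint(cp);
  });
}

// The denylist idea from >>10431 (made case-insensitive). RegExp.test() looks at
// the raw string and does not decode CSS escapes (>>10444), so "\0068ttps://"
// slips through, and a data: URL is never looked at in the first place.
function denylistRejects(value) {
  return /https?/i.test(value);
}

// Pull the argument out of url(...), whether double-quoted, single-quoted or bare.
const URL_CALL = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^"')\s]*))\s*\)/i;
function extractUrl(value) {
  const m = URL_CALL.exec(value);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Allowlist: a site-relative path (exactly one leading slash, so a
// protocol-relative "//host/..." does not count) or https://<sub>.kissu.moe/...,
// with an extension other than svg/svgz since SVG can pull in subresources
// (>>10438). Backslashes and whitespace are rejected outright, so escapes never
// reach the path regexes. Assumed character sets, not the site's.
const RELATIVE = /^\/(?!\/)[a-z0-9\/._-]+\.(?!svgz?$)[a-z0-9]+$/i;
const KISSU = /^https:\/\/(?:[a-z0-9-]+\.)?kissu\.moe\/[a-z0-9\/._-]+\.(?!svgz?$)[a-z0-9]+$/i;

function isAllowedUrl(raw) {
  if (/[\\\s]/.test(raw)) return false;
  return RELATIVE.test(raw) || KISSU.test(raw);
}

// Validate one declaration. Returns { property, value, error } where value is
// what to emit ("unset" or "" when the rule was neutralised) and error is null
// on success, mirroring the error_list entries in the thread.
function sanitizeDeclaration(decl) {
  const i = decl.indexOf(":");
  if (i < 0) return { property: decl.trim(), value: "", error: "missing-colon" };
  const property = decl.slice(0, i).trim().toLowerCase();
  const value = decl.slice(i + 1).trim();

  const raw = extractUrl(value);
  if (raw !== null && !isAllowedUrl(raw)) {
    return { property, value: "unset",
             error: `${property}: only-kissu-urls-allowed, e.g. url(/qa/thumb/1638594960389.webp)` };
  }
  // Redundant second check, as in the posted code, but run on the decoded text:
  // nothing that could still smuggle a fetch survives.
  if (/data:|\\|\.svgz?\b/i.test(decodeCssEscapes(value))) {
    return { property, value: "", error: `${property}: potentially-dangerous-markup, terminating rule` };
  }
  return { property, value, error: null };
}

// Constructed sample declarations (not from the thread); run with: node this_file.js
const SAMPLES = [
  "background-image: url(/qa/thumb/1638594960389.webp)",
  "background-image: url('https://i.kissu.moe/qa/thumb/1638594960389.webp')",
  "background-image: url(\\0068ttps://evil.example/a.png)",
  "background-image: url(HTTPS://evil.example/a.png)",
  "background-image: url(//evil/a.png)",
  "background-image: url(data:image/svg+xml;utf8,<svg/>)",
  "background-image: url(/qa/thumb/a.SVG)",
];
for (const s of SAMPLES) {
  console.log(denylistRejects(s) ? "deny  " : "allow ", JSON.stringify(sanitizeDeclaration(s)));
}
```

The `sanitizeDeclaration` result keeps the shape of the thread's `error_list` entries (property, replacement value, message). Decoding escapes before the second check is what closes the gap >>10435 pointed out; rejecting the backslash outright, as >>10437 does server-side, makes the same point with less code, and the allowlist never has to enumerate schemes because anything that is not a single-slash path or a kissu.moe https URL fails by construction.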
Anonymous 11/13/22 (Sun) 20:57:50 No. 11004
Bumping this thread because it's good and I wish more people used the custom markup.
Anonymous 11/13/22 (Sun) 22:53:49 No. 11007
>>11006 font size:90px, that is.
px is for pixel
Anonymous 11/27/22 (Sun) 12:23:50 No. 11060 >>11061
[s glowgreen|font-size:48px]test[/s]
Anonymous 11/27/22 (Sun) 13:37:15 No. 11061
>>11060 that's not an expected result
Anonymous 11/27/22 (Sun) 13:52:30 No. 11064
Strange, you copy-pasted an HTML entity, which means it doesn't work as expected: it does not translate into a space.
Anonymous 11/27/22 (Sun) 14:02:14 No. 11065
Issue resolved with copy-pasting the OP; learned nbsp is not the same as whitespace. Oh no, I guess this could be an issue.
Anonymous 11/27/22 (Sun) 15:54:10 No. 11067
>>11066 it's because code blocks have a lot of their characters converted into HTML entities in order to prevent any markup being rendered inside of them
Anonymous 12/13/22 (Tue) 10:42:27 No. 11100
I appreciate everyone's restraint in not overdoing it with this site feature.
Anonymous 12/13/22 (Tue) 11:02:38 No. 11101
It's here! ━━━(゚∀゚)━━━!!
Anonymous 03/12/23 (Sun) 04:26:45 No. 11631
bump
Anonymous 03/12/23 (Sun) 04:28:15 No. 11632 >>11634
do you need the glowsomething for the font size to work...
Anonymous 03/12/23 (Sun) 04:29:53 No. 11633
I ain't gonna teach you the easter eggs.
Anonymous 03/12/23 (Sun) 04:34:40 No. 11634
>>11632 Nope, but I can't get it to work unless there's a | in front, as if I was doing multiple things. I never bothered to learn how to do it otherwise.