
/b/ - Boson Technology

Also known as Boson /g/


File:8d8f19abb4a8d0065c9c87584c….png (24.63 MB,3700x3500)


Oh no, I guess this could be an issue

[s glowgreen|font-size:48px]Oh no, I guess this could be an issue[/s]


File:[SubsPlease] Ochikobore Fr….jpg (138.16 KB,1280x720)

Seems fine to me!




I keep forgetting custom markup is a thing, which is a shame, because I like the feature a lot.


File:[SubsPlease] Tokyo Mew Mew….jpg (252.17 KB,1280x720)

Still seems fine to me!
Very old forum-y. I once messed up a forum because I forgot to close a marquee tag and the site didn't have any safety thing for it so all the text on the screen scrolled. hehehe


Golden fish


Cute Golden fish


I will patch this sometime... I have restrictions (opacity and position) on the attribute override syntax, but obviously there are so many CSS rules that I'll forget a few things that will cause problems occasionally. But if no one is abusing it then I'll probably only target the really problematic ones such as invisible text. This styling doesn't show up on the vichan UI so it's not a problem to moderate, but might be tricky to see sometimes.


The big thing you need to watch out for is stuff that loads content from external URLs, which is a privacy issue because it could be used to log IPs.


doesn't work by design since the field doesn't allow for ( )
Though, explicitly disallowing external url is for the best.


your fish kind of changed color...


I'm working out hypothetical issues with the feature and color changes are going to have to be restricted to dark themes (everything but kissu.css) since having a situation where some posters are preventing users of certain sheets from reading their posts is very problematic.

Likewise some ways to make text hidden or very unreadable on dark sheets will have to be removed.
I missed this too sigh





Will be allowing url to be used with relative domains only.
Various failsafes in the attribute override parsing will guarantee that there's never an HTTPS.

the following checks are made:
if( /url\((?:"|'|)https?:\/\/(?:[^ ]+\.)?[^ ]+\.[^ ]+?(\/[^'"\)]+)?(?:"|'|)\)/gui.test( style_parts[1] ) ){
    error_list.push({ [style_parts[0]] : "url-can-not-use-https.Use: url(/qa/thumb/1638594960389.webp);"});
    // strip scheme and host, keep only the captured path
    style_parts[1] = style_parts[1].replace( /url\((?:"|'|)https:\/\/(?:[^ ]+\.)?[^ ]+\.[^ ]+?(\/[^'"\)]+)?(?:"|'|)\)/gui , "url($1)" );
    // redundant, do not let this URL create an exploit
    // (the condition is not shown in the post; assumed here to be a re-check for a remaining scheme)
    if( /https?:/ui.test( style_parts[1] ) ){
        error_list.push({ [style_parts[0]] : "for-some-reason-https-was-not-removed...terminating-rule"});
        style_parts[1] = "unset";
    }
}


You can get around a search for "https" by CSS escapes, like so:


\ still a forbidden character.
Worth examining and seeing if it gets through


data: URIs could also be an issue, particularly if they're to something like SVG that can load subresources.


It doesn't effect because I forgot to make the server handle case insensitive input.

very nice,


kind of complicated. Checking for HTTPS is the wrong approach apparently. Rather will have to force URLs to be relative


Javascript's regex engine auto converts \0068 and so on into their interpretation. So the problem with \ is less of a serious concern considering regex ought to be doing the conversions with or without the \u flag. Still, the value of having \ be in the CSS is not essential and potential issues don't outweigh the gain.

data: is to be explicitly blocked for everything.


new rules:

if( /url\((?:"|'|)([^"'\)]*?)(?:"|'|)\)/gui.test( style_parts[1] ) ){
    let url_match = /url\((?:"|'|)([^"'\)]*?)(?:"|'|)\)/gui.exec(style_parts[1]);
    let valid_url = /^\/(?!data|https)[a-z0-9\/]+\.(?!svg)[a-z]+$/ui.test(url_match[1]) ||
        /^https:\/\/([a-z]+\.)?kissu.moe\/[a-z0-9\/]+\.(?!svg)[a-z]+$/ui.test(url_match[1]) ;
    // (the condition is not shown in the post; assumed here to be the negation of valid_url)
    if( !valid_url ){
        error_list.push({ [style_parts[0]] : "only-kissu-urls-allowed.eg-url(/qa/thumb/1638594960389.webp);"});
        style_parts[1] = style_parts[1].replace( /url\((?:"|'|)([^"'\)]*?)(?:"|'|)\)/gui , "url('error')" );
    }
    // redundant, do not let URL create an exploit
    // (the condition is not shown in the post; the regex is the one named in the error message below)
    if( /(data:|\.svg|\0)/ui.test( style_parts[1] ) ){
        error_list.push({ [style_parts[0]] : "potentially dangerous-markup-was-not-removed.Check-/(data:|\.svg|\0)/.terminating-rule"});
        style_parts[1] = "";
    }
}


forgot the negative lookahead (?!svg) on one of the validations, added that in.

I'll leave \ disabled server side and have the client blocking \0
Will fix that style tags were case sensitive after I upload my current changes and wait a few hours.
Client aborts parsing for given rule if data: is encountered


>Javascript's regex engine auto converts \0068 and so on into their interpretation.
It should interpret \u0068 as h if it occurs in the regular expression. If \0068 occurs in the string being tested, there's no reason it would auto convert anything.


guess I confused something with something else
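
Added example (not code from this thread or from the site): the approach the posts above converge on, validating what the browser will see once CSS escapes are resolved and allowlisting site-relative paths instead of searching the raw text for "https". All function and constant names are hypothetical, the inputs are constructed samples, and the list of allowed file extensions is an assumption.

```javascript
// Added example; every name below is hypothetical, not the site's code.

// Resolve CSS escapes as a browser's tokenizer would: "\" + 1-6 hex digits
// (+ one optional whitespace) is a code point; "\" + other char is that char.
function decodeCssEscapes(value) {
  return value.replace(/\\([0-9a-f]{1,6})\s?|\\([^\n])/gi, (m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    const invalid = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
    return invalid ? "\ufffd" : String.fromCodePoint(cp);
  });
}

// Simplified stand-in for a blocklist that searches the raw text for "https".
const naiveHttpsSearch = (raw) => /https?:/i.test(raw);

const URL_FN = /url\(\s*(["']?)(.*?)\1\s*\)/gi;
// Allowlist: site-relative path to a raster image, nothing else (assumed list).
const ALLOWED_PATH = /^\/[a-z0-9_\/-]+\.(?:png|jpe?g|gif|webp)$/i;

function checkStyleValue(raw) {
  const errors = [];
  if (raw.includes("\\")) errors.push("backslash-not-allowed");
  const seen = decodeCssEscapes(raw); // the text the browser will act on
  if (/data:/i.test(seen)) errors.push("data-uri-not-allowed");
  let parsed = 0;
  for (const m of seen.matchAll(URL_FN)) {
    parsed++;
    // "//host/a.png" is protocol-relative and leaves the site
    if (m[2].startsWith("//") || !ALLOWED_PATH.test(m[2])) {
      errors.push("url-not-allowed:" + m[2]);
    }
  }
  // A "url(" that could not be parsed is rejected rather than passed through.
  const opened = (seen.match(/url\(/gi) || []).length;
  if (opened !== parsed) errors.push("unparsable-url");
  return { ok: errors.length === 0, errors };
}

// Constructed sample inputs.
for (const raw of [
  "url(/qa/thumb/1638594960389.webp)",
  "url(\\68ttps://example.invalid/a.png)",
  "URL(//localhost/a.png)",
  "url(data:image/png;base64,AAAA)",
]) {
  console.log(naiveHttpsSearch(raw), JSON.stringify(checkStyleValue(raw)));
}
```

The second sample is the case where the raw-text search returns false while the decoded value is an absolute https URL; the validator rejects it both for the backslash and for the decoded target.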


Bumping this thread because it's good and I wish more people used the custom markup.


File:kuon dramatic speech.mp4 (120.21 KB,1280x720)

Thanks for reminding me, but this is easy to forget and I can't say I'll be able to memorize the methods this time, but this could still be fun even though I can't figure out how to use wingdings. Still, the ability to use the classic IMPACT font of image macros has potential I feel. It reminds me of older days. Maybe a guide should be written down somewhere so people could easily access it when they can't remember how to do it. If you want to change the font, you use font-family.
For this post I used "font-family" in addition to font-size, so it looked like "font size:90x;font family:impact"


font size:90px, that is.
px is for pixel


I really hope more people use it in the future. You can do really fun things with it.


[s glowgreen|font-size:48px]test[/s]


that's not an expected result


File:55c5c3d1ee.png (12.72 KB,495x380)

so strange, if you copy paste the code block section it's not actually a white space... What character did it even insert


Strange, you copy paste an HTML entity which means that it doesn't work as expected
&nbsp; does not translate into a space


Issue resolved with copy pasting the OP, learned nbsp is not the same as whitespace

Oh no, I guess this could be an issue


seems to be an issue or feature(?) of markdown preserving the look of whitespaces with html


it's because code blocks have a lot of their characters converted into HTML entities in order to prevent any markup being rendered inside of them


I appreciate everyone's restraint in not overdoing it with this site feature.






do you need the glowsomething for the font size to work...


i aint gonna teach you the easter eggs


Nope, but I can't get it to work unless there's a | in front as if I was doing multiple things. I never bothered to learn how to do it otherwise
