[ home / bans / all ] [ qa / jp / cry ] [ sum ] [ f / ec ] [ b / poll ] [ tv / bann ] [ toggle-new / tab ]

/b/ - Boson Technology

Also known as Boson /g/

New Reply

Options
Comment
File
Whitelist Token
Spoiler
Password (For file deletion.)
Markup tags exist for bold, itallics, header, spoiler etc. as listed in " [options] > View Formatting "


Nen Refugee Thread Please be kind and welcoming to nen friends!

[Return] [Bottom] [Catalog]

File:8d8f19abb4a8d0065c9c87584c….png (24.63 MB,3700x3500)

 No.10361

Oh no, I guess this could be an issue

[s glowgreen|font-size:48px]Oh no, I guess this could be an issue[/s]

 No.10362

File:[SubsPlease] Ochikobore Fr….jpg (138.16 KB,1280x720)

Seems fine to me!

 No.10364

wat

 No.10366

I keep forgetting custom markup is a thing, which is a shame, because I like the feature a lot.

 No.10367

File:[SubsPlease] Tokyo Mew Mew….jpg (252.17 KB,1280x720)

Still seems fine to me!
Very old forum-y. I once messed up a forum because I forgot to close a marquee tag and the site didn't have any safety thing for it so all the text on the screen scrolled. hehehe

 No.10368

><>
Golden fish

 No.10369

>>10368
Cute Golden fish

 No.10370

i will patch this sometime... I have restrictions(opacity and position) on the attribute override syntax, but obviously there are so many CSS rules that I'll forget a few things that will cause problems occasionally. But if no one is abusing it then I'll probably only target the really problematic ones such as invisible text. This styling doesn't show up on the vichan UI so it's not a problem to moderate, but might be tricky to see sometimes.

 No.10371

>>10370
The big thing you need to watch out for is stuff that loads content from external URLs, which is a privacy issue because it could be used to log IPs.

 No.10375

>>10371
doesn't work by design since the field doesn't allow for ( )
Though, explicitly disallowing external url is for the best.

 No.10422

>>10368
your fish kind of changed color...

 No.10423

I'm working out hypothetical issues with the feature and color changes are going to have to be restricted to dark themes(everything but kissu.css) since having a situation where some posters are preventing users of certain sheets from reading their posts is very problematic.

Likewise some ways to make text hidden or very unreadable on dark sheets will have to be removed.
I missed this too sigh

 No.10430

abawawa











abawawa

 No.10431

Will be allowing url to be used with relative domains only.
Various failsafes in the attribute override parsing will guarantee that there's never an HTTPS.

the following checks are made:
          if( /url\((?:"|'|)https?:\/\/(?:[^ ]+\.)?[^ ]+\.[^ ]+?(\/[^'"\)]+)?(?:"|'|)\)/gui.test( style_parts[1] ) ){
            error_list.push({ [style_parts[0]] :  "url-can-not-use-https.Use: url(/qa/thumb/1638594960389.webp);"});
            style_parts[1] = style_parts[1].replace( /url\((?:"|'|)https:\/\/(?:[^ ]+\.)?[^ ]+\.[^ ]+?(\/[^'"\)]+)?(?:"|'|)\)/gui , "url($1)" );
          }
          // redundant, do not let URL this create an exploit
          if(/https?/gi.test(style_parts[1])){
            error_list.push({ [style_parts[0]] :  "for-some-reason-https-was-not-removed...terminating-rule"});
            style_parts[1] = "unset";
          }

 No.10435

>>10431
You can get around a search for "https" by CSS escapes, like so:
\0068ttps

 No.10437

>>10435
\ still a forbidden character.
122
Worth examining and seeing if it gets through

 No.10438

>>10437
data: URIs could also be an issue, particularly if they're to something like SVG that can load subresources.

 No.10439

>>10438
It doesn't effect because I forgot to make the server handle case insensitive input.

very nice,

 No.10440

kind of complicated. Checking for HTTPS is the wrong approach apparently. Rather will have to force URLs to be relative

 No.10441

Javascript's regex engine auto converts \0068 and so on into their interpretation. So the problem with \ is less of a serious concern considering regex ought to be doing the conversions with or without the \u flag. Still, the value of having \ be in the CSS is not essential and potential issues don't outweight the gain.

data: is to be explicitly blocked for everything.

 No.10442

new rules:

if( /url\((?:"|'|)([^"'\)]*?)(?:"|'|)\)/gui.test( style_parts[1] ) ){
   let url_match = /url\((?:"|'|)([^"'\)]*?)(?:"|'|)\)/gui.exec(style_parts[1]);
   let valid_url = /^\/(?!data|https)[a-z0-9\/]+\.(?!svg)[a-z]+$/ui.test(url_match[1]) ||
              /^https:\/\/([a-z]+\.)?kissu.moe\/[a-z0-9\/]+\.(?!svg)[a-z]+$/ui.test(url_match[1]) ;
   if(!valid_url){
      error_list.push({ [style_parts[0]] :  "only-kissu-urls-allowed.eg-url(/qa/thumb/1638594960389.webp);"});
          style_parts[1] = style_parts[1].replace( /url\((?:"|'|)([^"'\)]*?)(?:"|'|)\)/gui , "url('error')" );
      }
    }
    // redundant, do not let URL create an exploit
if(/(data:|\.svg|\\0)/gui.test(style_parts[1])){
    error_list.push({ [style_parts[0]] :  "potentially dangerous-markup-was-not-removed.Check-/(data:|\.svg|\0)/.terminating-rule"});
    style_parts[1] = "";
}

 No.10443

forgot the negative lookahead (?!svg) on one of the validations, added that in.

I'll leave \ disabled server side and have the client blocking \0
Will fix that style tags were case sensitive after I upload my current changes and wait a few hours.
Client aborts parsing for given rule if data: is encountered

 No.10444

>>10441
>Javascript's regex engine auto converts \0068 and so on into their interpretation.
It should interpret \u0068 as h if it occurs in the regular expression. If \0068 occurs in the string being tested, there's no reason it would auto convert anything.

 No.10445

>>10444
guess I confused something with something else




[Return] [Top] [Catalog] [Post a Reply]
Delete Post [ ]

[ home / bans / all ] [ qa / jp / cry ] [ sum ] [ f / ec ] [ b / poll ] [ tv / bann ] [ toggle-new / tab ]