
/b/ - Boson Technology

Also known as Boson /g/


File:8d8f19abb4a8d0065c9c87584c….png (24.63 MB,3700x3500)

 No.10361

Oh no, I guess this could be an issue

[s glowgreen|font-size:48px]Oh no, I guess this could be an issue[/s]

 No.10362

File:[SubsPlease] Ochikobore Fr….jpg (138.16 KB,1280x720)

Seems fine to me!

 No.10364

wat

 No.10366

I keep forgetting custom markup is a thing, which is a shame, because I like the feature a lot.

 No.10367

File:[SubsPlease] Tokyo Mew Mew….jpg (252.17 KB,1280x720)

Still seems fine to me!
Very old forum-y. I once messed up a forum because I forgot to close a marquee tag and the site didn't have any safety thing for it so all the text on the screen scrolled. hehehe

 No.10368

><>
Golden fish

 No.10369

>>10368
Cute Golden fish

 No.10370

i will patch this sometime... I have restrictions (opacity and position) on the attribute override syntax, but obviously there are so many CSS rules that I'll forget a few things that will cause problems occasionally. But if no one is abusing it then I'll probably only target the really problematic ones such as invisible text. This styling doesn't show up on the vichan UI so it's not a problem to moderate, but might be tricky to see sometimes.

 No.10371

>>10370
The big thing you need to watch out for is stuff that loads content from external URLs, which is a privacy issue because it could be used to log IPs.

 No.10375

>>10371
doesn't work by design since the field doesn't allow for ( )
Though, explicitly disallowing external url is for the best.

 No.10422

>>10368
your fish kind of changed color...

 No.10423

I'm working out hypothetical issues with the feature and color changes are going to have to be restricted to dark themes (everything but kissu.css) since having a situation where some posters are preventing users of certain sheets from reading their posts is very problematic.

Likewise some ways to make text hidden or very unreadable on dark sheets will have to be removed.
I missed this too sigh

 No.10430

abawawa











abawawa

 No.10431

Will be allowing url to be used with relative domains only.
Various failsafes in the attribute override parsing will guarantee that there's never an HTTPS.

the following checks are made:
// style_parts[0] is the property name, style_parts[1] its value
// first pass: a url() holding an absolute http(s) address is reported
if( /url\((?:"|'|)https?:\/\/(?:[^ ]+\.)?[^ ]+\.[^ ]+?(\/[^'"\)]+)?(?:"|'|)\)/gui.test( style_parts[1] ) ){
    error_list.push({ [style_parts[0]] : "url-can-not-use-https.Use: url(/qa/thumb/1638594960389.webp);"});
    // keep only the path part ($1); this pattern matches https: only,
    // so an http: address is left for the check below
    style_parts[1] = style_parts[1].replace( /url\((?:"|'|)https:\/\/(?:[^ ]+\.)?[^ ]+\.[^ ]+?(\/[^'"\)]+)?(?:"|'|)\)/gui , "url($1)" );
}
// redundant, do not let URL create an exploit
if(/https?/gi.test(style_parts[1])){
    error_list.push({ [style_parts[0]] : "for-some-reason-https-was-not-removed...terminating-rule"});
    style_parts[1] = "unset";
}

 No.10435

>>10431
You can get around a search for "https" by CSS escapes, like so:
\0068ttps

 No.10437

>>10435
\ still a forbidden character.
122
Worth examining and seeing if it gets through

 No.10438

>>10437
data: URIs could also be an issue, particularly if they're to something like SVG that can load subresources.

 No.10439

>>10438
It doesn't effect because I forgot to make the server handle case insensitive input.

very nice,

 No.10440

kind of complicated. Checking for HTTPS is the wrong approach apparently. Rather will have to force URLs to be relative

 No.10441

Javascript's regex engine auto converts \0068 and so on into their interpretation. So the problem with \ is less of a serious concern considering regex ought to be doing the conversions with or without the \u flag. Still, the value of having \ be in the CSS is not essential and potential issues don't outweigh the gain.

data: is to be explicitly blocked for everything.

 No.10442

new rules:

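// url() values must be a relative path or a kissu.moe URL, and never an .svg
if( /url\((?:"|'|)([^"'\)]*?)(?:"|'|)\)/gui.test( style_parts[1] ) ){
    // validate every url(...) in the value, not only the first one
    let url_matches = [...style_parts[1].matchAll( /url\((?:"|'|)([^"'\)]*?)(?:"|'|)\)/gui )];
    let valid_url = url_matches.every( url_match =>
        // relative path; \/ in the lookahead keeps out protocol-relative //host/... addresses
        /^\/(?!\/|data|https)[a-z0-9\/]+\.(?!svg)[a-z]+$/ui.test(url_match[1]) ||
        // absolute URL on kissu.moe or a subdomain (the dot is escaped so it only matches ".")
        /^https:\/\/([a-z]+\.)?kissu\.moe\/[a-z0-9\/]+\.(?!svg)[a-z]+$/ui.test(url_match[1]) );
    if(!valid_url){
        error_list.push({ [style_parts[0]] : "only-kissu-urls-allowed.eg-url(/qa/thumb/1638594960389.webp);"});
        style_parts[1] = style_parts[1].replace( /url\((?:"|'|)([^"'\)]*?)(?:"|'|)\)/gui , "url('error')" );
    }
}
// redundant, do not let URL create an exploit
if(/(data:|\.svg|\\0)/gui.test(style_parts[1])){
    // backslashes doubled so the message shows the pattern instead of embedding a NUL character
    error_list.push({ [style_parts[0]] : "potentially dangerous-markup-was-not-removed.Check-/(data:|\\.svg|\\\\0)/.terminating-rule"});
    style_parts[1] = "";
}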

 No.10443

forgot the negative lookahead (?!svg) on one of the validations, added that in.

I'll leave \ disabled server side and have the client blocking \0
Will fix that style tags were case sensitive after I upload my current changes and wait a few hours.
Client aborts parsing for given rule if data: is encountered

 No.10444

>>10441
>Javascript's regex engine auto converts \0068 and so on into their interpretation.
It should interpret \u0068 as h if it occurs in the regular expression. If \0068 occurs in the string being tested, there's no reason it would auto convert anything.

 No.10445

>>10444
guess I confused something with something else
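
The approach the thread settles on (relative URLs only, data: and \ refused), as an added JavaScript example that is not the site's code or part of any post: it decodes CSS escapes before matching, which shows why a plain search for "https" does not see \0068ttps, and it checks every url() in the value. decodeCssEscapes, checkStyleValue, ALLOWED_PATH and the tracker.example sample values are assumptions made for the illustration.

```javascript
// Added illustration; all names here are hypothetical, not kissu's code.

// Undo CSS escapes (\68, \0068 plus one optional whitespace, or \<char>)
// so the check sees the text the browser's CSS parser will see.
function decodeCssEscapes(value) {
  return value.replace(/\\([0-9a-f]{1,6})[ \t\n\r\f]?|\\([^\n])/gi, (m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    const bad = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
    return bad ? "\ufffd" : String.fromCodePoint(cp);
  });
}

// Same-site relative path only: one leading slash, simple name, no .svg.
const ALLOWED_PATH = /^\/(?!\/)[a-z0-9_\/-]+\.(?!svg)[a-z0-9]+$/i;

function checkStyleValue(value) {
  const errors = [];
  if (value.includes("\\")) errors.push("backslash-not-allowed");
  const decoded = decodeCssEscapes(value);
  if (/data:/i.test(decoded)) errors.push("data-uri-not-allowed");
  // Validate every url(...), quoted or bare, not only the first one.
  const urlRe = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)]*?))\s*\)/gi;
  for (const m of decoded.matchAll(urlRe)) {
    const target = m[1] ?? m[2] ?? m[3];
    if (!ALLOWED_PATH.test(target)) errors.push("url-not-relative:" + target);
  }
  return { ok: errors.length === 0, errors, decoded };
}

// Constructed sample values (tracker.example is a placeholder host).
const SAMPLES = [
  "url(/qa/thumb/1638594960389.webp)",
  "url(\\0068ttps://tracker.example/p.png)",
  "url(/a/b.png), url(//tracker.example/p.png)",
  'url("data:image/svg+xml,<svg/>")',
];
for (const s of SAMPLES) {
  const r = checkStyleValue(s);
  console.log(r.ok ? "accept" : "reject", JSON.stringify(s), r.errors.join(","));
}
```

Only the first sample is accepted; the protocol-relative //tracker.example value is refused even though it starts with a slash.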

 No.11004

Bumping this thread because it's good and I wish more people used the custom markup.

 No.11006

File:kuon dramatic speech.mp4 (120.21 KB,1280x720)

Thanks for reminding me, but this is easy to forget and I can't say I'll be able to memorize the methods this time, but this could still be fun even though I can't figure out how to use wingdings. Still, the ability to use the classic IMPACT font of image macros has potential I feel. It reminds me of older days. Maybe a guide should be written down somewhere so people could easily access it when they can't remember how to do it. If you want to change the font, you use font-family.
For this post I used "font-family" in addition to font-size, so it looked like "font size:90x;font family:impact"

 No.11007

>>11006
font size:90px, that is.
px is for pixel

 No.11008

>>11006
I really hope more people use it in the future. You can do really fun things with it.

 No.11060

[s glowgreen|font-size:48px]test[/s]

 No.11061

>>11060
that's not an expected result

 No.11063

File:55c5c3d1ee.png (12.72 KB,495x380)

so strange, if you copy paste the code block section it's not actually a white space... What character did it even insert

 No.11064

Strange, you copy paste an HTML entity which means that it doesn't work as expected
&nbsp; does not translate into a space

 No.11065

Issue resolved with copy pasting the OP, learned nbsp is not the same as whitespace

Oh no, I guess this could be an issue

 No.11066

>>11063
seems to be an issue or feature(?) of markdown preserving the look of whitespaces with html
https://stackoverflow.com/questions/15721373/how-do-i-ensure-that-whitespace-is-preserved-in-markdown

 No.11067

>>11066
it's because code blocks have a lot of their characters converted into HTML entities in order to prevent any markup being rendered inside of them

 No.11100

I appreciate everyone's restraint in not overdoing it with this site feature.

 No.11101

キタ━━━(゚∀゚)━━━!!



