(Vice) New Tumblr-like social media site channels MySpace, allows users to add unsanitized HTML to usernames and posts (vice.com)

699 clicks; posted to STEM on 27 Jan 2021 at 5:02 AM

11 Comments
 
ZAZ [TotalFark]
2021-01-27 3:36:28 AM  
When I worked for a company with a web UI we hired hackers to look for exploits like the ones described in the article. It was difficult for us to get the coding right because there was not a consistent internal representation of strings as safe or unsafe, encoded or unencoded.
 
2021-01-27 5:07:07 AM  
Obligatory - let's get it out of the way

[user image]
 
2021-01-27 5:31:46 AM  

ZAZ: When I worked for a company with a web UI we hired hackers to look for exploits like the ones described in the article. It was difficult for us to get the coding right because there was not a consistent internal representation of strings as safe or unsafe, encoded or unencoded.


What's the difficulty?  All strings should be treated exactly the same way: With great suspicion.  Doubly so for anything that could possibly have user input in it.  Never trust the client.
 
2021-01-27 5:45:45 AM  

LrdPhoenix: ZAZ: When I worked for a company with a web UI we hired hackers to look for exploits like the ones described in the article. It was difficult for us to get the coding right because there was not a consistent internal representation of strings as safe or unsafe, encoded or unencoded.

What's the difficulty?  All strings should be treated exactly the same way: With great suspicion.  Doubly so for anything that could possibly have user input in it.  Never trust the client.


With great suspicion?  What the hell is the matter with you?  That's nuts, you shouldn't be allowed to work with this stuff!  :(

/the proper answer of course is, "All strings should be treated exactly the same way: with a flamethrower."
//and a hydrochloric acid bath for the remains
//burial in a deconsecrated graveyard guarded by the re-animated and enslaved eternally vigilant skeletons of DMV clerks is recommended
 
2021-01-27 7:26:34 AM  
> and our developer team already sanitized for unwanted HTML elements,

No they didn't. You think they did, but they didn't. You can't sanitize HTML as effectively as you want, you have to create a parser for your allowed subset of HTML that rejects input that doesn't parse under those conditions. Which is wildly different than "sanitizing" inputs, which usually means you ran a regex to replace all the symbols you don't like.
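A concrete version of the parse-then-reject approach this comment describes, added here as an example (it is not Pillowfort's code or the commenter's); the allowed tag set, the attribute allow-list and the http/https-only rule for href are assumptions:

```typescript
// Added example: accept a small HTML subset by parsing it and rebuilding the output from
// what was understood. Anything that does not parse under the subset's rules (unknown
// element, unknown attribute, bad nesting, unquoted attribute, stray '<') is rejected
// outright rather than "cleaned", and text between tags is re-escaped.
const ALLOWED: { [tag: string]: string[] } = {   // element -> permitted attributes (assumed set)
  b: [], i: [], em: [], strong: [], p: [], br: [], a: ["href"],
};
const VOID_TAGS = ["br"];

function escapeText(s: string): string {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Returns re-serialized markup, or null when the input is not in the accepted subset.
function parseSubset(input: string): string | null {
  // Only well-formed tags with double-quoted attributes are recognised at all.
  const tagRe = /^<(\/?)([a-zA-Z]+)((?:\s+[a-zA-Z-]+="[^"<>]*")*)\s*(\/?)>/;
  const stack: string[] = [];
  let out = "";
  let i = 0;
  while (i < input.length) {
    const lt = input.indexOf("<", i);
    if (lt === -1) { out += escapeText(input.slice(i)); break; }
    out += escapeText(input.slice(i, lt));
    const m = tagRe.exec(input.slice(lt));
    if (m === null) return null;                         // a '<' that is not a well-formed tag
    const closing = m[1] ?? "", name = (m[2] ?? "").toLowerCase();
    const attrStr = m[3] ?? "", selfClose = m[4] ?? "";
    const allowedAttrs: string[] | undefined = ALLOWED[name];
    if (allowedAttrs === undefined) return null;         // unknown element: <script>, <img>, <BLINK>, ...
    if (closing !== "") {
      if (attrStr !== "" || selfClose !== "" || stack.pop() !== name) return null;  // mis-nested close
      out += `</${name}>`;
    } else {
      if (selfClose !== "" && VOID_TAGS.indexOf(name) === -1) return null;
      let attrs = "";
      const attrRe = /\s+([a-zA-Z-]+)="([^"<>]*)"/g;
      let a: RegExpExecArray | null;
      while ((a = attrRe.exec(attrStr)) !== null) {
        const key = (a[1] ?? "").toLowerCase(), val = a[2] ?? "";
        if (allowedAttrs.indexOf(key) === -1) return null;                  // e.g. onclick=, style=
        if (key === "href" && !/^https?:\/\//i.test(val)) return null;      // only http(s) links
        attrs += ` ${key}="${escapeText(val)}"`;
      }
      out += `<${name}${attrs}>`;
      if (VOID_TAGS.indexOf(name) === -1) stack.push(name);
    }
    i = lt + (m[0] ?? "").length;
  }
  return stack.length === 0 ? out : null;                // an element left open is a rejection too
}
```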
 
2021-01-27 9:24:50 AM  
Pillowfort, a new Tumblr-like social media site...

Could they signal "we're a 'safe space' for all you special snowflakes" any harder?
 
2021-01-27 9:32:04 AM  

Mouser: Pillowfort, a new Tumblr-like social media site...

Could they signal "we're a 'safe space' for all you special snowflakes" any harder?


Yeah, get the MyPillow guy to sponsor it.
 
ZAZ [TotalFark]
2021-01-27 9:34:59 AM  
LrdPhoenix

The problem is you don't want the UI to display raw HTML codes, which is what happens if you are too aggressive. My inclination would be to declare a variant type like,
type String = Raw of string | Encoded of string | Sanitized of string

which could work with a monolithic process but we were using a mix of server side Java and C++ and client side JavaScript. And it still could have been done but there would be more places to get it wrong.
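The tagged-string idea from this comment, worked through in TypeScript as an added example (not the commenter's code); the wire format and the injected `accept` parser are assumptions:

```typescript
// Added example of the Raw | Encoded | Sanitized variant: a discriminated union makes
// "which state is this string in?" part of the type, so the compiler, not a code review,
// catches rendering a raw string or encoding one twice.
type Raw = { kind: "raw"; value: string };             // straight from the client, untrusted
type Encoded = { kind: "encoded"; value: string };     // HTML-escaped, safe to emit as text
type Sanitized = { kind: "sanitized"; value: string }; // accepted by an allow-list parser, safe as markup
type Str = Raw | Encoded | Sanitized;

function raw(value: string): Raw { return { kind: "raw", value }; }

// The only way to get an Encoded is from a Raw, so encode(encode(x)) is a type error: no double-escaping.
function encode(s: Raw): Encoded {
  const value = s.value.replace(/&/g, "&amp;").replace(/</g, "&lt;")
    .replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
  return { kind: "encoded", value };
}

// `accept` is an allow-list parser (assumed here) returning re-serialized markup, or null on rejection.
function sanitize(s: Raw, accept: (html: string) => string | null): Sanitized | null {
  const value = accept(s.value);
  return value === null ? null : { kind: "sanitized", value };
}

// Rendering takes everything except Raw; passing a Raw does not compile.
function render(s: Encoded | Sanitized): string {
  switch (s.kind) {
    case "encoded": return s.value;
    case "sanitized": return s.value;
    default: { const exhaustive: never = s; return exhaustive; }
  }
}

// The tag travels with the string between services in different languages (the Java/C++/JS mix
// the commenter mentions): the receiver checks the tag instead of guessing the string's state.
const KINDS = ["raw", "encoded", "sanitized"] as const;
function isKind(k: unknown): k is Str["kind"] {
  return typeof k === "string" && (KINDS as readonly string[]).indexOf(k) !== -1;
}
function fromWire(json: string): Str {
  const o = JSON.parse(json) as { kind?: unknown; value?: unknown };
  if (typeof o.value !== "string") throw new Error("missing string value");
  if (!isKind(o.kind)) throw new Error("unknown string state: " + String(o.kind));
  return { kind: o.kind, value: o.value };
}
```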
 
2021-01-27 9:43:27 AM  
Start all posts with <BLINK>, and don't put a </BLINK> at the end....
 
2021-01-27 2:10:47 PM  

Mouser: Pillowfort, a new Tumblr-like social media site...

Could they signal "we're a 'safe space' for all you special snowflakes" any harder?


I thought Tumblr already was that, especially since the weird attempt to purge adult content.

To imagine an even more concentrated [safe space|echo chamber] is not easy to do. Is it a subset? Like you don't have to deal with any pesky other races or genders or something? I guess something catering to a very specific demographic might be able to make the Tumblr experience even fluffier.
 
2021-01-27 6:50:07 PM  

LrdPhoenix: ZAZ: When I worked for a company with a web UI we hired hackers to look for exploits like the ones described in the article. It was difficult for us to get the coding right because there was not a consistent internal representation of strings as safe or unsafe, encoded or unencoded.

What's the difficulty?  All strings should be treated exactly the same way: With great suspicion.  Doubly so for anything that could possibly have user input in it.  Never trust the client.


"Never Ever Trust Any User-Provided Input Without Validating It" was a lesson I learned in CS100.
In the 1970s.
The main differences between then and now are that you don't need a keypunch to enter malformed input, and there are lots more tools for both cleaning up input and generating malicious input, and lots more people who can do lots more interesting things if they compromise your systems, but otherwise?  Plus ça change.

(We were more looking at scenarios like "A Software Quality Engineer walks into a bar, orders a beer. Orders 0 beers. Orders 32768 beers. Orders -1 beers.  Orders -2i beers. Orders a lizard. Orders an order of beers. Orders an order of fries.  Orders a bartender.  Walks out. Doesn't close the door. Or the parentheses. Takes my $20 bill and vanishes in the air.")
 