Philipp Holzer
We recently got an explanation about this issue per email, the root cause isn't a nice one...
Tek say vote
Oh, wow! I didn’t think any software would be *that* seriously broken. I’ll see about changing my profile tomorrow, but that means libranet has a major, major security flaw. I could tell it to load whatever JS code I wanted into your browser by setting my name appropriately.
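As an added example (not Friendica's code, and not written by anyone in this thread), here is the class of bug described above: a user-controlled display name interpolated into a notification row as HTML, beside the hardened rendering. The notification object shape, the function names and the URL are assumptions for the demonstration.

```javascript
// Added example, not Friendica's own code. renderNotificationUnsafe() is a
// hypothetical reconstruction of the bug class discussed in the thread;
// renderNotification() is the hardened form.

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Attribute escaping alone does not stop a javascript: URL inside href,
// so only http(s) links are allowed through; anything else becomes "#".
function safeHref(url) {
  return /^https?:\/\//i.test(url) ? escapeHtml(url) : '#';
}

// Constructed sample notification; the name is the payload used in the thread.
const SAMPLE = {
  url: 'https://example.invalid/profile/tek',   // placeholder URL, assumption
  name: '<script>alert("Tek");</script>',
  message: 'commented on your post',
};

// Vulnerable: the display name goes straight into markup, so a name
// containing a <script> tag becomes executable code in the viewer's browser.
function renderNotificationUnsafe(n) {
  return `<a href="${n.url}"><span class="name">${n.name}</span> ${n.message}</a>`;
}

// Hardened: every untrusted field is escaped for the context it lands in.
function renderNotification(n) {
  return `<a href="${safeHref(n.url)}">` +
         `<span class="name">${escapeHtml(n.name)}</span> ` +
         `${escapeHtml(n.message)}</a>`;
}

// Check used to compare the two renderings: is a script tag still present?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}
```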
in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

hm, @Steffen K9 🐰 which Friendica version do you use? I see @<script>alert("Tek");</script> posts with his "nickname" but no popup at all (the web console doesn't show any errors either). I'm using the latest develop version of Friendica.
@Steffen K9 🐰 I'm seeing the popup. I'll clear some cookies and cache and stuff, see if that helps.
Tek say vote
@nupplaphil Side note: I reported the issue to Friendica.
Hypolite Petovan
@Steffen K9 🐰 @clacke: seeking 🇸🇪🇭🇰💙💛 I wasn’t able to reproduce the issue in the notification dropdown, I just fixed it in the notifications page. Can you please send me the HTML snippet of the dropdown so that I can submit a blind fix?
Hypolite Petovan
@Steffen K9 🐰 @clacke: seeking 🇸🇪🇭🇰💙💛 Still need the HTML snippet for either display before your node updates the display name that was just changed.
in reply to Tek say vote

@<script>alert("Tek");</script> The changes are already merged upstream, we haven't released them yet, but they are available on the develop branch, which @Steffen K9 🐰 has pulled on libranet.de.
in reply to Hypolite Petovan

@hypolite Do me a favor? I would like to announce this, but not until people have had a chance to upgrade. Would you let me know if/when a notice has gone out?
in reply to Tek say vote

@<script>alert("Tek");</script> @Steffen K9 🐰 I would like to do an anticipated release, alongside another fix that has yet to be merged, and we will do the regular announcement then, giving you the credit for the find.
in reply to Hypolite Petovan

@hypolite BTW, yesterday I’d changed my name to be a rickroll instead of an alert. Today I changed it back for testing. Everything still OK?