So the display name is properly filtered in messages, it's just following or having the name in one's notifications that causes the unfiltered name to be output.
Oh, wow! I didn’t think any software would be *that* seriously broken. I’ll see about changing my profile tomorrow, but that means libranet has a major, major security flaw. I could tell it to load whatever JS code I wanted into your browser by setting my name appropriately.
@<script>alert("Tek");</script> The issue has been brought to attention. It would improve the Fedi experience of me and many others if we didn't have to see this on every page load. Thank you.
hm, @Steffen K9 🐰 which Friendica version do you use? I see @<script>alert("Tek");</script> posts with his "nickname" but no popup at all (the web-console doesn't show any errors too). I'm using the latest develop version of Friendica.
This is Friendica, version 2023.04-1 that is running at the web location libranet.de. The database version is 1518/1518, the post update version is 1507/1507.
@Steffen K9 🐰 @clacke: seeking 🇸🇪🇭🇰💙💛 I wasn’t able to reproduce the issue in the notification dropdown, I just fixed it in the notifications page. Can you please send me the HTML snippet of the dropdown so that I can submit a blind fix?
Wow, thank you everyone for this quick response, it's been impressive, and thank you @<script>alert("Tek");</script> for doing unusual things with your display name to uncover this. =)
@lnxw48a1@nu.federati.net @jakob @nupplaphil @hypolite @heluecht Well done, gang! Anyone have friends on the Friendica project who can merge the changes upstream?
@<script>alert("Tek");</script> The changes are already merged upstream, we haven't released them yet, but they are available on the develop, which @Steffen K9 🐰 has pulled on libranet.de.
@hypolite Do me a favor? I would like to announce this, but not until people have had a chance to upgrade. Would you let me know if/when a notice has gone out?
@<script>alert("Tek");</script> @Steffen K9 🐰 I would like to do an anticipated release, alongside another fix that has yet to be merged, and we will do the regular announcement then, giving you the credit for the find.
Philipp Holzer
Unknown parent • •Philipp Holzer
in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 • — (Vienna) •clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
in reply to Philipp Holzer • • •clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 • • •Nope, I'm wrong. Going to libranet.de/display/f1417ed3-2… or friendica.philipp.info/display… in incognito mode doesn't cause the alert.
So the display name is properly filtered in messages, it's just following or having the name in one's notifications that causes the unfiltered name to be output.
Philipp Holzer
2023-05-14 09:34:26
clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
Unknown parent • • •clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
Unknown parent • • •Philipp Holzer likes this.
Tek say vote
Unknown parent • • •clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 • • •Philipp Holzer
in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 • •clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
in reply to Philipp Holzer • • •@Philipp Holzer libranet.de/friendica
@Steffen K9 🐰
Philipp Holzer
in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 • •Hypolite Petovan
in reply to Philipp Holzer • • •Philipp Holzer
in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 • •clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 likes this.
Tek say vote
in reply to Philipp Holzer • • •like this
Hypolite Petovan and clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 like this.
Tek say vote
in reply to Philipp Holzer • • •Hypolite Petovan likes this.
clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
Unknown parent • • •clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
Unknown parent • • •clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 • • •Tek say vote
Unknown parent • • •like this
Hypolite Petovan, clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 and Philipp Holzer like this.
Hypolite Petovan
Unknown parent • • •Hypolite Petovan
Unknown parent • • •Hypolite Petovan
Unknown parent • • •/pingcall?Hypolite Petovan
Unknown parent • • •Philipp Holzer
in reply to Hypolite Petovan • •Philipp Holzer
in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 • •like this
clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 likes this.
Hypolite Petovan
in reply to Philipp Holzer • • •Hypolite Petovan
Unknown parent • • •clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 likes this.
clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
Unknown parent • • •Wow, thank you everyone for this quick response, it's been impressive, and thank you @<script>alert("Tek");</script> for doing unusual things with your display name to uncover this. =)
@Steffen K9 🐰 @LinuxWalt (@lnxw48a1) {3EB165E0-5BB1-45D2-9E7D-93B31821F864} @𝗝𝗮𝗸𝗼𝗯 :𝗳𝗿𝗶𝗲𝗻𝗱𝗶𝗰𝗮: 🇦🇹 ✅ @Philipp Holzer @Hypolite Petovan @Michael Vogel
like this
Hypolite Petovan and LinuxWalt (@lnxw48a1) {3EB165E0-5BB1-45D2-9E7D-93B31821F864} like this.
Tek say vote
in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 • • •Hypolite Petovan
in reply to Tek say vote • • •develop, which @Steffen K9 🐰 has pulled onlibranet.de.Tek say vote
in reply to Hypolite Petovan • • •Tek say vote
in reply to Hypolite Petovan • • •like this
Hypolite Petovan and clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 like this.
Hypolite Petovan
in reply to Tek say vote • • •clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 likes this.
Tek say vote
in reply to Hypolite Petovan • • •like this
Hypolite Petovan and clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 like this.
Tek say vote
in reply to Hypolite Petovan • • •Hypolite Petovan likes this.
clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
in reply to Tek say vote • • •@<script>alert("Tek");</script> I wasn't rickrolled (except voluntarily) and I'm not seeing alerts.
@Hypolite Petovan @Steffen K9 🐰
Philipp Holzer likes this.
Tek say vote
in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 • • •