clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

clacke@libranet.de

Flawesome. GNU/Linux is my daily driver OS since 1995. On Fedi since 2008. Working in Racket, Tcl, Python, whatever gets the page up. Solving yesterday's problems tomorrow. A dad. Freddie Mercury is my spiritual advisor.

web.archive.org/web/1/pronoun.…

Every post of mine is an open invitation to advice or information or critique or disagreement unless I say otherwise. Fire away. If I don't appreciate your contribution, I'll let you know.

My soundcloud is hackerpublicradio.org/correspo… and my patreon is sfconservancy.org/donate/ .

I don't represent Software Freedom Conservancy in any way, I just like what they do with the money I give them.

Unless stated otherwise, all posts CC-by-SA 4.0 International, including any media authored by me included in the posts. Any media from elsewhere whatever terms their author specifies.

This is my main account.

This is not my final form.

friendica

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

2 years ago

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
2 years ago

@Steffen K9 🐰 I get popups from libranet that say "Tek". A lot.

@Steffen K9 🐰

Unknown parent

Philipp Holzer

Unknown parent 2 years ago

We recently got an explanation about this issue per email, the root cause isn't a nice one...

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

Philipp Holzer

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 2 years ago — (Vienna)

@clacke: seeking 🇸🇪🇭🇰💙💛 when do you get these popups? Can you paste the URL please. Thanks :)

@Nextcloud User Forum

in reply to Philipp Holzer

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

in reply to Philipp Holzer 2 years ago

@Philipp Holzer Go to this very conversation, or follow @<script>alert("Tek");</script> .

@Philipp Holzer @Tekniquelly correct

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 2 years ago

Nope, I'm wrong. Going to libranet.de/display/f1417ed3-2… or friendica.philipp.info/display… in incognito mode doesn't cause the alert.

So the display name is properly filtered in messages, it's just following or having the name in one's notifications that causes the unfiltered name to be output.

Philipp Holzer

2023-05-14 09:34:26

@clacke: seeking 🇸🇪🇭🇰💙💛 when do you get these popups? Can you paste the URL please. Thanks :)
LIBRANET.de | clacke: seeking 🇸🇪🇭🇰💙💛 @ LIBRANET.de

This entry was edited (2 years ago)

Unknown parent

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

Unknown parent 2 years ago

@LinuxWalt (@lnxw48a1) {3EB165E0-5BB1-45D2-9E7D-93B31821F864} Oh! Thanks. That's an injection that really shouldn't be allowed past the filters. Maybe that's the point being made.

@LinuxWalt (@lnxw48a1) {3EB165E0-5BB1-45D2-9E7D-93B31821F864}

Unknown parent

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

Unknown parent 2 years ago

Pulling this comment into @Philipp Holzer 's server.

@Philipp Holzer

Philipp Holzer likes this.

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 2 years ago

@<script>alert("Tek");</script> The issue has been brought to attention. It would improve the Fedi experience of me and many others if we didn't have to see this on every page load. Thank you.

@Tekniquelly correct

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

Philipp Holzer

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 2 years ago

hm, @Steffen K9 🐰 which Friendica version do you use? I see @<script>alert("Tek");</script> posts with his "nickname" but no popup at all (the web-console doesn't show any errors too). I'm using the latest develop version of Friendica.

@Steffen K9 🐰 @Tekniquelly correct

in reply to Philipp Holzer

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

in reply to Philipp Holzer 2 years ago

@Philipp Holzer libranet.de/friendica

This is Friendica, version 2023.04-1 that is running at the web location libranet.de. The database version is 1518/1518, the post update version is 1507/1507.

@Steffen K9 🐰

@Philipp Holzer @Steffen K9 🐰

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

Philipp Holzer

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 2 years ago

@Hypolite Petovan / @Michael Vogel - Do you see any popups? If we really execute nickname scripts, this would be a serious security issue ..

@Hypolite Petovan @Michael 🇺🇦

in reply to Philipp Holzer

Hypolite Petovan

in reply to Philipp Holzer 2 years ago

@Philipp Holzer @Michael Vogel @Steffen K9 🐰 Apparently @clacke: seeking 🇸🇪🇭🇰💙💛 suggested it’s either in the notifications or the follow process. The notifications have a convoluted JS template system, I’d look into that.

@Philipp Holzer @Steffen K9 🐰 @Michael 🇺🇦 @clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

Philipp Holzer

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 2 years ago

@<script>alert("Tek");</script> can you mention me anywhere and directly post anything in my timeline too? thanks :)

@Tekniquelly correct

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 likes this.

Unknown parent

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

Unknown parent 2 years ago

@Steffen K9 🐰 Destroyed site data, logged in again, still seeing it.

@Steffen K9 🐰

Unknown parent

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

Unknown parent 2 years ago

@Steffen K9 🐰 I'm seeing the popup. I'll clear some cookies and cache and stuff, see if that helps.

@Steffen K9 🐰

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 2 years ago

@Steffen K9 🐰 It's coming from the notifications dropdown. The popup happens when that is populated.

@Steffen K9 🐰

Unknown parent

Hypolite Petovan

Unknown parent 2 years ago

@Steffen K9 🐰 @clacke: seeking 🇸🇪🇭🇰💙💛 I wasn’t able to reproduce the issue in the notification dropdown, I just fixed it in the notifications page. Can you please send me the HTML snippet of the dropdown so that I can submit a blind fix?

@Steffen K9 🐰 @clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

Unknown parent

Hypolite Petovan

Unknown parent 2 years ago

@Steffen K9 🐰 @clacke: seeking 🇸🇪🇭🇰💙💛 Still need the HTML snippet for either display before your node updates the display name that was just changed.

@Steffen K9 🐰 @clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

Unknown parent

Hypolite Petovan

Unknown parent 2 years ago

@Steffen K9 🐰 @clacke: seeking 🇸🇪🇭🇰💙💛 How about the output of the recurring /ping call?

@Steffen K9 🐰 @clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

Unknown parent

Hypolite Petovan

Unknown parent 2 years ago

@Steffen K9 🐰 @clacke: seeking 🇸🇪🇭🇰💙💛 Thank you, it should be enough!

@Steffen K9 🐰 @clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

in reply to Hypolite Petovan

Philipp Holzer

in reply to Hypolite Petovan 2 years ago

@Hypolite Petovan - found it too and added a test too - plz have a look at github.com/friendica/friendica…

@Hypolite Petovan

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

Philipp Holzer

in reply to clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 2 years ago

@Steffen K9 🐰 - merged, at least on my local node, the popups are gone

@Steffen K9 🐰

like this

in reply to Philipp Holzer

Hypolite Petovan

in reply to Philipp Holzer 2 years ago

@Philipp Holzer @Steffen K9 🐰 @clacke: seeking 🇸🇪🇭🇰💙💛 Nice, I wasn't sure the same fix I came up with would have worked because I couldn't reproduce it on my nodes.

@Philipp Holzer @Steffen K9 🐰 @clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

Unknown parent

Hypolite Petovan

Unknown parent 2 years ago

@Steffen K9 🐰 @clacke: seeking 🇸🇪🇭🇰💙💛 Please send flowers to @𝗝𝗮𝗸𝗼𝗯 :𝗳𝗿𝗶𝗲𝗻𝗱𝗶𝗰𝗮: 🇦🇹 ✅ , he deserves them.

@Steffen K9 🐰 @clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 @jakob 🇦🇹 ✅

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 likes this.

Unknown parent

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

Unknown parent 2 years ago

Wow, thank you everyone for this quick response, it's been impressive, and thank you @<script>alert("Tek");</script> for doing unusual things with your display name to uncover this. =)

@Steffen K9 🐰 @LinuxWalt (@lnxw48a1) {3EB165E0-5BB1-45D2-9E7D-93B31821F864} @𝗝𝗮𝗸𝗼𝗯 :𝗳𝗿𝗶𝗲𝗻𝗱𝗶𝗰𝗮: 🇦🇹 ✅ @Philipp Holzer @Hypolite Petovan @Michael Vogel

@Philipp Holzer @Hypolite Petovan @Steffen K9 🐰 @Michael 🇺🇦 @LinuxWalt (@lnxw48a1) {3EB165E0-5BB1-45D2-9E7D-93B31821F864} @Tekniquelly correct @jakob 🇦🇹 ✅

like this

Unknown parent

Hypolite Petovan

Unknown parent 2 years ago

@<script>alert("Tek");</script> The changes are already merged upstream, we haven't released them yet, but they are available on the develop, which @Steffen K9 🐰 has pulled on libranet.de.

@Steffen K9 🐰 @Tekniquelly correct

Unknown parent

Hypolite Petovan

Unknown parent 2 years ago

@<script>alert("Tek");</script> @Steffen K9 🐰 I would like to do an anticipated release, alongside another fix that has yet to be merged, and we will do the regular announcement then, giving you the credit for the find.

@Steffen K9 🐰 @Tekniquelly correct

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 likes this.

Unknown parent

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛

Unknown parent 2 years ago

@<script>alert("Tek");</script> I wasn't rickrolled (except voluntarily) and I'm not seeing alerts.

@Hypolite Petovan @Steffen K9 🐰

@Hypolite Petovan @Steffen K9 🐰 @Tekniquelly correct

Philipp Holzer likes this.

⇧

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 2 years ago • •

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛
2 years ago