uhhh cohost.org allows arbitrary html/css in posts?!?!?!?
@f0x oh this website keeps getting better this is gonna be real good for accessibility
@pastelpunkbandit it's also a *massive* security vulnerability. Your post can easily overlap the entire page, overlapping/replacing UI elements etc. Like smh at least iframe your user content
@f0x oh,,, i was assuming it was gonna work with an iframe + clear indicator around that
guess not?!?!? that sounds rlly bad omg
do they at least stop you from putting js in there?
@pastelpunkbandit it's hard to tell what is/isn't possible without having an account, but it's not looking good..
@f0x I didn't use cohost and I don't know if I like them and I *also* think it's a bad idea but email basically works the same way: you sanitize scripts/style blocks/other stuff away and pray that CSP covers the rest
@charlag sure, gmail for example will strip a position: fixed so you can't overflow outside the email content section. I can't really tell if cohost strips anything since I don't have an account, but they seem to give users a lot of options so uhh, yeahh
imo there's also a big difference between clicking an email which then influences the screen, versus scrolling through a timeline where anything could show up (and mess with your cursor, for example)
cohost, Post contains Code
@f0x apparently one needs an invite code to post so could you test this for me:
<img src="invalid.tld" onerror="alert(document.cookie)"/>
If it works, they really messed up, which wouldn't surprise me considering none of the inputs on the sign-up page have correct labels
@dysphoricunicorn i don't have an invite either hah, but it wouldn't surprise me much either
@f0x oh, that's a shame :/
cohost, sickness in metaphor
@f0x you could also do fun things like search for all boost buttons on a page and auto click them, making the post propagate virally
@dysphoricunicorn yes, like the tweetdeck xss self-boosting tweet :D
can someone post <div style="position: fixed; top: 0; left: 0; height: 100vh; width: 100vw; background: black; color: white;">bogos binted</div>
lol