
uhhh cohost.org allows arbitrary html/css in posts?!?!?!?

can someone post <div style="position: fixed; top: 0; left: 0; height: 100vh; width: 100vw; background: black; color: white;">bogos binted</div>

lol

cohost 

1. create form element with a malicious POST request
2. create label for submit button
3. size label to cover the entire screen or some important ui element (the report button, for example)
4. ???
5. profit

yeah user supplied html/css whatever is funky and fresh and also a massive issue in so many ways

@f0x oh this website keeps getting better this is gonna be real good for accessibility

@pastelpunkbandit it's also a *massive* security vulnerability. Your post can easily overlap the entire page, overlapping/replacing UI elements etc. Like smh at least iframe your user content

@f0x oh,,, i was assuming it was gonna work with an iframe + clear indicator around that
guess not?!?!? that sounds rlly bad omg
do they at least stop you from putting js in there?

@pastelpunkbandit it's hard to tell what is/isn't possible without having an account, but it's not looking good..

@f0x I didn't use cohost and I don't know if I like them and I *also* think it's a bad idea but email basically works the same way: you sanitize scripts/style blocks/other stuff away and pray that CSP covers the rest

@charlag sure, gmail for example will strip a position: fixed so you can't overflow outside the email content section. I can't really tell if cohost strips anything since I don't have an account, but they seem to give users a lot of options so uhh, yeahh

imo there's also a big difference between clicking an email which then influences the screen, versus scrolling through a timeline where anything could show up (and mess with your cursor, for example)

cohost, Post contains Code 

@f0x apparently one needs an invite code to post so could you test this for me:

<img src="invalid.tld" onerror="alert(document.cookie)"/>

If it works, they really messed up, which wouldn't surprise me considering none of the inputs on the sign-up page have correct labels
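An added example (not cohost's code and not from anyone in this thread) of the allowlist sanitizer charlag and f0x describe above, using only Python's standard library: it drops script/style/form/iframe elements with their contents, every on* handler, javascript:-style URLs, and the CSS properties that let a post leave its own box, so both the fixed-position overlay from the top of the thread and the onerror image just above come out inert. The tag, attribute and property lists are assumptions chosen for the demo, not cohost's actual policy.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists constructed for this example; they are not cohost's actual policy.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img", "div", "span"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "style"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "form", "template"}
# CSS that lets a post leave its own box or sit on top of the site's UI.
BLOCKED_CSS = {"position", "z-index", "top", "left", "right", "bottom", "transform"}

def clean_style(value):
    kept = []
    for decl in value.split(";"):
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if prop and prop not in BLOCKED_CSS and "url(" not in val.lower():
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)
class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            parts = []
            for name, value in attrs:
                value = clean_style(value or "") if name == "style" else (value or "")
                if name not in ALLOWED_ATTRS or not value:  # drops onerror=, onclick=, every on*
                    continue
                if name in ("href", "src") and urlparse(value.strip()).scheme not in {"", "http", "https", "mailto"}:
                    continue  # javascript:, data:, vbscript: URLs are dropped; "" is a relative URL
                parts.append(f' {name}="{html.escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(parts)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))

def sanitize(fragment):
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)
```

Stripping `position` is the same rule f0x attributes to gmail: the post keeps its colours and size but can no longer sit over the report or boost buttons.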

cohost, Post contains Code 

@dysphoricunicorn i don't have an invite either hah, but it wouldn't surprise me much either

cohost, sickness in metaphor 

@f0x you could also do fun things like search for all boost buttons on a page and auto click them, making the post propagate virally

cohost, sickness in metaphor 

@dysphoricunicorn yes, like the tweetdeck xss self-boosting tweet :D
