cohost
1. create form element with a malicious POST request
2. create label for submit button
3. size label to cover the entire screen or some important ui element (the report button, for example)
4. ???
5. profit
@f0x I didn't use cohost and I don't know if I like them and I *also* think it's a bad idea but email basically works the same way: you sanitize scripts/style blocks/other stuff away and pray that CSP covers the rest
@charlag sure, gmail for example will strip a position: fixed so you can't overflow outside the email content section. I can't really tell if cohost strips anything since I don't have an account, but they seem to give users a lot of options so uhh, yeahh
imo there's also a big difference between clicking an email which then influences the screen, versus scrolling through a timeline where anything could show up (and mess with your cursor, for example)
cohost, Post contains Code
@f0x apparently one needs an invite code to post so could you test this for me:
<img src="invalid.tld" onerror="alert(document.cookie)"/>
If it works they really messed up, which wouldn't surprise me considering none of the inputs on the sign up page have correct labels
cohost, Post contains Code
@dysphoricunicorn i don't have an invite either hah, but it wouldn't surprise me much either
cohost, Post contains Code
@f0x oh, that's a shame :/
cohost, sickness in metaphor
@f0x you could also do fun things like search for all boost buttons on a page and auto click them, making the post propagate virally
cohost, sickness in metaphor
@dysphoricunicorn yes, like the tweetdeck xss self-boosting tweet :D
yeah user supplied html/css whatever is funky and fresh and also a massive issue in so many ways
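
The mitigation the replies describe (sanitize scripts and style blocks away, and strip `position: fixed` the way Gmail does), sketched as an added example that is not code from cohost, Gmail or anyone in this thread: an allowlist sanitizer built on Python's standard-library HTML parser. The tag, attribute and CSS allowlists are assumptions chosen for illustration; a production site would rely on a vetted sanitizer library together with CSP.

```python
import re
from html import escape
from html.parser import HTMLParser
# Assumed allowlists for this sketch: anything not named here is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "div", "span", "br"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "style"}
ALLOWED_CSS = {"color", "background-color", "font-weight", "text-align", "width"}
VOID_TAGS = {"img", "br"}
DROP_BODY = {"script", "style"}  # the element's text is discarded as well
SAFE_CSS_VALUE = re.compile(r"^[\w\s#%.,-]+$")  # no url(), parentheses or escapes

def clean_style(style):
    kept = []
    for decl in style.split(";"):
        prop, _, value = decl.partition(":")
        prop, value = prop.strip().lower(), value.strip()
        # position, inset, z-index and similar layout properties fall out here
        if prop in ALLOWED_CSS and SAFE_CSS_VALUE.match(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        self.skip += tag in DROP_BODY
        if self.skip or tag not in ALLOWED_TAGS:
            return  # form, label, input, button, iframe ... are not emitted
        parts = [tag]
        for name, value in attrs:
            value = clean_style(value or "") if name == "style" else (value or "")
            if name in ("href", "src") and not value.lower().startswith(("http://", "https://")):
                continue  # rejects javascript:, data: and relative URLs
            if name in ALLOWED_ATTRS and value:  # on* handlers are never allowlisted
                parts.append(f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + ">")
    def handle_endtag(self, tag):
        if tag in DROP_BODY:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped on output

def sanitize(html):
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

An unclosed `<script>` leaves the sanitizer in skip mode, so the rest of the post is dropped rather than emitted.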