uhhh cohost.org allows arbitrary html/css in posts?!?!?!?

can someone post <div style="position: fixed; top: 0; left: 0; height: 100vh; width: 100vw; background: black; color: white;">bogos binted</div>

lol


1. create form element with a malicious POST request
2. create label for submit button
3. size label to cover the entire screen or some important ui element (the report button, for example)
4. ???
5. profit

yeah user supplied html/css whatever is funky and fresh and also a massive issue in so many ways

@f0x I didn't use cohost and I don't know if I like them and I *also* think it's a bad idea but email basically works the same way: you sanitize scripts/style blocks/other stuff away and pray that CSP covers the rest


@charlag sure, gmail for example will strip a position: fixed so you can't overflow outside the email content section. I can't really tell if cohost strips anything since I don't have an account, but they seem to give users a lot of options so uhh, yeahh

imo there's also a big difference between clicking an email which then influences the screen, versus scrolling through a timeline where anything could show up (and mess with your cursor, for example)
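An added example, not code from this thread or from cohost: a small allowlist sanitizer in Python showing the kind of stripping described above (dropping `form`/`label`/`script` subtrees entirely and removing `position: fixed` and similar from inline styles), so neither the full-screen div nor the form-and-label overlay from earlier in the thread can escape the post box. The tag, attribute and property lists are my own assumptions; a production site would use a maintained sanitizer rather than this.

```python
# Added example: allowlist sanitizer for user-supplied post HTML.
# Assumed policy (not cohost's): a few inline/block tags, three attributes,
# and no CSS that lets content leave its container or sit on top of other UI.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "div", "span", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"style", "href", "title"}
# Elements whose whole subtree is dropped: they can submit requests or cover UI.
DROP_WITH_CONTENT = {"script", "style", "form", "label", "iframe", "object", "embed"}
# CSS properties that let a post escape its box or become an invisible overlay.
BANNED_CSS = {"position", "z-index", "pointer-events", "clip-path", "opacity"}

def clean_style(style: str) -> str:
    """Rebuild a style attribute, keeping only non-banned declarations."""
    kept = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        prop = prop.strip().lower()
        if prop and prop not in BANNED_CSS and "expression(" not in value.lower():
            kept.append(f"{prop}: {value.strip()}")
    return "; ".join(kept)

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # stack of open tags whose subtree is being discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(tag)  # an unclosed <form> drops the rest: fail-safe
            return
        if self.dropped or tag not in ALLOWED_TAGS:
            return  # unknown tag: strip the tag itself but keep its text
        parts = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS or value is None:
                continue  # this also removes every on* event handler
            if name == "style":
                value = clean_style(value)
            if name == "href" and not value.lower().startswith(("http://", "https://", "mailto:")):
                continue  # no javascript: / data: links
            if value:
                parts.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_endtag(self, tag):
        if self.dropped:
            if tag == self.dropped[-1]:
                self.dropped.pop()
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropped:
            self.out.append(escape(data, quote=False))  # re-escape decoded text

def sanitize(html: str) -> str:
    p = Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```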

Pixietown

Small server part of the pixie.town infrastructure. Registration is closed.