/lynxchan/ - LynxChan

The best engine you will ever shitpost with.





Cat 01/04/2018 (Thu) 16:28:54 Id: d3100a [Preview] No. 505
Open file ( 83.88 KB 1273x518 XSS.png )

Cat 01/04/2018 (Thu) 19:34:45 Id: d5593f [Preview] No. 507
Will sanitize that on 2.0, but won't change on 1.9 unless I find a bug to justify 1.9.5.

While that is indeed an XSS, it can only affect people inputting the url themselves.

Cat 01/05/2018 (Fri) 12:55:30 Id: d5593f [Preview] No. 508
You know, I think I'll sanitize on 1.8 and 1.9 too.
If I handled CSRF, I should handle this too.

Cat 01/05/2018 (Fri) 21:00:45 Id: e7777e [Preview] No. 509
It's just ordinary crap.

Cat 01/05/2018 (Fri) 21:01:02 Id: e7777e [Preview] No. 510
fuck's sake

Cat 01/05/2018 (Fri) 21:01:18 Id: e7777e [Preview] No. 511
lolololol

Broken HTML generation OP 01/18/2018 (Thu) 17:44:42 Id: 61d67f [Preview] No. 517
Markdown links containing quoted text or quotes to posts generate invalid HTML. For example:

http://google.com/>507
http://google.com/ class="quoteLink" href="/lynxchan/res/505.html#507">>>507
http://google.com/ class="quoteLink" href="/lynxchan/res/505.html#507">>>>/lynxchan/507

This could have security implications (the resulting HTML looks quite bad), but I cannot find a way to exploit it at first glance. Suggested fix:

diff --git a/src/be/engine/postingOps/common.js b/src/be/engine/postingOps/common.js
--- a/src/be/engine/postingOps/common.js
+++ b/src/be/engine/postingOps/common.js
@@ -471,9 +471,9 @@ exports.replaceMarkdown = function(message, posts, board, replaceCode, cb) {

});

- message = message.replace(/(http|https)\:\/\/\S+/g, function links(match) {
+ message = message.replace(/https?\:\/\/[^\s<>"]+/g, function links(match) {

- match = match.replace(/>/g, '&gt').replace(/[_='~*]/g,
+ match = match.replace(/[_='~*]/g,
function sanitization(innerMatch) {
return exports.linkSanitizationRelation[innerMatch];
});
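
Review bot: In the new pattern `/https?\:\/\/[^\s<>"]+/g`, the match only stops at literal `<`, `>` and `"`, so the fix holds only if those characters are still unencoded when this replace runs inside replaceMarkdown; if an earlier step has already turned them into entities such as `&gt;` or `&quot;`, the URL match will run through them. Please confirm the order of the replacements and add the three inputs from this post as regression cases. Dropping the `.replace(/>/g, '&gt')` call is consistent with the new class, since `>` can no longer be part of a match, and the removed call emitted `&gt` without the trailing semicolon anyway. Single quotes are not excluded by the class and still depend on the `[_='~*]` mapping through exports.linkSanitizationRelation. The backslash before `:` is unnecessary and could be dropped.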


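The failure described in post No. 517 and the effect of the suggested pattern, as an added example that is not part of the thread or of LynxChan's code. The two regular expressions are taken from the diff; `toAnchor`, `hasTagInsideTag` and the sample strings are constructed here, on the assumption that the quote has already been turned into a quoteLink `<a>` tag when the link replace runs.

```javascript
// Added demo, not LynxChan code. Both patterns are copied from the diff;
// toAnchor(), hasTagInsideTag() and the sample strings are constructed.
const OLD_LINK = /(http|https)\:\/\/\S+/g;
const NEW_LINK = /https?\:\/\/[^\s<>"]+/g;

// Hypothetical stand-in for the step that wraps a matched URL in a link.
function toAnchor(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

function renderLinks(message, pattern) {
  return message.replace(pattern, function (match) {
    return toAnchor(match);
  });
}

function extractLinks(message, pattern) {
  return message.match(pattern) || [];
}

// True when a '<' appears before the previous tag was closed with '>',
// which is what happens when generated markup ends up inside an href.
function hasTagInsideTag(html) {
  let inTag = false;
  for (const ch of html) {
    if (ch === '<') {
      if (inTag) return true;
      inTag = true;
    } else if (ch === '>') {
      inTag = false;
    }
  }
  return false;
}

// Constructed intermediate text: "http://google.com/>>507" after the quote
// has already been converted to a quoteLink anchor (assumed ordering).
const QUOTED = 'http://google.com/<a class="quoteLink" ' +
  'href="/lynxchan/res/505.html#507">&gt;&gt;507</a>';
// Constructed case where the delimiter arrives entity-encoded instead.
const ENCODED = 'http://google.com/&gt;507';

console.log(renderLinks(QUOTED, OLD_LINK)); // URL swallows "<a"
console.log(renderLinks(QUOTED, NEW_LINK)); // URL stops before "<"
console.log(extractLinks(ENCODED, NEW_LINK)); // still matches through "&gt;"
```

The `ENCODED` case shows that the new character class only helps while the delimiters are literal characters at the time the pattern runs.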