/lynxchan/ - LynxChan

The best engine you will ever shitpost with.

Keep threads on-topic.
Installation video tutorial
Vichan migration script


Max Message Length: 4096
Don't show location
Make sure I have a block bypass
Spoiler Max File Size: 1.00 MB
File Limit Per Post: 3
Remember to follow the rules .

Cat 01/04/2018 (Thu) 16:28:54 Id: d3100a [Preview] No. 505
Open file ( 83.88 KB 1273x518 XSS.png )

Cat 01/04/2018 (Thu) 19:34:45 Id: d5593f [Preview] No. 507
Will sanitize that on 2.0, but won't change on 1.9 unless I find a bug to justify 1.9.5.

While that is indeed a XSS, it can only afffect people inputting the url themselves.

Cat 01/05/2018 (Fri) 12:55:30 Id: d5593f [Preview] No. 508
You know, I think ill sanitize on 1.8 and 1.9 too.
If I handled CRSF, I should handle this too.

Cat 01/05/2018 (Fri) 21:00:45 Id: e7777e [Preview] No. 509
Обычная параша же.

Cat 01/05/2018 (Fri) 21:01:02 Id: e7777e [Preview] No. 510

Cat 01/05/2018 (Fri) 21:01:18 Id: e7777e [Preview] No. 511

Broken HTML generation OP 01/18/2018 (Thu) 17:44:42 Id: 61d67f [Preview] No. 517
Markdown links containing quoted text or quotes to posts generate invalid HTML. For example:

http://google.com/ class="quoteLink" href="/lynxchan/res/505.html#507">>>507
http://google.com/ class="quoteLink" href="/lynxchan/res/505.html#507">>>>/lynxchan/507

This could have security implications (the resulting HTML looks quite bad), but I cannot find a way to exploit it at first glance. Suggested fix:

diff --git a/src/be/engine/postingOps/common.js b/src/be/engine/postingOps/common.js
--- a/src/be/engine/postingOps/common.js
+++ b/src/be/engine/postingOps/common.js
@@ -471,9 +471,9 @@ exports.replaceMarkdown = function(message, posts, board, replaceCode, cb) {


- message = message.replace(/(http|https)\:\/\/\S+/g, function links(match) {
+ message = message.replace(/https?\:\/\/[^\s<>"]+/g, function links(match) {

- match = match.replace(/>/g, '&gt').replace(/[_='~*]/g,
+ match = match.replace(/[_='~*]/g,
function sanitization(innerMatch) {
return exports.linkSanitizationRelation[innerMatch];

Cat 01/19/2018 (Fri) 00:07:21 Id: 5a92bd [Preview] No. 518
ty, ill look into it

Cat 01/19/2018 (Fri) 12:00:05 Id: e7347a [Preview] No. 519
Fixed, all I had to do was to process links before quotes.

Fixed only on 2.0, I will fix on 1.8 and 1.9 if I find some way to exploit that.

But given how stuff is sanitized anyway, I don't think that would be possible.

Cat 01/22/2018 (Mon) 20:08:52 Id: 248a80 [Preview] No. 520

Testing Tester 01/28/2018 (Sun) 17:16:16 Id: 500963 [Preview] No. 523
Open file ( 554.91 KB 400x393 1093125a34d1c4e753c8c6776442aed3.gif )
Open file ( 10.78 KB 228x221 index.jpg )

Delete only files
Delete media (Actually removes the saved files from the server, standard file deletion only removes the reference to the selected posts)

Captcha(Used for reporting and bans by board staff): No cookies?