/lynxchan/ - LynxChan

The best engine you will ever shitpost with.





Cat 01/04/2018 (Thu) 16:28:54 Id: d3100a No. 505
Open file ( 83.88 KB 1273x518 XSS.png )

Cat 01/04/2018 (Thu) 19:34:45 Id: d5593f No. 507
Will sanitize that on 2.0, but won't change on 1.9 unless I find a bug to justify 1.9.5.

While that is indeed an XSS, it can only affect people inputting the url themselves.

Cat 01/05/2018 (Fri) 12:55:30 Id: d5593f No. 508
You know, I think I'll sanitize on 1.8 and 1.9 too.
If I handled CSRF, I should handle this too.

Cat 01/05/2018 (Fri) 21:00:45 Id: e7777e No. 509
It's just the usual crap, after all.

Cat 01/05/2018 (Fri) 21:01:02 Id: e7777e No. 510
Fucking hell

Cat 01/05/2018 (Fri) 21:01:18 Id: e7777e No. 511
lolololol

Broken HTML generation OP 01/18/2018 (Thu) 17:44:42 Id: 61d67f No. 517
Markdown links containing quoted text or quotes to posts generate invalid HTML. For example:

http://google.com/>507
http://google.com/ class="quoteLink" href="/lynxchan/res/505.html#507">>>507
http://google.com/ class="quoteLink" href="/lynxchan/res/505.html#507">>>>/lynxchan/507

This could have security implications (the resulting HTML looks quite bad), but I cannot find a way to exploit it at first glance. Suggested fix:

diff --git a/src/be/engine/postingOps/common.js b/src/be/engine/postingOps/common.js
--- a/src/be/engine/postingOps/common.js
+++ b/src/be/engine/postingOps/common.js
@@ -471,9 +471,9 @@ exports.replaceMarkdown = function(message, posts, board, replaceCode, cb) {

});

- message = message.replace(/(http|https)\:\/\/\S+/g, function links(match) {
+ message = message.replace(/https?\:\/\/[^\s<>"]+/g, function links(match) {

- match = match.replace(/>/g, '&gt').replace(/[_='~*]/g,
+ match = match.replace(/[_='~*]/g,
function sanitization(innerMatch) {
return exports.linkSanitizationRelation[innerMatch];
});
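Review bot: in the new pattern `[^\s<>"]+`, the exclusion of `>` is the only thing that makes it safe to drop `.replace(/>/g, '&gt')` from the callback, and nothing in the hunk records that coupling. A later change to the character class would put raw `>` back into generated links with no escaping left behind it. Suggest a one-line comment above the regex stating that the class must keep excluding `<`, `>` and `"`, and a regression case with a URL immediately followed by `>>507`. Minor style point on the same line: the backslash in `\:` is unnecessary.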

Cat 01/19/2018 (Fri) 00:07:21 Id: 5a92bd No. 518
>>517
ty, I'll look into it

Cat 01/19/2018 (Fri) 12:00:05 Id: e7347a No. 519
Fixed, all I had to do was to process links before quotes.

Fixed only on 2.0, I will fix on 1.8 and 1.9 if I find some way to exploit that.

But given how stuff is sanitized anyway, I don't think that would be possible.
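
The failure reported in No. 517 and the two fixes discussed in this thread (the restricted link pattern, and processing links before quotes), as an added example that is not part of the thread and is not LynxChan's code. The two-pass renderer, its function names and the sample input are simplified assumptions.

```javascript
// Simplified two-pass renderer modelling the bug discussed in this thread.
// Not LynxChan's code: linkPass, quotePass, render and wellFormed are hypothetical.
const BOARD = 'lynxchan', THREAD = 505;   // constructed sample context
const LOOSE = /https?:\/\/\S+/g;          // link pattern before the suggested fix
const STRICT = /https?:\/\/[^\s<>"]+/g;   // link pattern from the suggested fix

// Wrap every URL in an anchor, entity-encoding '>' inside the match.
function linkPass(text, pattern) {
  return text.replace(pattern, (url) => {
    const safe = url.replace(/>/g, '&gt;');
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Turn >>N into a quote link pointing at post N of the sample thread.
function quotePass(text) {
  return text.replace(/>>(\d+)/g, (m, id) =>
    `<a class="quoteLink" href="/${BOARD}/res/${THREAD}.html#${id}">&gt;&gt;${id}</a>`);
}

// Run the two passes in the requested order.
function render(message, order, pattern) {
  return order === 'quotes-first'
    ? linkPass(quotePass(message), pattern)
    : quotePass(linkPass(message, pattern));
}

// Minimal structural check: no tag opened inside another tag, anchors never nest.
function wellFormed(html) {
  let depth = 0;
  for (const tag of html.match(/<[^>]*>/g) || []) {
    if (tag.indexOf('<', 1) !== -1) return false;
    depth += tag.startsWith('</') ? -1 : 1;
    if (depth < 0 || depth > 1) return false;
  }
  return depth === 0;
}

const sample = 'http://google.com/>>507'; // constructed input modelled on the report
for (const order of ['quotes-first', 'links-first']) {
  for (const [name, pattern] of [['loose', LOOSE], ['strict', STRICT]]) {
    const html = render(sample, order, pattern);
    console.log(order, name, wellFormed(html) ? 'ok ' : 'BAD', html);
  }
}
```

Only the quotes-first order with the loose pattern produces broken markup. Reordering alone yields valid HTML but absorbs the quote into the URL, while the strict pattern keeps the quote link in either order.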

Cat 01/22/2018 (Mon) 20:08:52 Id: 248a80 No. 520
test.

Testing Tester 01/28/2018 (Sun) 17:16:16 Id: 500963 No. 523
Open file ( 554.91 KB 400x393 1093125a34d1c4e753c8c6776442aed3.gif )
Open file ( 10.78 KB 228x221 index.jpg )
Test

