Future page/action in the works?

tethrarxitet · March 13, 2024, 5:00pm

I'm just browsing through the community's collections and an idea popped in my head... if there's a username URL parameter on one page, how about I test it somewhere else?

So I tried it and this popped up.

Unfortunately, it's not very functional, and it still shows everyone's published collections.
A group of other people's collections.

It also works with the Explore tab, however that doesn't show that user's projects.

It looks like the website handles it well, since moving to a new page still keeps the username parameter.

Is this a new page function in the works?

bh · March 13, 2024, 7:51pm

Yeah, the underlying problem is that people can add you to their collections. We should make it so you have to confirm that.

bluebaritone21 · March 21, 2024, 11:45pm

Oooh, XSS!

joecooldoo · March 22, 2024, 12:08am

yep @bromagosa

bluebaritone21 · March 22, 2024, 12:13am

Woah, cool alert!

ten_6044 · March 22, 2024, 12:47am

That's not XSS. That happens because when they set the title of projects, they use the .innerHTML rather than .innerText, so that's why the scripting works.

bluebaritone21 · March 22, 2024, 1:12am

What is this?

A lot of the user names look like spam.

tethrarxitet · March 22, 2024, 1:48am

I know what I'm going to do... maybe.

joecooldoo · March 22, 2024, 2:44am

no. dont do it.

bromagosa · March 22, 2024, 9:10am

Just patched this one. It was a one-character slip on my side...

These are not serious vulnerabilities, but still the standard practice when someone finds a possible vulnerability on an online service, more so if it's a free software one, is to notify the developers privately before teaching all other users how to exploit it.

Thank you for reporting, but please use a bit of Internet etiquette for next time

tethrarxitet · March 22, 2024, 11:40am

What, make a dialog that says "la cucaracha"?

bluebaritone21 · March 22, 2024, 12:06pm

Sorry.

mr_owlssssnap2 · March 22, 2024, 6:48pm

Always use innerText instead of innerHTML for things like this, folks!

mr_owlssssnap2 · March 22, 2024, 6:51pm

I agree, except how? We can't private message you

ego-lay_atman-bay · March 22, 2024, 9:41pm

There's an email on the contact us page which can be found in the footer of the community site, contact@snap.berkeley.edu

mr_owlssssnap2 · March 22, 2024, 9:43pm

oh, yesh

joecooldoo · March 22, 2024, 10:48pm

unfortunately that email never works for me. In the past two times I've contacted the email I get an error email reply that I'm not in some Google workspace group

ego-lay_atman-bay · March 22, 2024, 10:55pm

Well, then don't use your school email (I'm assuming you are, because I've contacted them multiple times, and have always gotten a reply).

joecooldoo · March 23, 2024, 7:31pm

i dont. i never use my school email. i use my own personal account and it has no restrictions

bh · March 23, 2024, 9:30pm

Could you post a screenshot, or forward me the reply? Tnx.