Future page/action in the works?

I'm just browsing through the community's collections and an idea popped in my head... if there's a username URL parameter on one page, how about I test it somewhere else?

So I tried it and this popped up.
t Screenshot 2024-03-13 11.53.03|441x53 ethrarxitet's Published Collections
Unfortunately, it's not very functional, and it still shows everyone's published collections.
A group of other people's collections.

It also works with the Explore tab, however that doesn't show that user's projects.
Screenshot 2024-03-13 11.53.03
It looks like the website handles it well, since moving to a new page still keeps the username parameter.

Is this a new page function in the works?

Yeah, the underlying problem is that people can add you to their collections. We should make it so you have to confirm that.

Oooh, XSS!

yep :frowning: @bromagosa

Woah, cool alert!

That's not XSS. That happens because when they set the title of projects, they use the .innerHTML rather than .innerText, so that's why the scripting works.

What is this?

A lot of the user names look like spam.

I know what I'm going to do... maybe.

no. dont do it.

Just patched this one. It was a one-character slip on my side...

These are not serious vulnerabilities, but still the standard practice when someone finds a possible vulnerability on an online service, more so if it's a free software one, is to notify the developers privately before teaching all other users how to exploit it.

Thank you for reporting, but please use a bit of Internet etiquette for next time :slight_smile:

What, make a dialog that says "la cucaracha"?


Always use innerText instead of innerHTML for things like this, folks!

I agree, except how? We can't private message you

There's an email on the contact us page which can be found in the footer of the community site, contact@snap.berkeley.edu

oh, yesh

unfortunately that email never works for me. In the past two times I've contacted the email I get an error email reply that I'm not in some Google workspace group

Well, then don't use your school email (I'm assuming you are, because I've contacted them multiple times, and have always gotten a reply).

i dont. i never use my school email. i use my own personal account and it has no restrictions

Could you post a screenshot, or forward me the reply? Tnx.