undefined | Better HN

0 pointsarkadiyt2y ago0 comments

> For people reading this, the parent comment is referring to this line[1] from a previous revision of the gist.

That was not the line, it was linking to this innerHTML call: https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...

Also as a defense mitigation I don't think escaping is ever going to be effective, it would be better to create anchor elements directly. With your current approach I can still XSS with, for instance:

    https://"onmouseenter=alert(1)"

0 comments

srimukh2y ago

Thanks! For now, I added a warning under the gist. Not that this is an excuse, but I put this together in about 30 minutes using GPT-4 for fun without much consideration about robustness or security. I will maybe try to rewrite it when I find time.

jfdi2y ago

Please do! Besides being a fun exercise it’s also a neat idea. Comments from the HN community make the content posted almost always more interesting imho

srimukh2y ago

I took the advice and updated the code to generate DOM nodes instead of setting HTML directly - it should decrease the risk of XSS

j / k navigate · click thread line to collapse

0 pointsarkadiyt2y ago0 comments

> For people reading this, the parent comment is referring to this line[1] from a previous revision of the gist.

That was not the line, it was linking to this innerHTML call: https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...

    https://"onmouseenter=alert(1)"

0 comments

srimukh2y ago

jfdi2y ago

Please do! Besides being a fun exercise it’s also a neat idea. Comments from the HN community make the content posted almost always more interesting imho

srimukh2y ago

I took the advice and updated the code to generate DOM nodes instead of setting HTML directly - it should decrease the risk of XSS

j / k navigate · click thread line to collapse