Post AVde2Nw1Tz17Z6a4aO by clacke@libranet.de
 (DIR) Post #AVde2NGtws7jVZLEUS by clacke@libranet.de
       2023-05-14T06:57:36Z
       
       0 likes, 0 repeats
       
       @lnxw48a1 Oh! Thanks. That's an injection that really shouldn't be allowed past the filters. Maybe that's the point being made.
       
 (DIR) Post #AVde2Nw1Tz17Z6a4aO by clacke@libranet.de
       2023-05-14T07:05:53Z
       
       0 likes, 0 repeats
       
       @tek The issue has been brought to attention. It would improve the Fedi experience of me and many others if we didn't have to see this on every page load. Thank you.
       
 (DIR) Post #AVde2OZN7gUbX8zUv2 by tek@freeradical.zone
       2023-05-14T07:20:14Z
       
       0 likes, 0 repeats
       
       @clacke Oh, wow! I didn’t think any software would be *that* seriously broken. I’ll see about changing my profile tomorrow, but that means libranet has a major, major security flaw. I could tell it to load whatever JS code I wanted into your browser by setting my name appropriately.
       
 (DIR) Post #AVeBCd8R7WUW5hsd4C by clacke@libranet.de
       2023-05-14T03:19:44Z
       
       0 likes, 0 repeats
       
       @alfred I get popups from libranet that say "Tek". A lot.
       
 (DIR) Post #AVeBCdk0roY5yFSddY by nupplaphil@friendica.philipp.info
       2023-05-14T09:52:22Z
       
       0 likes, 0 repeats
       
       @hypolite / @heluecht - Do you see any popups? If we really execute nickname scripts, this would be a serious security issue...
       
 (DIR) Post #AVeBCePqMI0e3z22q0 by hypolite@friendica.mrpetovan.com
       2023-05-14T11:46:38Z
       
       0 likes, 0 repeats
       
       @nupplaphil @heluecht @alfred Apparently @clacke suggested it’s either in the notifications or the follow process. The notifications have a convoluted JS template system, I’d look into that.
       
 (DIR) Post #AVeBCfAdYJRKP6vPm4 by heluecht@pirati.ca
       2023-05-14T13:31:24Z
       
       0 likes, 0 repeats
       
       I'm most likely convinced that we fixed this for the contacts (either for their profile or the list) a long time ago. Also this functionality is centralized. So it sounds plausible that it is hidden in the notifications.
       
 (DIR) Post #AVeMie9px8Tc1c0KpM by nupplaphil@friendica.philipp.info
       2023-05-14T09:54:24Z
       
       0 likes, 0 repeats
       
       @tek Can you mention me anywhere and directly post anything in my timeline too? Thanks :)
       
 (DIR) Post #AVeMifbAazw0Ufng4O by tek@freeradical.zone
       2023-05-14T15:40:51Z
       
       0 likes, 0 repeats
       
       @nupplaphil @alfred Hi!
       
 (DIR) Post #AVeOF6vUcw86TDL57o by nupplaphil@friendica.philipp.info
       2023-05-14T09:49:25Z
       
       0 likes, 0 repeats
       
       Hm, @alfred which Friendica version do you use? I see @tek posts with his "nickname" but no popup at all (the web-console doesn't show any errors either). I'm using the latest develop version of Friendica.
       
 (DIR) Post #AVeOF7acA31UWkZvDk by alfred@libranet.de
       2023-05-14T10:03:57Z
       
       0 likes, 0 repeats
       
       Should I stay on stable to debug this or should I switch to develop?
       
 (DIR) Post #AVeOF8MTI7IuvAy8oa by tek@freeradical.zone
       2023-05-14T15:57:55Z
       
       0 likes, 0 repeats
       
       @alfred @nupplaphil @clacke Side note: I reported the issue to Friendica.
       
 (DIR) Post #AVeX84cThiC4sPAF5E by tek@freeradical.zone
       2023-05-14T17:37:25Z
       
       0 likes, 0 repeats
       
       @nupplaphil @alfred @clacke Upon request, I've changed my username.
       
 (DIR) Post #AVfLB64Tl6a3xIteEq by nupplaphil@friendica.philipp.info
       2023-05-14T18:41:03Z
       
       0 likes, 0 repeats
       
       @alfred - merged, at least on my local node, the popups are gone
       
 (DIR) Post #AVfLB6iXMAchxXddg0 by alfred@libranet.de
       2023-05-14T18:47:18Z
       
       0 likes, 0 repeats
       
       Yep. 😀
       
 (DIR) Post #AVfLB7K76SgHq5DeFM by clacke@libranet.de
       2023-05-14T23:28:50Z
       
       0 likes, 0 repeats
       
       Wow, thank you everyone for this quick response, it's been impressive, and thank you @tek for doing unusual things with your display name to uncover this. =) @alfred @lnxw48a1 @jakob @nupplaphil @hypolite @heluecht
       
 (DIR) Post #AVfLB872AZoSHo6iUy by tek@freeradical.zone
       2023-05-15T02:58:18Z
       
       0 likes, 0 repeats
       
       @clacke @alfred @lnxw48a1@nu.federati.net @jakob @nupplaphil @hypolite @heluecht Well done, gang! Anyone have friends on the Friendica project who can merge the changes upstream?
       
 (DIR) Post #AVfMJ3kcMyG11uy2Xw by hypolite@friendica.mrpetovan.com
       2023-05-15T03:05:57Z
       
       0 likes, 0 repeats
       
       @tek The changes are already merged upstream, we haven't released them yet, but they are available on the develop, which @alfred has pulled on libranet.de.
       
 (DIR) Post #AVfMJ4OJzM1513XkQq by tek@freeradical.zone
       2023-05-15T03:10:51Z
       
       0 likes, 0 repeats
       
       @hypolite @alfred Right on. Well done!
       
 (DIR) Post #AVfMVZ4FlDSHdF7AFU by tek@freeradical.zone
       2023-05-15T03:13:12Z
       
       0 likes, 0 repeats
       
       @hypolite @alfred Do me a favor? I would like to announce this, but not until people have had a chance to upgrade. Would you let me know if/when a notice has gone out?
       
 (DIR) Post #AVfR3exwjkf7aUg5dg by hypolite@friendica.mrpetovan.com
       2023-05-15T03:57:49Z
       
       0 likes, 0 repeats
       
       @tek @alfred I would like to do an anticipated release, alongside another fix that has yet to be merged, and we will do the regular announcement then, giving you the credit for the find.
       
 (DIR) Post #AVfR3fZsSj0HU8QNlI by tek@freeradical.zone
       2023-05-15T04:04:12Z
       
       0 likes, 0 repeats
       
       @hypolite @alfred I appreciate it, thanks. Best wishes with the release!
       
 (DIR) Post #AVgWSCcHyCCNpf1uoS by tek@freeradical.zone
       2023-05-15T16:39:21Z
       
       0 likes, 0 repeats
       
       @hypolite @alfred BTW, yesterday I’d changed my name to be a rickroll instead of an alert. Today I changed it back for testing. Everything still OK?
       
 (DIR) Post #AVgXTzS5zB2LXLg7W4 by clacke@libranet.de
       2023-05-15T16:46:57Z
       
       0 likes, 0 repeats
       
       @tek I wasn't rickrolled (except voluntarily) and I'm not seeing alerts. @hypolite @alfred
       
 (DIR) Post #AVgXU0CBDptrqHEvLc by tek@freeradical.zone
       2023-05-15T16:50:51Z
       
       0 likes, 0 repeats
       
       @clacke @hypolite @alfred OK, awesome.
       
 (DIR) Post #Ai5VzY7lZAkRo61WAy by nupplaphil@friendica.philipp.info
       2023-05-14T08:48:12Z
       
       0 likes, 0 repeats
       
       We recently got an explanation about this issue per email, the root cause isn't a nice one...