bark
@bark
preact/components/post-display/post-body.tsx
return renderedBody.initialLength ? (
  // this outer wrapper exists to fix the negative margin-bottom
  // clickjacking vector discovered by @bark; overflow: clip doesn't
  // clip out the overflowing element here but a layer of
  // overflow: clip prevents the bad tab navigation behavior
  <div className="overflow-hidden">
make it worse
a post with the headline “my totally normal post headline” and a body of what appears to be “my totally normal post body”. a red box covers the entire footer of the post (containing the comments link, rebug and like buttons) that says “post content overlaps footer”.
make it even worse
the post above now has a fake rebug button covering the real rebug button. the cursor is hovering over the button, and the browser shows the button is actually a link to google.
now you've gone and done it
the post above with the fake rebug button now has the red background and “post content overlaps footer” text removed. it's impossible to tell the rebug button is a fake redirect to google.
so yeah. i did it again. finally carving out my niche: clickjacking™ on cohost!

apologies for giving you more work just before your break, @staff. but also, big ups for how quickly you responded, especially as a small team (thanks kara!)

it's sunday baby. you know what that means. it's time to drink precisely one iced tea and email security@cohost.org (again)


for completeness, here's the offending snippet i sent @staff:

<div style="
  height: 3rem;
  margin-bottom: calc(-4rem - 1px);
  background: rgba(255, 0, 0, 0.5);
">
  <strong style="margin-left: 1rem; color: white">post content overlaps footer</strong>
  <a href="https://google.com">
    <img src="https://staging.cohostcdn.org/attachment/074cc3d5-7ac0-422f-a104-08edfa328e92/rebug.svg" style="
      display: inline;
      width: 1.5rem;
      height: 1.5rem;
      margin: 0.75rem 0 0 0;
      position: absolute;
      right: 3rem;
    " />
  </a>
</div> 
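
A layout regression check for the overlap described in this post, as an added example that is not part of the original post or cohost's code. It flags post content that is still visible on top of the footer, with and without an overflow-clipping wrapper. The function names are hypothetical and the rectangles are constructed assuming 1rem = 16px.

```javascript
// Intersection of two rects ({left, top, right, bottom}), or null if empty.
function intersect(a, b) {
  const r = {
    left: Math.max(a.left, b.left),
    top: Math.max(a.top, b.top),
    right: Math.min(a.right, b.right),
    bottom: Math.min(a.bottom, b.bottom),
  };
  return r.left < r.right && r.top < r.bottom ? r : null;
}

// Returns the post-content rects that remain visible over the footer.
// clipRect is the rect of an overflow-clipping wrapper around the post
// body, or null when no such wrapper exists.
function findFooterOverlaps(contentRects, footerRect, clipRect) {
  const hits = [];
  for (const rect of contentRects) {
    // getBoundingClientRect() reports unclipped boxes, so apply the clip here.
    const visible = clipRect ? intersect(rect, clipRect) : rect;
    if (visible && intersect(visible, footerRect)) hits.push(rect);
  }
  return hits;
}

// Browser-only helper (hypothetical): audit links in a rendered post body.
// "a *" is included because an absolutely positioned <img> inside a link
// has its own box, separate from the link's inline box.
function auditPost(bodyEl, footerEl, clipEl) {
  const rects = [...bodyEl.querySelectorAll("a, a *")]
    .map((el) => el.getBoundingClientRect());
  return findFooterOverlaps(
    rects,
    footerEl.getBoundingClientRect(),
    clipEl ? clipEl.getBoundingClientRect() : null
  );
}

// Constructed sample layout: a 48px-tall block at y=100 with a -65px bottom
// margin pulls the footer up to y=83, under a 24px linked image at y=112.
const SAMPLE = {
  footer: { left: 0, top: 83, right: 600, bottom: 131 },
  fakeButton: { left: 528, top: 112, right: 552, bottom: 136 },
  wrapper: { left: 0, top: 40, right: 600, bottom: 83 }, // clipping wrapper
};
```

In a browser test, `auditPost` would be called on the rendered post body and footer elements, and a non-empty result fails the test.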