garou


lexi
@lexi

hey guys look at this cool code i found

"THIS IS DANGEROUS, DO NOT RUN THIS CODE! THIS CAN ACCESS YOUR ACCOUNT AND IS NOT TRUSTWORTHY. ONLY RUN THIS WHEN YOU ARE LOGGED OUT OF COHOST AND RUN IT IN A SEPARATE BROWSER PROFILE";
// Only proceeds when the nav link text is not "post" (i.e. when logged out).
if (document.querySelector("#app > div > header > div > nav > div > a > span").innerText !== "post") {
  // Finds every <pre> marked with content: url("execute-me") and evals its unescaped text.
  Array.from(document.querySelectorAll`pre`)
    .filter(e => e.style.content === 'url("execute-me")')
    .map(e => { try { eval(unescape(e.innerHTML)) } catch (e) {} })
} else {
  alert('i am not joking, dont do that')
}

lexi
@lexi
document.getElementById%28%27user-content-button-alert-placeholder%27%29.innerHTML%20%3D%20%27%3Cbutton%20id%3D%22alert-button%22%3EClick%20Me%3C/button%3E%27%3B%0A%0Adocument.getElementById%28%27alert-button%27%29.addEventListener%28%27click%27%2C%20function%28%29%20%7B%0A%20%20alert%28%27You%20clicked%20me%21%27%29%3B%0A%7D%29%3B
nothing to see here
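
To see what a hidden block like the one above would do without running it, the payload can be decoded and scanned statically. This is an added example, not code from the post; the function names, the pattern list and the sample payload are constructed for illustration.

```javascript
// Added example: static triage of a percent-encoded script payload.
// Nothing here is executed with eval; the payload is only decoded and pattern-matched.

// Constructed sample, shaped like the encoded text in the post's hidden <pre>.
const PAYLOAD =
  "document.getElementById%28%27demo%27%29.innerHTML%20%3D%20" +
  "%27%3Cbutton%3EClick%3C/button%3E%27%3B";

// Hypothetical rule set: API uses a reviewer would want to see before trusting a script.
const RISKY_PATTERNS = [
  { name: "dynamic-eval", re: /\b(eval|Function|setTimeout|setInterval)\s*\(/ },
  { name: "html-sink", re: /\.(innerHTML|outerHTML)\s*=|insertAdjacentHTML|document\.write/ },
  { name: "credential-access", re: /document\.cookie|localStorage|sessionStorage/ },
  { name: "network", re: /\bfetch\s*\(|XMLHttpRequest|sendBeacon|new\s+WebSocket/ },
  { name: "event-hook", re: /addEventListener\s*\(/ },
];

function decodePayload(encoded) {
  // innerHTML returns entity-escaped text, so undo the common entities first
  // (&amp; last, to avoid decoding twice).
  const text = encoded
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
  try {
    return decodeURIComponent(text);
  } catch {
    // Malformed escapes make decodeURIComponent throw; decode the valid %XX
    // pairs and leave the rest visible for the reviewer.
    return text.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  }
}

function triage(encoded) {
  const source = decodePayload(encoded);
  const findings = RISKY_PATTERNS.filter(p => p.re.test(source)).map(p => p.name);
  return { source, findings };
}

const report = triage(PAYLOAD);
console.log(report.source);
console.log("flags:", report.findings.join(", ") || "none");
```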

in reply to @garou's post:

funny idea: you could make a userscript that automatically scans for <pre> blocks with display: none and the title attr set to RUNME and run the content of those blocks. that would not be XSS because, well, it's from cohost to cohost so it's... intra site scripting? either way that would be pure chaos and i would install it
