[HN Gopher] Show HN: HN comments sidebar bookmarklet
___________________________________________________________________

Show HN: HN comments sidebar bookmarklet

Author : srimukh
Score  : 37 points
Date   : 2023-06-24 19:51 UTC (3 hours ago)

(HTM) web link (gist.github.com)
(TXT) w3m dump (gist.github.com)

| samstave wrote:
| Great! Would be cool if you added a "transparency" slider to the
| overlay? Or the ability to snap to a split of both in the same page
| as well as an overlay.
|
| Agree2468 wrote:
| There was an extension called Epiverse that used to do this +
| reddit comments, I dearly miss it. Although I began to notice
| that I was more concerned with the comments than the pages
| themselves.
|
| toomuchtodo wrote:
| https://epiverse.co/
|
| Relevant comment: https://news.ycombinator.com/item?id=30187483
|
| puika wrote:
| Very handy. Ironic that it cannot work with this very post due to
| GitHub's CSP.
|
| tough wrote:
| Very cool, would be nice to be able to somehow open all links
| from HN directly with the side-loaded comments!
|
| srimukh wrote:
| Thanks! That's even better -- although I think you'd need to
| create an extension out of this to be able to do that.
|
| arkadiyt wrote:
| This is trivially vulnerable to XSS [1]. Someone can leave a
| comment of the form:
|
| https://"><script>alert(1)</script>
|
| and if you click the bookmarklet for the page that comment was
| discussing then their JavaScript will execute in your logged-in
| context on that website.
|
| [1]:
| https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...
|
| srimukh wrote:
| Thank you for spotting this! I updated the code to escape some
| special characters.
|
| For people reading this, the parent comment is referring to
| this line[1] from a previous revision of the gist.
|
| [1]:
| https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...
|
| arkadiyt wrote:
| > For people reading this, the parent comment is referring to
| > this line[1] from a previous revision of the gist.
|
| That was not the line, it was linking to this innerHTML call:
| https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...
|
| Also, as a defense mitigation I don't think escaping is ever
| going to be effective, it would be better to create anchor
| elements directly. With your current approach I can still XSS
| with, for instance:
|
| https://"onmouseenter=alert(1)"
___________________________________________________________________
(page generated 2023-06-24 23:00 UTC)
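The two patterns arkadiyt contrasts in the thread, as an added example written for this page (it is not the gist's code, and the gist's actual implementation is not reproduced here): building the link markup as a string with only `<` and `>` escaped and handing it to `innerHTML`, versus creating the anchor with DOM APIs. The sample inputs are the benign HN link and the two payload strings quoted in the comments above. The `makeFakeDocument` shim, the `HTTP_URL` scheme check (a caveat beyond what the thread states: `href` is still a URL context, so a `javascript:` value would run on click), and all function names are assumptions made for this example.

```javascript
// Added example, not the gist's code. Shows why escaping a few characters is
// fragile in a quoted attribute, and why creating the element with DOM APIs is not.

// Pattern 1: build markup as a string and hand it to innerHTML, escaping only < and >.
function escapeAngleBrackets(s) {
  return String(s).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function buildLinkMarkup(url) {
  // The URL lands inside a double-quoted attribute and as element text.
  const e = escapeAngleBrackets(url);
  return '<a href="' + e + '">' + e + '</a>';
}

// The author wrote exactly two double quotes (around href). Any extra quote in the
// output means the value broke out of the attribute context, and an HTML parser will
// read whatever follows as new attributes (for example an event handler).
function markupBreaksAttributeContext(markup) {
  return (markup.match(/"/g) || []).length > 2;
}

// Pattern 2: create the anchor with DOM APIs. setAttribute and textContent store the
// string as one value; no HTML parser sees it, so quotes and brackets are inert.
// Added caveat (assumption, not from the thread): only http(s) may become an href.
const HTTP_URL = /^https?:\/\//i;

function createLinkElement(doc, url) {
  const a = doc.createElement('a');
  if (HTTP_URL.test(url)) {
    a.setAttribute('href', url);
    a.setAttribute('rel', 'noopener noreferrer');
  }
  a.textContent = url; // shown verbatim even when not linkable
  return a;
}

// Minimal stand-in for `document` so this runs under Node; a bookmarklet would pass
// the real document. Only the members used above are modelled.
function makeFakeDocument() {
  return {
    createElement(tag) {
      return {
        tagName: tag.toUpperCase(),
        attributes: {},
        textContent: '',
        setAttribute(name, value) { this.attributes[name] = String(value); },
        getAttribute(name) {
          return Object.prototype.hasOwnProperty.call(this.attributes, name)
            ? this.attributes[name] : null;
        },
      };
    },
  };
}

// Summarise both patterns for one input so the difference is visible side by side.
function compare(url) {
  const markup = buildLinkMarkup(url);
  const el = createLinkElement(makeFakeDocument(), url);
  return {
    markupBreaksOut: markupBreaksAttributeContext(markup),
    domAttributes: Object.keys(el.attributes).sort(),
    domHref: el.getAttribute('href'),
    domText: el.textContent,
  };
}

// Constructed sample inputs: the link and the two payloads quoted in the thread,
// plus one non-http value to exercise the scheme caveat.
const SAMPLES = [
  'https://news.ycombinator.com/item?id=30187483',
  'https://"><script>alert(1)</script>',
  'https://"onmouseenter=alert(1)"',
  'javascript:alert(1)',
];

for (const url of SAMPLES) {
  console.log(JSON.stringify({ url, ...compare(url) }));
}
```

Running it shows the escaped-string version breaking out of the attribute for both payloads (the first is neutralised only because its `<script>` is escaped, the second is not), while the DOM-built anchor carries exactly the `href` and `rel` attributes it was given and the raw string as text.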