[HN Gopher] Show HN: HN comments sidebar bookmarklet
       ___________________________________________________________________
        
       Show HN: HN comments sidebar bookmarklet
        
       Author : srimukh
       Score  : 37 points
       Date   : 2023-06-24 19:51 UTC (3 hours ago)
        
 (HTM) web link (gist.github.com)
 (TXT) w3m dump (gist.github.com)
        
       | samstave wrote:
| Great! Would be cool if you added a "transparency" slider to the
| overlay? Or the ability to snap to a split of both in the same page, as
| well as an overlay.
        
       | Agree2468 wrote:
       | There was an extension called Epiverse that used to do this +
       | reddit comments, I dearly miss it. Although I began to notice
       | that I was more concerned with the comments than the pages
       | themselves.
        
         | toomuchtodo wrote:
         | https://epiverse.co/
         | 
         | Relevant comment: https://news.ycombinator.com/item?id=30187483
        
       | puika wrote:
       | Very handy. Ironic that it cannot work with this very post due to
       | github's CSP
        
       | tough wrote:
       | Very cool, would be nice to be able to somehow open all links
       | from hn directly with the side-loaded comments!
        
         | srimukh wrote:
         | Thanks! That's even better -- although I think you'd need to
         | create an extension out of this to be able to do that.
        
       | arkadiyt wrote:
       | This is trivially vulnerable to XSS [1]. Someone can leave a
       | comment of the form:
       | https://"><script>alert(1)</script>
       | 
| and if you click the bookmarklet for the page that comment was
| discussing then their JavaScript will execute in your logged-in
| context on that website.
       | 
       | [1]:
       | https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...
        
         | srimukh wrote:
         | Thank you for spotting this! I updated the code to escape some
         | special characters.
         | 
         | For people reading this, the parent comment is referring to
         | this line[1] from a previous revision of the gist.
         | 
         | [1]:
         | https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...
        
           | arkadiyt wrote:
           | > For people reading this, the parent comment is referring to
           | this line[1] from a previous revision of the gist.
           | 
| That was not the line, it was linking to this innerHTML call:
| https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...
           | 
           | Also as a defense mitigation I don't think escaping is ever
           | going to be effective, it would be better to create anchor
           | elements directly. With your current approach I can still XSS
           | with, for instance:
           | https://"onmouseenter=alert(1)"
        
       ___________________________________________________________________
       (page generated 2023-06-24 23:00 UTC)