
DText header IDs may hijack reserved IDs #2659

Closed
evazion opened this issue Sep 7, 2016 · 2 comments

Comments

@evazion (Member) commented Sep 7, 2016

Header IDs can be abused to hijack IDs already in use by the site:

h1#artist-commentary. Look at me! - style a comment obnoxiously.

h1#add-to-favorites. nope - break the 'F to favorite' hotkey (may need to put this in a flag message to ensure it's high enough in the HTML to hijack the $("#add-to-favorites") javascript).

I suggest that header IDs must follow a safe format that won't interfere with site IDs. Maybe something like h1#dtext-blah-blah. or h1#header-blah-blah.

@r888888888 (Collaborator)

Alternatively (and this may not be any more obvious) when the id is converted to HTML, always prepend some prefix so there's no chance of clashing.

@Type-kun (Collaborator) commented Sep 8, 2016

https://danbooru.donmai.us/forum_posts/119633 suggests changing the dtext- prefix to something more descriptive. Either way, the old dtext.rb and the corresponding test for it should be fixed to reflect this, too.
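The fix discussed in this thread (always namespace user-chosen header IDs with a fixed prefix when DText is rendered to HTML, so they can never equal an ID the site's own JavaScript or CSS relies on) is small enough to show end to end. The Ruby below is an added example, not Danbooru's dtext.rb: the `dtext-` prefix comes from the thread, while the header syntax regex, the `RESERVED_IDS` list and the function names are assumptions made for the demonstration. The `prefix:` keyword lets the same renderer show both the unprefixed (clashing) and prefixed (safe) behaviour.

```ruby
# Added example, not Danbooru's dtext.rb. Renders a single DText header line
# such as "h1#artist-commentary. Look at me!" to HTML while namespacing the
# author-supplied id so it cannot collide with ids the site itself uses.
require "cgi"

# Prefix proposed in the issue thread.
DTEXT_ID_PREFIX = "dtext-".freeze

# Assumed DText header syntax: level, optional "#id", a period, then the text.
HEADER_RE = /\A(?<level>h[1-6])(?:#(?<id>[a-z0-9_-]+))?\.\s*(?<text>.*)\z/i

# Constructed list of ids the site's own JavaScript/CSS depends on; the two
# entries are the ones named in the issue. Real deployments would not need this
# list at all once the prefix is in place; it exists here as a regression guard.
RESERVED_IDS = %w[artist-commentary add-to-favorites].freeze

# Normalise and prefix a raw header id. A conservative charset check means no
# quote or whitespace can ever reach the id="" attribute, and the prefix means
# the result can never equal an unprefixed site id.
def safe_header_id(raw, prefix: DTEXT_ID_PREFIX)
  return nil unless raw && raw.match?(/\A[a-z0-9_-]+\z/i)
  prefix + raw.downcase
end

# Render one header line to HTML, or nil if the line is not a header.
def render_header(line, prefix: DTEXT_ID_PREFIX)
  m = HEADER_RE.match(line)
  return nil unless m
  id = safe_header_id(m[:id], prefix: prefix)
  attr = id ? %( id="#{id}") : ""
  level = m[:level].downcase
  "<#{level}#{attr}>#{CGI.escapeHTML(m[:text])}</#{level}>"
end

# True when rendering this line would emit an id that the site already uses.
# With the default prefix this is always false; with prefix: "" it reproduces
# the hijack described in the issue.
def hijacks_reserved?(line, prefix: DTEXT_ID_PREFIX)
  m = HEADER_RE.match(line)
  id = m && safe_header_id(m[:id], prefix: prefix)
  !id.nil? && RESERVED_IDS.include?(id)
end

if __FILE__ == $PROGRAM_NAME
  puts render_header("h1#add-to-favorites. nope", prefix: "")   # clashes
  puts render_header("h1#add-to-favorites. nope")               # namespaced
end
```

The important property is that the prefix is applied unconditionally in the renderer rather than being something the author is asked to type: a convention like "please write h1#dtext-foo." would still let a header written as "h1#add-to-favorites." through, whereas prepending at conversion time makes the clash impossible for every header the renderer emits.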
