Hacked link in docs

[lud]

Describe the bug

Hello,

When reading the readme on this page https://github.com/sveltejs/kit/tree/master/packages/adapter-static I went directly to a porn page when clicking on "more often than you probably think".

Load the linked url ( https://kryogenix.org/code/browser/everyonehasjs.html ) in your browser and reload the page a couple times, and tell me if it happens to you too.

I tried random other urls on my computer and nothing happend, so I guess I do not have a virus or something alike.

Reproduction

Load https://kryogenix.org/code/browser/everyonehasjs.html multiple times.

Logs

No response

System Info

Windows 10, No VPN, standard french ISP

Severity

serious, but I can work around it

Additional Information

No response

[Rich-Harris]

I... cannot reproduce this 😆

[Conduitry]

Weird, I was just able to. After a few refreshes I got a 302 to http://46.4.68.136/H8BfdGPh?DOM=kryogenix.org&URI=%2fcode%2fbrowser%2feveryonehasjs.html which redirected me to ... porn.

[lud]

Weird, I was just able to.

Well, I will not hide that it is a relief to me ...

[Rich-Harris]

alright, another maintainer just saw it as well. i guess it's time to cc @stuartlangridge!

[stuartlangridge]

I appreciate the CC here, thank you!

I can't replicate this, and I've tried a bunch. The page text itself doesn't seem to contain anything dodgy, having checked on the server. I may have missed something, but my current best guess is that this is a dodgy ad; the page does contain Google ads (because it gets referenced a lot and so having a small income from it is nice, although it doesn't bring in a lot; maybe I need a sponsor programme or something :-)), and perhaps there is an ad in the rotation which is hijacking users to a porn site? This is obviously bad, even if there's nothing much I can do about it; I can't get it to happen to me, no matter how much I try. I'm open to suggestions for how I might fix this -- if there's no obvious fix, then I'll kill the ads on the page, because this is obviously a bad thing to happen to people viewing the page and it needs to be stopped.

[0x524c]

Weird, I was just able to. After a few refreshes I got a 302 to http://46.4.68.136/H8BfdGPh?DOM=kryogenix.org&URI=%2fcode%2fbrowser%2feveryonehasjs.html which redirected me to ... porn.

And that site closes when the referrer is github and we click on this link, but copying and pasting it generates a 302 for a porn.

The difficulty now will be to find this possible xss on the report link

[lud]

I can't reproduce anymore, even when loading directly from the address bar.

[stuartlangridge]

OK. For the moment, then, I am going to assume that this is an issue with a bad ad that someone managed to get into Google Ads, and that ad has since been identified and killed from Google's side. However, if anyone manages to see the same thing happen again after this, do please let me know, and if that happens I'll kill the ads; it's certainly not worth it if there's a risk that people are being hijacked to bad places!

Also, I should say: thank you very much for getting this info to me so fast and helping to test for it. I appreciate it. Everyone knows that svelte is super fast, but I didn't realise that that also applied to the community's response as well :-)

[Conduitry]

The ad redirect thing doesn't make a ton of sense to me because, according to my network tab, I got an actual 302 from your server - I hope my browser wasn't lying to me, and I hope it wasn't actually a client-side redirect from a bad ad getting helpfully normalized in some way to a 302. But that also means the issue is a lot more mysterious. I haven't been able to get it to happen again after the two times I saw it in fairly quick succession.

[lud]

Alright :)

Though I suggest to check in a few days because @524c got a "302", so I assume a header before the page even loaded, and I have ublock origin running so I can't see any ad on your page.

(edit: was in reply to @stuartlangridge )

[0x524c]

OK. For the moment, then, I am going to assume that this is an issue with a bad ad that someone managed to get into Google Ads, and that ad has since been identified and killed from Google's side. However, if anyone manages to see the same thing happen again after this, do please let me know, and if that happens I'll kill the ads; it's certainly not worth it if there's a risk that people are being hijacked to bad places!

Also, I should say: thank you very much for getting this info to me so fast and helping to test for it. I appreciate it. Everyone knows that svelte is super fast, but I didn't realise that that also applied to the community's response as well :-)

I'll try to reproduce in the next few days, if I can, I'll let you know.

[stuartlangridge]

I got an actual 302 from your server

That's certainly worrying. I can't work out how that might have happened; I've checked htaccess stuff, and the page itself is plain HTML, and there doesn't seem to be any content in it that might cause a problem. But as mentioned I'm certainly happy to look further into this if it's still happening! This is strange stuff, and I definitely want to fix it if there's something my end that's causing it.

[0x524c]

Alright :)

Though I suggest to check in a few days because @524c got a "302", so I assume a header before the page even loaded, and I have ublock origin running so I can't see any ad on your page.

(edit: was in reply to @stuartlangridge )

Just for clarify:
Copying the malicious link and putting it in the address bar generates a 302 to a porn site. Direct clicking on the link here does not redirect. That's all I wanted to say.
I couldn't reproduce from the link https://kryogenix.org/code/browser/everyonehasjs.html

[arackaf]

Next time ping me on bugs like this so I can help reproduce

[NormandoHall]

Well, SK slogan claims "You will enjoy developing with sveltekit" 🤭