
Input sanitation on tags

Tag inputs currently aren't sanitized completely. Parentheses are just dropped into the URL, along with single quotes, double quotes and a few other characters. Space, slash and backslash are converted, though.


Worse, special characters like zero width spaces are also permitted (though they do get encoded), which produces an apparently empty tag with a _really_ long URL that just kinda breaks anything that tries to parse it (which is why my page broke! oops! i fucked up!). 



Context: 

I just locked myself out of my profile by experimenting with tags and being an idiot, so I guess that's no cohosting for me until someone picks that up. 


File attached shows the error I get when trying to access my page at https://cohost.org/tit which currently is completely inaccessible! Fun! 


oops.png
(65.5 KB)

2 people have this problem

Oh shit. It also locks out other users. Fuck. 



oh and for people reading this: for the love of eggbug please don't try to replicate it, it'll only create more work for the admins and i'd say "locking out multiple users" is enough damage done already


1 person likes this

Offending post was removed with the help of @lexi, see comment here: https://cohost.org/tuftedtitmouse/post/318166-i-just-locked-myself#comment-7d59ab77-d38f-4792-8cbb-9a6da9cd8e7c


(this comment contains a JSON string with my original site-breaking post in there which is probably good for troubleshooting @ staff!)
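
One way to close the gaps reported in this thread, as an added example that is not part of the original posts and is not cohost's code: normalize a tag on input, reject it if nothing visible remains, and percent-encode the characters `encodeURIComponent` leaves raw. The function names, the length limit and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example; MAX_TAG_CODEPOINTS and both function names are assumptions.
const MAX_TAG_CODEPOINTS = 80;

// encodeURIComponent leaves ! ' ( ) * untouched, so escape them as well:
// quotes and parentheses then never reach the URL unencoded.
function encodePathSegment(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0"));
}

function normalizeTag(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "not a string" };
  const tag = raw
    .normalize("NFC")
    // Any whitespace or separator run (tab, newline, NBSP, ...) becomes one space.
    .replace(/[\p{Z}\s]+/gu, " ")
    // Drop control chars, format chars (zero width space U+200B, bidi overrides)
    // and lone surrogates, which would make encodeURIComponent throw.
    // Trade-off: this also removes ZWJ, so joined emoji sequences come apart.
    .replace(/[\p{Cc}\p{Cf}\p{Cs}]/gu, "")
    // Stripping can leave doubled spaces behind; collapse again and trim.
    .replace(/ {2,}/g, " ")
    .trim();
  // A tag made only of invisible characters is empty here and is refused.
  if (tag.length === 0) return { ok: false, reason: "empty" };
  // Count code points, not UTF-16 units, so the cap bounds the encoded URL too.
  if ([...tag].length > MAX_TAG_CODEPOINTS) return { ok: false, reason: "too long" };
  return { ok: true, tag, path: encodePathSegment(tag) };
}

// Constructed sample inputs, not taken from the thread.
const samples = ["\u200B".repeat(500), "it's (a) \"tag\"", "  egg\u200Bbug  "];
for (const s of samples) {
  console.log(JSON.stringify(normalizeTag(s)));
}
```

Apply the same function when rendering already-stored tags, so that a stored tag that predates the check cannot break the page that lists it.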
