oh, it still doesn't work with pleroma and i don't understand why

Show thread

and only mastodon posts, because they will break in every other activitypub software i tried x.x

example.org/:mastodon:-does-wh

Show thread

well, at least my research led me to one interesting idea: if you have a personal blog, you can create redirects like domain.tld/:some_custom_emoji:/ -> domain.tld/blog/2020-12-04, and use the cute emojified links in your mastodon posts :p

Show thread

i chose a different approach for @meowViewer: infosec.exchange/@leip4Ier/105. it most likely is an example of over-engineering, but hey, my code will work in all cases, it won't break even for posts that contain <script> tags! (mastodon's code would) (which will never happen, because all <script>, <style>, etc tags are stripped by the sanitizer..)

Show thread

i talked about other implementations here: infosec.exchange/@leip4Ier/105. mastodon uses a state machine and only replaces emoji shortcodes in text (even if that text is inside a link!), it doesn't touch html attributes. friendica does the same thing as pleroma, misskey is too complicated for me to understand, and the language barrier doesn't help. i can only tell that it doesn't replace shortcodes inside the link text. here's how it displays the first post in this thread: misskey.io/notes/8fcvichcs2.

Show thread

the explanation: pleroma-fe uses the list of emoji attached to a post, and just replaces every emoji shortcode in raw html with an img tag. you can see it here: git.pleroma.social/pleroma/ple. it works most of the time, because you rarely have an emoji shortcode both inside the url and in attached metadata. but still, links can get broken.

you may notice that it doesn't sanitize emoji shortcodes or image urls. it is safe, because that's done on the backend: git.pleroma.social/pleroma/ple.

Show thread

(i'm just glad i didn't spend my time researching custom emoji replacement for nothing x.x)

Show thread

gotcha! look at this: pl.devfs.xyz/notice/A1prfJ7D02 (where the link goes!). it's an edge case no one else will probably ever see, but still..

Show thread

so now that infosec.exchange is up, toot.cafe decided to go down?? what

@leip4Ier Hey, I remember that when it recently turned out that Apple is spying on what apps users launch, you pointed out that OSCP basically does the same thing. I just learned about CRLite, Mozilla's initiative to fix this by building a Bloom filter of expired certificates and shipping that to Firefox users: blog.mozilla.org/security/2020 Pretty cool, eh?

i thought that with most tags not being nestable, you only need to do a bunch of simple regexes (`\[tag\](.*)\[\/tag\]`) and then sanitize the attributes that go into html. but, the latter isn't that obvious, at least not for friendica devs: they sanitized some attributes, but not the others. and it seems like an easy mistake to make, so in the end you're better off running a sanitizer on the resulting html code anyway. at which point, why not use html in the first place?

Show thread

Now back to . It being seemingly simple means that most implementations don’t bother with HTML sanitization. Instead, the expectation is that you run a bunch of regexps to produce HTML code and it will just be fine. Except that usually it’s not: jeffchannell.com/Other/bbcode-

Show thread
Show more
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.