No.10364
wat
No.10366
I keep forgetting custom markup is a thing, which is a shame, because I like the feature a lot.
No.10368
><>
Golden fish
No.10370
I will patch this sometime... I have restrictions (opacity and position) on the attribute override syntax, but obviously there are so many CSS rules that I'll forget a few things that will cause problems occasionally. But if no one is abusing it then I'll probably only target the really problematic ones such as invisible text. This styling doesn't show up on the vichan UI so it's not a problem to moderate, but might be tricky to see sometimes.
No.10371
>>10370 The big thing you need to watch out for is stuff that loads content from external URLs, which is a privacy issue because it could be used to log IPs.
No.10375
>>10371 doesn't work by design since the field doesn't allow for ( )
Though, explicitly disallowing external url is for the best.
No.10422
>>10368 your fish kind of changed color...
No.10423
I'm working out hypothetical issues with the feature and color changes are going to have to be restricted to dark themes (everything but kissu.css) since having a situation where some posters are preventing users of certain sheets from reading their posts is very problematic.
Likewise some ways to make text hidden or very unreadable on dark sheets will have to be removed.
I missed this too sigh
No.10430
abawawa
abawawa
No.10431
Will be allowing url to be used with relative domains only.
Various failsafes in the attribute override parsing will guarantee that there's never an HTTPS.
the following checks are made:
// url() holding an absolute http(s) address: record an error, then rewrite the https form to its path only
if( /url\((?:"|'|)https?:\/\/(?:[^ ]+\.)?[^ ]+\.[^ ]+?(\/[^'"\)]+)?(?:"|'|)\)/gui.test( style_parts[1] ) ){
    error_list.push({ [style_parts[0]] : "url-can-not-use-https.Use: url(/qa/thumb/1638594960389.webp);"});
    style_parts[1] = style_parts[1].replace( /url\((?:"|'|)https:\/\/(?:[^ ]+\.)?[^ ]+\.[^ ]+?(\/[^'"\)]+)?(?:"|'|)\)/gui , "url($1)" );
}
// redundant, do not let this URL create an exploit:
// if "http" or "https" is still present anywhere in the value, the whole rule is unset
if(/https?/gi.test(style_parts[1])){
    error_list.push({ [style_parts[0]] : "for-some-reason-https-was-not-removed...terminating-rule"});
    style_parts[1] = "unset";
}
No.10435
>>10431 You can get around a search for "https" by CSS escapes, like so:
\0068ttps
No.10437
>>10435 \ still a forbidden character.
122Worth examining and seeing if it gets through
No.10438
>>10437 data: URIs could also be an issue, particularly if they're to something like SVG that can load subresources.
No.10439
>>10438 It doesn't effect because I forgot to make the server handle case insensitive input.
very nice,
No.10440
kind of complicated. Checking for HTTPS is the wrong approach apparently. Rather will have to force URLs to be relative
No.10441
Javascript's regex engine auto converts \0068 and so on into their interpretation. So the problem with \ is less of a serious concern considering regex ought to be doing the conversions with or without the \u flag. Still, the value of having \ be in the CSS is not essential and potential issues don't outweigh the gain.
data: is to be explicitly blocked for everything.
No.10442
new rules:
// the first url(...) in the value is extracted and checked against an allow-list
if( /url\((?:"|'|)([^"'\)]*?)(?:"|'|)\)/gui.test( style_parts[1] ) ){
    let url_match = /url\((?:"|'|)([^"'\)]*?)(?:"|'|)\)/gui.exec(style_parts[1]);
    // allowed: a relative path, or an absolute https URL on kissu.moe (or a subdomain); no .svg extension
    let valid_url = /^\/(?!data|https)[a-z0-9\/]+\.(?!svg)[a-z]+$/ui.test(url_match[1]) ||
        /^https:\/\/([a-z]+\.)?kissu\.moe\/[a-z0-9\/]+\.(?!svg)[a-z]+$/ui.test(url_match[1]) ;
    if(!valid_url){
        error_list.push({ [style_parts[0]] : "only-kissu-urls-allowed.eg-url(/qa/thumb/1638594960389.webp);"});
        style_parts[1] = style_parts[1].replace( /url\((?:"|'|)([^"'\)]*?)(?:"|'|)\)/gui , "url('error')" );
    }
}
// redundant, do not let URL create an exploit:
// data:, .svg or a literal \0 anywhere in the value empties the rule
if(/(data:|\.svg|\\0)/gui.test(style_parts[1])){
    error_list.push({ [style_parts[0]] : "potentially dangerous-markup-was-not-removed.Check-/(data:|\\.svg|\\\\0)/.terminating-rule"});
    style_parts[1] = "";
}
No.10443
forgot the negative lookahead (?!svg) on one of the validations, added that in.
I'll leave \ disabled server side and have the client blocking \0
Will fix that style tags were case sensitive after I upload my current changes and wait a few hours.
Client aborts parsing for given rule if data: is encountered
No.10444
>>10441
>Javascript's regex engine auto converts \0068 and so on into their interpretation.
It should interpret \u0068 as h if it occurs in the regular expression. If \0068 occurs in the string being tested, there's no reason it would auto convert anything.
No.10445
>>10444 guess I confused something with something else
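Added example, not part of any post in this thread and not kissu's code: as >>10435 and >>10444 point out, a search for "https" runs on the raw string, where \0068ttps has not been decoded. The code below decodes CSS escapes first and then checks every url() in the value against a relative-path allow-list; the function names and the extension list are assumptions.

```javascript
// Added example. All names are hypothetical; the extension allow-list is an assumption.
const ALLOWED_EXT = new Set(["png", "jpg", "jpeg", "gif", "webp"]);

// CSS escape decoding: "\" + 1-6 hex digits (+ one optional whitespace), or "\" + any char.
function decodeCssEscapes(value) {
  return value.replace(/\\([0-9a-f]{1,6})[ \t\n\f\r]?|\\([^\n])/giu, (m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    // NUL, surrogates and out-of-range values become U+FFFD, as the CSS tokenizer does.
    const bad = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
    return bad ? "\ufffd" : String.fromCodePoint(cp);
  });
}

// Returns { ok, reasons } for one declaration value.
function checkStyleValue(raw) {
  const value = decodeCssEscapes(raw); // validate what the browser will see
  const reasons = [];
  if (/data:/iu.test(value)) reasons.push("data-uri");
  let parsed = 0;
  for (const m of value.matchAll(/url\(\s*(["']?)(.*?)\1\s*\)/giu)) {
    parsed += 1;
    // One leading "/" only (no "//host"), plain path characters, allow-listed extension.
    const rel = /^\/(?!\/)[a-z0-9\/_-]+\.([a-z0-9]+)$/iu.exec(m[2]);
    if (!rel || !ALLOWED_EXT.has(rel[1].toLowerCase())) {
      reasons.push("url-not-allowed:" + m[2]);
    }
  }
  // Any "url(" the pattern above could not parse is rejected rather than guessed at.
  const opened = (value.match(/url\(/giu) || []).length;
  if (opened !== parsed) reasons.push("unparsed-url");
  return { ok: reasons.length === 0, reasons };
}
```

Because the check is an allow-list on the decoded value, it does not depend on \ being a forbidden character elsewhere in the parser.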
No.11004
Bumping this thread because it's good and I wish more people used the custom markup.
No.11007
>>11006 font size:90px, that is.
px is for pixel
No.11060
[s glowgreen|font-size:48px]test[/s]
No.11061
>>11060 that's not an expected result
No.11064
Strange, you copy paste an HTML entity which means that it doesn't work as expected
does not translate into a space
No.11065
Issue resolved with copy pasting the OP, learned nbsp is not the same as whitespace
Oh no, I guess this could be an issue
No.11067
>>11066 it's because code blocks have a lot of their characters converted into HTML entities in order to prevent any markup being rendered inside of them
No.11100
I appreciate everyone's restraint in not overdoing it with this site feature.
No.11101
キタ━━━(゚∀゚)━━━!!
No.11631
bump
No.11632
do you need the glowsomething for the font size to work...
No.11633
i aint gonna teach you the easter eggs
No.11634
>>11632 Nope, but I can't get it to work unless there's a | in front as if I was doing multiple things. I never bothered to learn how to do it otherwise