Did you know? There are three supported image hosts on wasteof:
but you can actually post images from a 4th host: https://cdn.jsdelivr.net/gh/twitter/[email protected]/assets/72x72/*
it’s the emojis on the site, but you can post them as normal images as well. Here’s an example:
yeah, but for some reason clicking his name in your comment before this one opens up my browser
clicking that user profile link opens my browser (on wasteof for android btw)
oh, i didn’t even realise that. i thought that it would fail (i copied the emojis as rich text accidentally once)
nope, it’s not
i think it was going to be, but i couldn’t manage to write a motion jpeg encoder. if i do, i’ll ask jeffalo to add it again.
Sadly, this is not an XSS vector because it’s locked down to the 72×72 path, which only includes PNG images. If someone were to sneak in a malicious SVG into the Twemoji repo, though, you could possibly do it (but that would also hack thousands of other sites at the same time, including Twitter)
I think there’s also some stuff @jeffalo could do to block certain file types, but I’m not sure about that.
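A server-side allowlist check of the kind the post above describes (exact host, one fixed path prefix, PNG filenames only), added here as an example and not code from wasteof or anyone in this thread. The host and the 72x72 path come from the thread; the version tag `twemoji@0.0.0` is a placeholder to be replaced with a real pinned tag, and the Twemoji filename pattern (lowercase hex codepoints joined by `-`) is an assumption.

```javascript
// Added example, not wasteof's own code: accept only the jsdelivr Twemoji
// 72x72 PNG directory and reject everything else (other hosts, other
// directories, SVGs, traversal, query strings).
// "twemoji@0.0.0" is a placeholder version; pin the tag you actually allow.
const ALLOWED_HOST = "cdn.jsdelivr.net";
const ALLOWED_PREFIX = "/gh/twitter/twemoji@0.0.0/assets/72x72/";
// Assumed filename shape: hex codepoints joined by "-", extension ".png" only.
const FILENAME_RE = /^[0-9a-f]{4,6}(?:-[0-9a-f]{4,6})*\.png$/;

function isAllowedImageUrl(raw) {
  let url;
  try {
    url = new URL(raw);                         // unparsable input is rejected
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  if (url.hostname !== ALLOWED_HOST) return false;  // exact match, no suffix tricks
  if (url.username || url.password) return false;   // no userinfo games
  if (url.search !== "" || url.hash !== "") return false;
  // The WHATWG URL parser already resolves "." and ".." segments, so a path
  // that tried to climb out of 72x72/ no longer starts with the prefix.
  const path = url.pathname;
  if (path.includes("%")) return false;             // nothing here needs encoding
  if (!path.startsWith(ALLOWED_PREFIX)) return false;
  const file = path.slice(ALLOWED_PREFIX.length);
  return FILENAME_RE.test(file);                    // one segment, PNG only
}
```

Twemoji assets also live under `assets/svg/`, which is exactly why the check pins the directory rather than just the repository.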