Did you know? There are three supported image hosts on wasteof:
but you can actually post images from a 4th host: https://cdn.jsdelivr.net/gh/twitter/[email protected]/assets/72x72/*
it’s the emojis on the site, but you can post them as normal images as well. Here’s an example:
Sadly, this is not an XSS vector because it's locked down to the 72×72 path, which only includes PNG images. If someone were to sneak a malicious SVG into the Twemoji repo, though, you could possibly do it (but that would also hack thousands of other sites at the same time, including Twitter).
I think there’s also some stuff @jeffalo could do to block certain file types, but I’m not sure about that.
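As an added example (not wasteof's code, and not something the post says the site actually does), here is what a server-side allowlist for this host could look like: it accepts only `https://cdn.jsdelivr.net/gh/twitter/twemoji@<version>/assets/72x72/<codepoints>.png` and rejects SVGs, other repos, userinfo tricks and `..` traversal. The `twitter/twemoji@<version>` path form and the hex-codepoint filename pattern are assumptions about the CDN layout, not facts from the post.

```javascript
// Added example: allowlist check for Twemoji 72x72 PNG URLs on jsDelivr.
// Assumed layout: /gh/twitter/twemoji@<version>/assets/72x72/<hex>[-<hex>...].png
const ALLOWED_HOST = "cdn.jsdelivr.net";
const ALLOWED_DIR = /^\/gh\/twitter\/twemoji@[0-9]+(?:\.[0-9]+)*\/assets\/72x72\/$/;
const ALLOWED_FILE = /^[0-9a-f]{2,6}(?:-[0-9a-f]{2,6})*\.png$/;

function isAllowedTwemojiImage(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser: lower-cases host, resolves "." and ".."
  } catch {
    return false; // not a parseable absolute URL
  }
  // Scheme and host must match exactly; "https://cdn.jsdelivr.net@evil.example/..."
  // parses with hostname "evil.example", so this check also defeats that trick.
  if (url.protocol !== "https:" || url.hostname !== ALLOWED_HOST) return false;
  if (url.username || url.password || url.port) return false;
  // Query and fragment are pointless for a static CDN file; deny them so an
  // attacker has nowhere to smuggle extra data into the rendered tag.
  if (url.search || url.hash) return false;
  // pathname is already normalised, so ".../72x72/../svg/x.svg" has become
  // ".../assets/svg/x.svg" and fails the directory check below.
  const slash = url.pathname.lastIndexOf("/");
  const dir = url.pathname.slice(0, slash + 1);
  const file = url.pathname.slice(slash + 1);
  return ALLOWED_DIR.test(dir) && ALLOWED_FILE.test(file);
}

// Constructed sample inputs (version number is illustrative).
const SAMPLE_URLS = [
  "https://cdn.jsdelivr.net/gh/twitter/twemoji@14.0.2/assets/72x72/1f600.png",
  "https://cdn.jsdelivr.net/gh/twitter/twemoji@14.0.2/assets/svg/1f600.svg",
  "https://cdn.jsdelivr.net/gh/twitter/twemoji@14.0.2/assets/72x72/../svg/1f600.svg",
  "https://cdn.jsdelivr.net@evil.example/gh/twitter/twemoji@14.0.2/assets/72x72/1f600.png",
];

function checkSamples() {
  return SAMPLE_URLS.map((u) => [u, isAllowedTwemojiImage(u)]);
}
```

Parse first, then compare components, rather than matching a regex against the raw string: the parser is what the browser will use to fetch the image, so validating its output closes the gap between what the filter sees and what actually gets loaded.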