flex's profile @flex

so basically, i’m making my own tiny frontend for fun and learning nuxt stuff, and posts are plain html, but the wasteof api makes it xss proof so thats cool :)

flex's profile @flex

<script>alert(1)</script>

(ignore this)

Mar 7, 2024, 4:37 AM
7 2 0
Mar 7, 2024, 2:28 PM
6 0 8

comments

errplane's profile @errplane Mar 7, 2024, 11:25 PM

hey!!! im doing that!!! /j (should probably announce mine though)

flex's profile @flex Mar 8, 2024, 1:13 AM

!!

(yeah lol)

lily's profile @lily Mar 7, 2024, 3:17 PM

you actually can post actual html, jeffalo’s be removes like 99% of tags and attributes though

radi8's profile @radi8 Mar 7, 2024, 3:03 PM

how does the wasteof API make it xss-proof?

lily's profile @lily Mar 7, 2024, 3:16 PM

dompurify

radi8's profile @radi8 Mar 7, 2024, 3:22 PM

the backend does that? I thought that was just the frontend.

lily's profile @lily Mar 7, 2024, 3:36 PM

both do

if it didn’t, we’d’ve had both of the following:

  1. xss attack

  2. funny cohost esque css crimes

flex's profile @flex Mar 7, 2024, 3:45 PM

afaik the frontend may just use v-html

since the backend does the purifying afaik