Hacker News new | ask | show | jobs
by _Microft 1881 days ago
Did you fix the bug in the tixy.land code where one could inject as much code as wanted via location.hash?

Here is the post from when I discovered it:

https://news.ycombinator.com/item?id=24980221

Edit: no, that still works, here is an example:

https://doersino.github.io/tixyz/?code=eval(%27%2F*%27%2Bpar...
1 comments
doersino 1881 days ago
That "bug" has become sort of a feature – the author of tixy.land added support for it a while ago [1], which I also merged into tixyz.

[1]: https://twitter.com/aemkei/status/1325918933375987712

link
AntonyGarand 1881 days ago
I assume he means the size of the payload remains technically below 32 while the "real" code is larger due to evaluating location.hash. `eval(location.hash.substring(1))` is 32 characters, but the hash itself can be few kilobytes

I used this to merge two tixies a while back, and execute an XSS as proof of concept [0]

[0] https://twitter.com/AntoGarand/status/1327101941760086017

link
_Microft 1881 days ago
Interesting, I thought I had exhausted the list of string modification functions when checking how to work around the hash symbol. That's nicer than my solution by far.
link