by arkadiyt 1306 days ago
Heads up this is vulnerable to cross site scripting [1]. If someone submits a link like:

    https://example.com"><script>alert(1)</script>

Then simply viewing the hackernews index page with this extension installed will let the submitter execute whatever javascript they want in your logged in hackernews context - no user interaction necessary.

[1]: https://github.com/MostlyEmre/hn-anti-paywall/blob/main/scri...

2 comments

I can't thank you enough for pointing that out. Appreciated. I looked into it and pushed an update, hopefully it should fix it. I no longer use innerHTML, instead I now generate links properly via createElement, appendChild, all that jazz.

GreasyFork build is also updated. I recommend anyone who installed the userscript (thanks!) to update.
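
The change described in the reply above, sketched as an added example that is not part of the thread and is not the userscript's own code. All function names are hypothetical, the sample URL is the one quoted in the first comment, and the http(s) allowlist is an extra check added here, not something the thread says the fix includes.

```javascript
// Constructed sample input: the submitted URL quoted in the first comment.
const SAMPLE_URL = 'https://example.com"><script>alert(1)</script>';

// Unsafe pattern: the URL is concatenated into markup that is later assigned
// to innerHTML. The quote inside the URL closes the href attribute, so the
// remainder of the string is parsed as markup instead of as part of the URL.
function unsafeLinkHtml(rawUrl) {
  return '<a href="' + rawUrl + '">link</a>';
}

// Parse the URL and allow only http(s). Returns the normalized href or null.
// The allowlist matters even with DOM APIs: a javascript: URL assigned to
// a.href is not parsed as HTML, but it still runs when the link is clicked.
function safeHref(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch (err) {
    return null; // not a parseable absolute URL
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null;
  }
  return parsed.href;
}

// Safe pattern: build the element with DOM APIs. `doc` is the page's
// `document`; it is a parameter so the function can run outside a browser.
function appendLink(doc, parent, rawUrl, label) {
  const href = safeHref(rawUrl);
  if (href === null) {
    return null; // skip the link rather than emit something unexpected
  }
  const a = doc.createElement('a');
  a.href = href;         // set as a property, never parsed as HTML
  a.textContent = label; // inserted as text, not as markup
  parent.appendChild(a);
  return a;
}
```

In a userscript the call would be `appendLink(document, container, url, 'link')`, where `container` is whatever element the link is attached to.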

Does HN allow links like that?

It does... but it's urlencoded so unsure if vulnerable with this user script: https://news.ycombinator.com/item?id=33796527

Still a good idea to patch though.

a) I'd never run an extension like this.

b) for the auth, yeah, probably a good idea to patch

c) for HN, probably a good idea to sanitize those inputs!