Hacker News
by carterparks 977 days ago
Your website has the worst permalinks ever.
5 comments

> This blog is now STATELESS. The entire post is contained in the URL that you are visiting now. All my "blog" is now is a hard-coded main page that contains links to posts I claim authorship of. Of course the entire post is contained in each of these links.

https://joshcsimmons.com/post/H4sIAAAAAAAA%2F3xV227cRgx911cQ...

Yep, Josh has given everyone (apparent) write access to his site.
Awesome - and the first time I've actually had someone "post" on my site.
Watch out: virus/scam/spam sites can detect sites like yours and write tons of redirects, link them somewhere, and use your site's good reputation to get their scams on the home page. This is also a huge problem for redirect services.

If the wrong person publishes the wrong link, you can get your domain banned from Google and tons of other sites as a "security risk", which can spread to your email (if you use @joshcsimmons.com).

It's fine if you don't care about blacklists of course, but this kind of abuse can easily sneak up on you.

You're welcome. :D

The client-side XSS is mostly harmless (assuming you don't have any other sensitive services running with cookies scoped to this domain), although it's technically a persistent XSS, which means it could be indexed by search engines.

But is there a server-side component to this? I noticed that the "disclaimer" is added in the source returned by the server, so I assume there is some code that checks whether the post is present on the home page? If so, that could be dangerous, if there is a bug in that code such that a malicious payload in the URL could get RCE in your server process.

I've just added some defensive programming to the site. Sorry to say. Appreciate that you hacked it with your image onerror, pretty clever.

TBH I haven't thought about most of these things. Nobody typically reads my blogs when I've made them before and this is likely the only interest it will get for quite a while.

lol :) nice fix

Can't promise I won't circumvent it when I've got some time...

https://joshcsimmons.com/post/H4sIAAAAAAAAAyXMQQrCMBCF4b2neO...

Doesn't need to release tools... gzip, base64 and uri encode uh huh.

So if the author fixes a small typo in the post, they break all the links to it. The blog is not "stateless", it's just that its state is stored in the homepage. Having all posts on that page with anchor links would achieve the same thing with shorter links that don't depend on the content.
It won’t break any existing links. It just means that existing links will still have the typo.
doesn't this mean I could embed salacious material into a link and fool people into thinking the person who owned this website wrote it?
> Anything can be generated here. You could even host your own blog that uses my website as a renderer if you really wanted to. It supports markdown.

> Every post that I want to publicly claim authorship of lives at the root of this site. If you are reading a post that I have claimed it will look like this page. Posts of unknown authorship have a disclaimer at the top of the page.

https://joshcsimmons.com/post/H4sIAAAAAAAA%2F3xV227cRgx911cQ...

(His permalinks are horrible, lol)

>Posts of unknown authorship have a disclaimer at the top of the page.

Problem is, the posts can contain <script> elements. So it's easy to just write a little JavaScript that removes the disclaimer at the top. See this hastily-made, immature example of mine:

https://joshcsimmons.com/post/H4sIABO8LmUC/3VT0W7aQBB85yu2QV...

As it stands, this really isn't the most secure system. Something much more malicious could be injected into this!

This gave me a pretty good laugh. I have some sanitization and guards set up now. TBH I never really expected anyone to visit my blog.
Shouldn’t it be “shat”?

Either way, considering the submission we’re commenting on, the author of the blog may appreciate your humour.

Correct
I was halfway expecting goatse
unfortunately patched now
XSS as a feature, neat
I don't understand how this helps ownership of content? What situation is this trying to avoid? You already "own" your URL if you own your domain?

EDIT: understand you are not the OP btw, just wondering out loud.

The only thing I can think of is if they want to share controversial posts while having the ability to deny that they wrote it (as long as they don’t actually create a link to it from their own site).

It’s not a good use case IMO, but that is all I can think of lol

Huh, cool. I think it's a pretty terrible idea, but I'm glad people are still doing fun/creative things with websites. Keeping the spirit of the early web alive. haha :)
Translation: This guy is insufferable
If you're going to do that, you should at least generate shortened URLs as well.
But then it’s not stateless anymore.
It's not stateless at all because of the main page, so this is more of a weird anti-optimization.
But how does it know whether it should print the pretext?
oh no -- it's actually vulnerable to xss...!!!

https://joshcsimmons.com/post/eNpTVlaoKC5WSEnNzefisilOLsosKL...

(this just injects a <script> alert but.... that's bad)

just tried contacting the author via linkedin (since I don't see an email address on their site)

@joshcsimmons are you around?

The author is aware.

> Every post that I want to publicly claim authorship of lives at the root of this site. If you are reading a post that I have claimed it will look like this page. Posts of unknown authorship have a disclaimer at the top of the page.

https://joshcsimmons.com/post/H4sIAAAAAAAA%2F3xV227cRgx911cQ...

> The author is aware.

Since the website is vulnerable to XSS, you could inject a script that removes the disclaimer.

Very clever. For those wondering, this won't gunzip since it's compressed using zlib. You must do a chain like this: URL Decode -> Base64 Decode -> Zlib Inflate.
right on! I used https://bugdays.com/gzip-base64 to go back and forth.

base64 generates slashes, so the site (and I) run encodeURIComponent in the devtools on the resulting base64 to make sure it's completely url-safe.

---

the poc "payload" is

eNqzKU4uyiwosUvJTy7NTc0r0UtPLXHNSQUxi50qnXMSi4v9EnNTNdRzMtMzStQ1ow1i9YpSc%2FPLUjU0bfShmrm4lBVKMjKLFYAoKTEFACeDHYg%3D

which uri-component-decodes to:

eNqzKU4uyiwosUvJTy7NTc0r0UtPLXHNSQUxi50qnXMSi4v9EnNTNdRzMtMzStQ1ow1i9YpSc/PLUjU0bfShmrm4lBVKMjKLFYAoKTEFACeDHYg=

which un-base64+gzip's to (using the site I posted above):

  <script>document.getElementsByClassName('light')[0].remove()</script>

  # this is bad
Hah this is clever. Mixed feelings on patching this but I patched it for now.
s/removes the disclaimer/exploits a browser 0-day/
There are much less weird links you can give someone if you have 0-day. I don't think that's a problem worth worrying about for the author.
It’s a problem worth worrying about for users who maintain whitelists of domains they allow JavaScript from.
for sure, there's awareness and then there's disregard of any basic web security.

the second they start hosting any application/backend/cookie-enabled thing on this domain name, anyone could inject a script via their /post/ gzip-base64 scheme, and do bad things...?

I don't think html sanitization would go against the principle of this idea. just... at the very least strip the tags! :-)
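The decode chain spelled out above (URL decode -> base64 decode -> inflate) and the "at the very least strip the tags" suggestion, as an added example that is not the blog's own code: it rebuilds a /post/ segment both ways, auto-detects the gzip ("H4sI...") and zlib ("eNq...") variants seen in the thread's links, and runs the decoded HTML through an allowlist sanitizer that drops script/style bodies, on* handlers and javascript: URLs. The sample post, tag allowlist and function names are constructed for this example.

```python
import base64
import gzip
import html
import urllib.parse
import zlib
from html.parser import HTMLParser

# Constructed sample post (not from the page): benign markup plus the two payload shapes the thread mentions.
SAMPLE_HTML = '<h1>Hello</h1><p>A <b>post</b>.</p><script>alert(1)</script><img src=x onerror=alert(1)>'
ALLOWED_TAGS = {"h1", "h2", "h3", "p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "code", "pre", "br", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}  # every other attribute, including on* handlers, is dropped
SAFE_PREFIXES = ("http://", "https://", "/")             # rejects javascript: and data: URLs in href/src

def encode_post(text, use_gzip=False):
    # Forward chain from the thread: compress -> base64 -> URI-component encode (gzip yields H4sI..., zlib eN...)
    raw = gzip.compress(text.encode()) if use_gzip else zlib.compress(text.encode(), 9)
    return urllib.parse.quote(base64.b64encode(raw).decode(), safe="")

def decode_post(segment):
    # Reverse chain: URL decode -> base64 decode -> inflate; MAX_WBITS | 32 auto-detects a gzip or zlib header
    raw = base64.b64decode(urllib.parse.unquote(segment))
    return zlib.decompress(raw, wbits=zlib.MAX_WBITS | 32).decode()

class Sanitizer(HTMLParser):  # allowlist: keep ALLOWED_TAGS, drop <script>/<style> bodies and unlisted attributes
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                value = value or ""
                if name in ALLOWED_ATTRS.get(tag, ()) and (name not in ("href", "src") or value.strip().lower().startswith(SAFE_PREFIXES)):
                    kept += f' {name}="{html.escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(text):  # run on the decoded post before it is inserted into the DOM
    parser = Sanitizer()
    parser.feed(text); parser.close()
    return "".join(parser.out)
```

Text nodes are re-escaped on output, so a post that spells out `&lt;script&gt;` still renders as literal text rather than becoming a tag.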

Apparently the post data is encoded in the URL.

I'm not saying you're wrong. You're right, but at least it's for an interesting reason.

Agreed. Went to share the link and it was such a wall of text I deleted it.
Did the same thing. I guess it's fine if he doesn't want anybody to share his website, but in that case ... Why have a website
The secret 3rd option
Similar idea to itty.bitty.site, smolsite.zip, or parameter.page