[Quarrelsome]

doesn't this mean I could embed salacious material into a link and fool people into thinking the person who owned this website wrote it?

[generalizations]

> Anything can be generated here. You could even host your own blog that uses my website as a renderer if you really wanted to. It supports markdown.

> Every post that I want to publicly claim authorship of lives at the root of this site. If you are reading a post that I have claimed it will look like this page. Posts of unknown authorship have a disclaimer at the top of the page.

https://joshcsimmons.com/post/H4sIAAAAAAAA%2F3xV227cRgx911cQ...

(His permalinks are horrible, lol)

[jbarrs]

>Posts of unknown authorship have a disclaimer at the top of the page.

Problem is, the posts can contain <script> elements. So it's easy to just write a little JavaScript that removes the disclaimer at the top. See this hastily-made, immature example of mine:

https://joshcsimmons.com/post/H4sIABO8LmUC/3VT0W7aQBB85yu2QV...

As it stands, this really isn't the most secure system. Something much more malicious could be injected into this!

[joshcsimmons]

This gave me a pretty good laugh. I have some sanitization and guards set up now. TBH I never really expected anyone to visit my blog.

[latexr]

Shouldn’t it be “shat”?

Either way, considering the submission we’re commenting on, the author of the blog may appreciate your humour.

[joshcsimmons]

Correct

[pjot]

I was halfway expecting goatse

[hundchenkatze]

Yes...

https://joshcsimmons.com/post/H4sICIi6LmUAA3RtcC5odG1sADWMMQ...

[joshcsimmons]

unfortunately patched now

[bravetraveler]

XSS as a feature, neat