by hk__2 977 days ago
> The author is aware.

Since the website is vulnerable to XSS, you could inject a script that removes the disclaimer.


Very clever. For those wondering, this won't gunzip since it's compressed using zlib. You must do a chain like this: URL Decode -> Base64 Decode -> Zlib Inflate.
Right on! I used https://bugdays.com/gzip-base64 to go back and forth.

base64 generates slashes, so the site (and I) run encodeURIComponent in the devtools on the resulting base64 to make sure it's completely url-safe.

---

the poc "payload" is

eNqzKU4uyiwosUvJTy7NTc0r0UtPLXHNSQUxi50qnXMSi4v9EnNTNdRzMtMzStQ1ow1i9YpSc%2FPLUjU0bfShmrm4lBVKMjKLFYAoKTEFACeDHYg%3D

which uri-component-decodes to:

eNqzKU4uyiwosUvJTy7NTc0r0UtPLXHNSQUxi50qnXMSi4v9EnNTNdRzMtMzStQ1ow1i9YpSc/PLUjU0bfShmrm4lBVKMjKLFYAoKTEFACeDHYg=

which un-base64+gzip's to (using the site I posted above):

  <script>document.getElementsByClassName('light')[0].remove()</script>

  # this is bad
Hah this is clever. Mixed feelings on patching this but I patched it for now.
s/removes the disclaimer/exploits a browser 0-day/
There are much less weird links you can give someone if you have 0-day. I don't think that's a problem worth worrying about for the author.
It’s a problem worth worrying about for users who maintain whitelists of domains they allow JavaScript from.