ccd0 / 4chan-x

Adds various features to anonymous imageboards.
https://www.4chan-x.net/
Other
993 stars 135 forks source link

Custom JS functions? #2232

Open ghost opened 5 years ago

ghost commented 5 years ago

I'd like a way to add custom functions within the 4chanX userscript itself in the same way I can add custom CSS in Settings > Advanced. It would be nice having a way to carry settings, custom css and custom functions within the same file. Right now I'm forced to make a dedicated userscript that works in tandem with 4chanX using its events (like the QR creation event). Is this a dangerous practice? I would make edits to the 4chanX script itself but that would break after eachupdate, of course

image

saxamaphone69 commented 5 years ago

I would assume that running JavaScript within 4chan X could be left open to exploitation to vulnerable users.

I've been running an extra custom userscript alongside 4chan X for over 5 years now. One extra userscript that's a few lines long won't tank your computer.

ghost commented 5 years ago

I'm not really worried about the weight of a single userscript on my machine but I was just wondering if I could cut edges using a single userscript. I stopped using additional userscripts/addons to customize CSS since 4chanX lets me do that so I wanted to do the same with my custom functions.

Speaking of exploitations, how a toggled off custom JS would be more dangerous than an userscript manager itself like violentmonkey and similar? I get the intrinsic risk in javascript but it's not like you need to get special permissions to install userscripts on your browser right now. I think an ill-intentioned person could exploit both regardless, maybe violentmonkey even more since it only requires a single install button instead of toggling an option on and pasting functions within

ccd0 commented 5 years ago

The issue with a naive implementation of custom JS in 4chan X (or in site Javascript like 8chan's) is that if someone finds a script injection vulnerability in anything the user is using, they can add custom JS silently without asking user permission, then hide all traces of it being installed, making their exploit permanent, at least until the user uninstalls 4chan X. Userscript managers prompt the user when they install something and don't give userscripts any opportunity to hide themselves on the list of active scripts. The first security measure could probably be implemented in 4chan X; the second would be a bit harder. There are probably other security concerns I haven't thought of. I don't see that the headache is worth it, especially since most people running 4chan X will already have a userscript manager installed, if only to run 4chan X.