Closed PythEch closed 10 years ago
@PythEch I was going to make a joke about there not being YouTube in Turkey, but I decided against it :P. Anyway, I'm always eager to do regex golfing, if you'd like.
Awesome! I'll use those if I ever need my privacy invaded by someone other than the NSA ;)
I fixed this for YouTube -- I've been meaning to push up my fix for YouTube embeds (http embeds wouldn't work on https) so this kills two birds with one stone. The downside is there are probably similar regex issues for some of the other embeds (Vimeo?), which may need to be tested.
@scouttyg Technically it's not a downside :) Great commit! Last time I tried, Vimeo's regex was too broken to cause a real issue.
On a side note:
It's possible to break image-embed if you pass two images at the same time. Something like this:
http://static.azgor.com/wp-content/uploads/octobiwan.jpg http://static.azgor.com/wp-content/uploads/octobiwan.jpg
I didn't report it because it's just an aesthetic issue. Nevertheless, it should be fixed.
I was trying to exploit the YouTube embed CoffeeScript. Not too long ago I said to myself, why not type the regex of it. :laughing:
I first thought my internet was cut off. Anyway, if someone writes this string to chat, Kandan stops working.
Gruyere calls this a vulnerability, but it's more like a bug to me.
By the way, how to reset Kandan? I killed 3 servers of mine to check if that string was related to this...
EDIT: These are the errors that Firefox's giving:
Chrome: ![](http://i.imgur.com/4ozHhwh.png)
Or better yet login to my server: http://lit-fortress-4042.herokuapp.com/
Here's a cleaner one if you get confused with whole mess of xss testings: http://kandan-demo2.herokuapp.com/
Further note, it seems like a javascript bug, because search still works: http://kandan-demo2.herokuapp.com/search?query=youtube.com
While I don't know the exact cause of this issue, I have some ideas.
I guess that string matches the regex but idRegex is null, hence the JavaScript fails.
It seems like you need to use regex groups for this thing. Two separate regexes smell like bad code. Although I haven't programmed Rails, I mean CoffeeScript, before, there may be good reasoning behind this; if so, please enlighten me.
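
The failure mode guessed at above (a message passes the detection regex while the separate ID regex returns null) next to the single-regex-with-capture-group fix, as an added example that is not part of the original issue or Kandan's code. The patterns, function names and sample messages are assumptions constructed for illustration.

```javascript
// Hypothetical patterns, not Kandan's own.
// Loose "is this a YouTube link?" check:
const DETECT = /https?:\/\/(?:www\.)?youtube\.com\S*/i;
// Separate pattern used afterwards to pull out the video id
// (assumed here to be 11 characters from [A-Za-z0-9_-]):
const ID_ONLY = /[?&]v=([\w-]{11})/;

// Fragile shape: assumes a DETECT hit implies an ID_ONLY hit.
function embedFragile(message) {
  if (!DETECT.test(message)) return null;
  // match() returns null when there is no id, so [1] throws TypeError
  const id = message.match(ID_ONLY)[1];
  return `https://www.youtube.com/embed/${id}`;
}

// Hardened shape: one pattern with a capture group, so detection and
// extraction cannot disagree; anything that does not match is left as text.
const WATCH =
  /https?:\/\/(?:www\.)?youtube\.com\/watch\?(?:\S*?&)?v=([\w-]{11})(?![\w-])/i;

function embedSafe(message) {
  const m = WATCH.exec(message);
  // Always emit an https embed so it also loads on an https page.
  return m ? `https://www.youtube.com/embed/${m[1]}` : null;
}

// True when the renderer handles the message without throwing.
function survives(render, message) {
  try { render(message); return true; } catch (e) { return false; }
}

// Constructed sample chat messages.
const SAMPLES = [
  "watch http://youtube.com/watch?feature=share&v=AAAAAAAAAAA now",
  "see http://youtube.com/ for more", // link-shaped, but carries no id
  "no links here",
];

for (const msg of SAMPLES) {
  console.log(JSON.stringify(msg),
    "| fragile ok:", survives(embedFragile, msg),
    "| safe:", embedSafe(msg));
}
```
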