Show HN: HN comments sidebar bookmarklet (opens in new tab)

(gist.github.com)

49 pointssrimukh2y ago12 comments

12 comments

This is trivially vulnerable to XSS [1]. Someone can leave a comment of the form:

    https://"><script>alert(1)</script>

and if you click the bookmarklet for the page that comment was discussing then their javascript will execute in your logged in context on that website.

[1]: https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...

srimukhOP2y ago

Thank you for spotting this! I updated the code to escape some special characters.

For people reading this, the parent comment is referring to this line[1] from a previous revision of the gist.

[1]: https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...

arkadiyt2y ago

> For people reading this, the parent comment is referring to this line[1] from a previous revision of the gist.

That was not the line, it was linking to this innerHTML call: https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...

Also as a defense mitigation I don't think escaping is ever going to be effective, it would be better to create anchor elements directly. With your current approach I can still XSS with, for instance:

    https://"onmouseenter=alert(1)"

1 more reply

puika2y ago

Very handy. Ironic that it cannot work with this very post due to github's CSP

Agree24682y ago

There was an extension called Epiverse that used to do this + reddit comments, I dearly miss it. Although I began to notice that I was more concerned with the comments than the pages themselves.

toomuchtodo2y ago

https://epiverse.co/

Relevant comment: https://news.ycombinator.com/item?id=30187483

samstave2y ago

Great!, would be cool if you added "transparency" slider to the overlay? Or ability to snap to split of both in same page as well as an overlay.

tough2y ago

Very cool, would be nice to be able to somehow open all links from hn directly with the side-loaded comments!

srimukhOP2y ago

Thanks! That’s even better — although I think you’d need to create an extension out of this to be able to do that.

j / k navigate · click thread line to collapse

12 comments

arkadiyt2y ago

This is trivially vulnerable to XSS [1]. Someone can leave a comment of the form:

    https://"><script>alert(1)</script>

and if you click the bookmarklet for the page that comment was discussing then their javascript will execute in your logged in context on that website.

[1]: https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...

srimukhOP2y ago

Thank you for spotting this! I updated the code to escape some special characters.

For people reading this, the parent comment is referring to this line[1] from a previous revision of the gist.

[1]: https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...

arkadiyt2y ago

> For people reading this, the parent comment is referring to this line[1] from a previous revision of the gist.

That was not the line, it was linking to this innerHTML call: https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...

    https://"onmouseenter=alert(1)"

1 more reply

puika2y ago

Very handy. Ironic that it cannot work with this very post due to github's CSP

Agree24682y ago

There was an extension called Epiverse that used to do this + reddit comments, I dearly miss it. Although I began to notice that I was more concerned with the comments than the pages themselves.

toomuchtodo2y ago

https://epiverse.co/

Relevant comment: https://news.ycombinator.com/item?id=30187483

samstave2y ago

Great!, would be cool if you added "transparency" slider to the overlay? Or ability to snap to split of both in same page as well as an overlay.

tough2y ago

Very cool, would be nice to be able to somehow open all links from hn directly with the side-loaded comments!

srimukhOP2y ago

Thanks! That’s even better — although I think you’d need to create an extension out of this to be able to do that.

j / k navigate · click thread line to collapse