Show HN: HN comments sidebar bookmarklet

gist.github.com

49 points by srimukh 3 years ago · 13 comments

arkadiyt 3 years ago

This is trivially vulnerable to XSS [1]. Someone can leave a comment of the form:

    https://"><script>alert(1)</script>

and if you click the bookmarklet for the page that comment was discussing then their javascript will execute in your logged in context on that website.

[1]: https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...

  • srimukhOP 3 years ago

    Thank you for spotting this! I updated the code to escape some special characters.

    For people reading this, the parent comment is referring to this line[1] from a previous revision of the gist.

    [1]: https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...

    • arkadiyt 3 years ago

      > For people reading this, the parent comment is referring to this line[1] from a previous revision of the gist.

      That was not the line, it was linking to this innerHTML call: https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...

      Also as a defense mitigation I don't think escaping is ever going to be effective, it would be better to create anchor elements directly. With your current approach I can still XSS with, for instance:

          https://"onmouseenter=alert(1)"

      • srimukhOP 3 years ago

        Thanks! For now, I added a warning under the gist. Not that this is an excuse, but I put this together in about 30 minutes using GPT-4 for fun without much consideration about robustness or security. I will maybe try to rewrite it when I find time.

        • jfdi 3 years ago

          Please do! Besides being a fun exercise it’s also a neat idea. Comments from the HN community make the content posted almost always more interesting imho

          • srimukhOP 3 years ago

            I took the advice and updated the code to generate DOM nodes instead of setting HTML directly - it should decrease the risk of XSS.
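The three stages of the exchange above, as an added example that is not part of the thread or of the gist: a string built for innerHTML (the original), the same string with only &, < and > escaped (what the "escape some special characters" revision is assumed to look like; the second payload still breaks out of the href attribute because quotes are untouched), and an anchor built with DOM APIs, where setAttribute and textContent never invoke the HTML parser. The http(s)-only scheme check and the fakeDocument stand-in are assumptions added here, not part of the thread; the scheme check matters because a DOM-built anchor still runs a "javascript:" href when clicked.

```javascript
// Added example; not the gist's code. Constructed payloads are the two quoted in the thread.
const PAYLOAD_TAG = 'https://"><script>alert(1)</script>';
const PAYLOAD_ATTR = 'https://"onmouseenter=alert(1)"';

// Stage 1 (vulnerable): interpolate untrusted comment text into markup destined for innerHTML.
function linkMarkupUnsafe(url) {
  return `<a href="${url}">${url}</a>`;
}

// Stage 2 (partial fix, assumed shape): escape only & < >. Quotes are left alone,
// so an attacker can still end the href attribute early and add new attributes.
function escapeAngles(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function linkMarkupEscaped(url) {
  const e = escapeAngles(url);
  return `<a href="${e}">${e}</a>`;
}

// Detection check for the string approaches: does the href attribute in the generated
// markup still hold the whole intended value? If an attacker's quote closed it early,
// the remainder is parsed as further attributes (e.g. onmouseenter=...) instead of URL text.
function hrefIsIntact(markup, intendedUrl) {
  const m = /href="([^"]*)"/.exec(markup);
  if (m === null) return false;
  const decoded = m[1].replace(/&gt;/g, '>').replace(/&lt;/g, '<').replace(/&amp;/g, '&');
  return decoded === intendedUrl;
}

// Stage 3 (DOM nodes): the browser stores attribute and text values as plain strings;
// quotes and angle brackets in them are inert. Only http(s) targets are accepted
// (assumption added here), since a javascript: href is still live in a DOM-built anchor.
function makeLink(url, doc = globalThis.document ?? fakeDocument) {
  if (!/^https?:\/\//i.test(url)) return null;
  const a = doc.createElement('a');
  a.setAttribute('href', url);
  a.setAttribute('rel', 'noopener noreferrer');
  a.textContent = url;
  return a;
}

// Constructed stand-in for document.createElement so the example runs outside a
// browser; in the bookmarklet the real document is used.
const fakeDocument = {
  createElement(tag) {
    return {
      tagName: tag.toUpperCase(),
      attributes: {},
      textContent: '',
      setAttribute(name, value) { this.attributes[name] = String(value); },
    };
  },
};

// Summary of how each stage handles the two payloads, for running stand-alone.
function report() {
  return [PAYLOAD_TAG, PAYLOAD_ATTR].map((p) => ({
    payload: p,
    unsafeIntact: hrefIsIntact(linkMarkupUnsafe(p), p),
    escapedIntact: hrefIsIntact(linkMarkupEscaped(p), p),
    domHref: makeLink(p, fakeDocument).attributes.href,
  }));
}
console.log(report());
```

The check in hrefIsIntact is a detection aid for reviewing string-built markup, not a sanitizer: the fix the thread arrives at is to stop building markup from untrusted text at all and let setAttribute and textContent carry the values.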

puika 3 years ago

Very handy. Ironic that it cannot work with this very post due to github's CSP

Agree2468 3 years ago

There was an extension called Epiverse that used to do this + reddit comments, I dearly miss it. Although I began to notice that I was more concerned with the comments than the pages themselves.

samstave 3 years ago

Great! Would be cool if you added a "transparency" slider to the overlay? Or the ability to snap to a split of both in the same page as well as an overlay.

tough 3 years ago

Very cool, would be nice to be able to somehow open all links from hn directly with the side-loaded comments!

  • srimukhOP 3 years ago

    Thanks! That’s even better — although I think you’d need to create an extension out of this to be able to do that.
