
Don't use this for anything where you don't want cross-site-scripting vulnerabilities...



What would such a cross-site scripting vuln do? There isn't anything to steal.

Moreover you wouldn't use this for anything where you aren't in control of where people get the links from, because as soon as someone else starts sharing it they can of course edit it too.


The trustworthiness of the domain name would effectively be stolen.


I disagree. It's more similar to how you can "inject" your scripts into fiddle.jshell.net (via JSFiddle), googleusercontent.com (via Google Translate), etc.

Have a look at https://fiddle.jshell.net/pvcL4mjh/1/show/light/

Would you call that XSS / did I just steal JSFiddle's trustworthiness?


That's a fair point.



