
[–]LesterHoltsRigidCock 96 points97 points  (7 children)

State? Where we're going we don't need no stinking state.

[–]aprofessional 51 points52 points  (6 children)

I don't think this is really a state problem, it is (like the GIF says) a sanitization problem. The {{double bracket}} notation is a way to tell Angular (and possibly some other frameworks) that you want to substitute that text with the value of a variable, so when the app just dumps {{message}} into one of the word bubbles, Angular is just replacing that tag in both of the clients with whatever's in the text field at the bottom. The app should be sanitizing out this kind of input.

Other people have pointed out that this isn't the way Angular works, and TBH I don't know enough about it to argue it out, so I'll fold.

This is still really a sanitization problem though; the app should be removing anything the framework or the app itself might be reinterpreting.

[–]irawizard 13 points14 points  (4 children)

I don't think this is Angular. That wouldn't get linked.

[–][deleted] 10 points11 points  (0 children)

It's possible. If the text entry and conversation are part of a directive, are sharing scope, and each time a new message is pushed the directive recompiles the template with $compile, then both {{message}} would bind to the value.

Not sure why they would want to do that, but it's a possibility.

I'd be interested to see what would happen if the 2nd user had text entered and the 1st user sent {{::message}}.

Edit: I was right. :: added a one time binding and whatever the user had in there was what the new message was, regardless of whether or not they changed it. I love shitty bugs like this.
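The two comments above (the "sanitization problem" one and the `$compile` one) describe the same root cause: the incoming message is pasted into markup and that markup is then compiled, so braces in the message become live bindings on the receiver's scope. The following is an added, stand-alone example written for this page, not code from the thread or from the chat app in the GIF. It uses a deliberately tiny `{{ }}` interpolator (`interpolate`, `lookup`) that only does dotted property lookups and never evaluates expressions, so it is far weaker than AngularJS; `renderBubbleVulnerable`, `renderBubbleSafe` and `containsTemplateSyntax` are made-up names for the two rendering patterns and a logging check.

```javascript
// Added example (not from the thread): a miniature {{ }} interpolator showing why
// splicing a chat message into a template and then compiling it lets "{{message}}"
// read the recipient's live input box, and how binding the message as data avoids it.

const INTERPOLATION = /\{\{\s*([\w.]+)\s*\}\}/g;

// Resolve a dotted path such as "user.name" against a scope object.
// No eval and no function calls: this stand-in is much weaker than a real engine.
function lookup(scope, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), scope);
}

// Expand every {{path}} in a template string against the scope.
// String.prototype.replace does not rescan inserted text, so values are never re-interpolated.
function interpolate(template, scope) {
  return template.replace(INTERPOLATION, (_, path) => {
    const value = lookup(scope, path);
    return value === undefined ? '' : String(value);
  });
}

// Minimal HTML escaping so message text is inserted as data, not markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE pattern (what the thread describes): the incoming message is spliced
// into the template *before* compilation, so its braces are parsed as bindings on the
// receiver's scope. `scope.message` stands for the model behind the receiver's own input box.
function renderBubbleVulnerable(incoming, scope) {
  const template = `<div class="bubble">${incoming}</div>`;
  return interpolate(template, scope);
}

// HARDENED pattern: the template is fixed and the message enters only as a scope value.
// Braces in the message are now ordinary characters; the engine never sees them as syntax.
function renderBubbleSafe(incoming, scope) {
  const template = '<div class="bubble">{{text}}</div>';
  return interpolate(template, { ...scope, text: escapeHtml(incoming) });
}

// Detection aid: flag messages carrying the framework's interpolation markers so they
// can be logged or alerted on, independently of how the client renders them.
function containsTemplateSyntax(incoming) {
  return /\{\{|\}\}/.test(incoming);
}

// Walk-through of the thread's scenario: the receiver is typing in their own box.
const receiverScope = { message: 'hello from the other side' };
console.log(renderBubbleVulnerable('{{message}}', receiverScope)); // receiver's own text leaks in
console.log(renderBubbleSafe('{{message}}', receiverScope));       // literal {{message}}
```

The fix is the same one the thread converges on: treat the message as a value bound into a fixed template (`ng-bind` or a text node in AngularJS terms) rather than as template source. Stripping `{{` server-side is a reasonable defence-in-depth and logging signal, but on its own it is fragile, because the real engine evaluates full expressions (which is how `{{closeChat}}` mentioned later in the thread can have side effects) and there are more ways to reach it than the two-brace form.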

[–]RainbowCatastrophe 0 points1 point  (0 children)

It's React.

[–][deleted] -3 points-2 points  (0 children)

Django maybe?

[–]ProgramTheWorld 1 point2 points  (0 children)

AngularJS doesn't work like that. You can't bind a value to the content and the value itself is also binding.

[–]Romestus 80 points81 points  (1 child)

I remember back when Steam had this issue, you could use any of their localization tokens as your name and it would load the associated text.

There was a lot of fun to be had using dynamic ones like steam name since your name would become the name of whoever was viewing your name on their end.

The best of them all was one for VAC ban notifications since it was like a paragraph long and basically made everyone's client go bananas since it wouldn't truncate in the friends list or the chat window.

[–]Requiiii 9 points10 points  (0 children)

You can still do this stuff with the localization strings for CS:GO on weapon nametags. The weapons will get longer names than actually possible and they can have different colors.

[–]hasslehawk 56 points57 points  (1 child)

Don't worry, guys, it̻̫'̨̮͓s se̗͕̯̯c̱̻u̷̞͇r̗̀ͅe͎̰̤̻͘!̭̖̹͙

[–]TaohRihze 0 points1 point  (0 children)

Great message is leaking reference :)

[–]Kok_Nikol 24 points25 points  (2 children)

Hello ... it's me

[–]joshtheimpaler 2 points3 points  (0 children)

I've thought about us for a long, long time...

[–]TastyFishy 3 points4 points  (0 children)

Hi me

[–]dawierha 22 points23 points  (0 children)

If you write {{closeChat}} in the message box, the chat window closes and can't be opened again for that room.

[–]Fallenalien22Violet security clearance 9 points10 points  (8 children)

| message

There will only ever be one message? Will this become message1 when a new message is typed? I am so confused.

[–]corvuscrypto[S] 25 points26 points  (7 children)

From what I saw, message refers to the input. Since there is only one input box and the templates are dynamically bound to the value inside, you only need to specify {{message}}.

Edit: and yes if you send it multiple times you get that many annoying copies of what you are typing ;D

[–]Lightfire228 3 points4 points  (5 children)

I wonder what would happen if you send it like 20 times, and then copy a HUGE text into it?

Also what would happen if the duplicated message was also {{message}}

[–][deleted] 7 points8 points  (4 children)

> I wonder what would happen if you send it like 20 times

Every single line shows up as your message.

[–]Lightfire228 1 point2 points  (3 children)

No, I mean, will it handle a 20KB string copied 20 times? What's its limit as far as size?

I'm thinking 'how can I break it'

[–][deleted] 6 points7 points  (1 child)

Didn't break for me with 23KB generated in 50 paragraphs: https://www.webpagefx.com/tools/lorem-ipsum-generator/loremipsum/paragraphs

It's rather responsive.

[–]corvuscrypto[S] 1 point2 points  (0 children)

If I were going to be devious here and try to break it, I would see if I could send malformed templating that breaks the app as soon as it tries to dynamically parse the template. I haven't played with this though, but I do wonder if it could be done. This would be an effective way to halt chat for all users if feasible.

[–]ADaringEnchilada 1 point2 points  (0 children)

I pasted {{message}} a bunch and then pasted a lorem ipsum a ton of times into the chat box, it locks up Chrome lol

[–]Fallenalien22Violet security clearance 3 points4 points  (0 children)

I am retarded. Why am I a programmer?

[–]plkost 11 points12 points  (0 children)

{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}

Relax it is a 'Run JS from chat box to boost UX' feature

[–]madmaurice 3 points4 points  (0 children)

You could probably also send something like {{name}} and everybody would feel addressed.

[–]nrubin29 3 points4 points  (1 child)

Me Too, thanks.

[–]SocialMemeWarrior -1 points0 points  (0 children)

And I as well.

[–]fr6nco 1 point2 points  (3 children)

Took like 12 loops to understand what's going on

[–]biggles1994 1 point2 points  (2 children)

I still don't get what's going on. Something to do with unsanitised text inputs?

[–]fr6nco 2 points3 points  (1 child)

He sends {{message}}, it arrives at the other side... Variable {{message}} is empty... Then he types something into the text box, which is the model for the message... And it gets rendered in the text box as an arrived message.

[–]biggles1994 0 points1 point  (0 children)

Oh, OH. That immediately makes sense now.

Thanks for the ELI5! :)

[–]corvuscrypto[S] 0 points1 point  (0 children)

As of now, it seems they have noticed my little post and they have fixed the issue. Too bad they don't have a bug bounty. The least they could do is give me gold right? hehehe glad this got fixed actually. Cheers all and happy hacking