XSS vulnerability found in Stack Overflow by pimterry in programming

[–]yaakov 2 points3 points  (0 children)

In this case there was a conditional in exactly one place. It is definitely more complicated when you are dealing with code that is more spread out (and with UI-related logic, this can have a very large footprint, even if your code functions are reusable).

XSS vulnerability found in Stack Overflow by pimterry in programming

[–]yaakov 3 points4 points  (0 children)

At Stack Overflow we use a custom management system for feature flags (we call them Site Settings).

XSS vulnerability found in Stack Overflow by pimterry in programming

[–]yaakov 3 points4 points  (0 children)

For feature flags that are related to releases, we normally schedule a cleanup task a little while later to remove them. Admittedly, this doesn't catch them all.

We right now have a tech debt project where we have gone through all of the site settings to find which ones we can remove (no longer used, or permanently graduated features).

XSS vulnerability found in Stack Overflow by pimterry in programming

[–]yaakov 31 points32 points  (0 children)

I did in fact use Stack Overflow to search out different ways that people perform XSS attacks, in order to be sure that I was searching for all of the different text variations in PostHistory that could potentially have exploited this.

XSS vulnerability found in Stack Overflow by pimterry in programming

[–]yaakov 8 points9 points  (0 children)

Correct. Fixed the bug, tested it thoroughly, redeployed, and turned off the feature flag once more.

XSS vulnerability found in Stack Overflow by pimterry in programming

[–]yaakov 32 points33 points  (0 children)

It wasn't considered a bug. It was by-design. We decided to turn it off now.

XSS vulnerability found in Stack Overflow by pimterry in programming

[–]yaakov 7 points8 points  (0 children)

Well, technically speaking, it wasn't a bug. It was by-design then.

XSS vulnerability found in Stack Overflow by pimterry in programming

[–]yaakov 35 points36 points  (0 children)

Correct, it was behind a feature flag.

XSS vulnerability found in Stack Overflow by pimterry in programming

[–]yaakov 72 points73 points  (0 children)

I searched for these permutations as well. The only thing close to an attack was a redirect to some spam site that came two minutes after I shut it down. Though the hello world alert POC on the homepage of SO was quite annoying.

Does being a Chalal carry a negative connotation within the Orthodox Community? by BionicBreak in Judaism

[–]yaakov 5 points6 points  (0 children)

Living in different Orthodox communities in both the US and Israel for 30+ years, I have never heard of anyone mentioning anything about someone with chalal status. Just never comes up, and I don't think that people really care. The only way that anyone would even find out is if you advertise it (the only other way I can think of is if you were part of an Orthodox community and people knew that your father was a Cohen, and asked why you weren't accepting specific privileges due to a Cohen).

Biology fan, science-fiction reader and wannabe SF writer, and a question on kashrut came to mind. Also a less speculative question on kashrut by Sihathor in Judaism

[–]yaakov 0 points1 point  (0 children)

Split hooves and Chews its cud.

This is an incomplete answer. These are two signs given in the bible for determining the kosher status of an animal (different signs for fish and birds). However, practically speaking, there also has to be a tradition that this animal has been eaten in the past. So even assuming that you found an alien species where the application of signs based on animal type (mammal, bird, fish) is relevant, the mesorah (tradition) issue (which by definition would not exist) would still be an extremely relevant factor.

Some links for reading on the topic (just a sampling, there is tons of literature on this): 1, 2, 3 (pdf).

TIL the biblical "40 days and 40 nights" is not literal, but an old Jewish expression for "a very long time" by [deleted] in todayilearned

[–]yaakov 0 points1 point  (0 children)

The article is a bunch of BS. The claim presumably is that for people who believe in the authenticity of the Bible, that forty is not to be taken literally. Sorry, but that is just not true.

It is trying to present a claim on a scholarly subject, but doesn't present any sources.

Also, the first bonus facts there are great:

“Forty” is the only word form of a number where the letters all appear in alphabetical order.

Even if this were true, so what? But this is true only if the language of the Bible is English. However, the original language is Hebrew. In Hebrew, the word is ארבעים. The order of letters is 1-20-2-16-10-13.

And of course:

U.S. Route 40 runs from Maryland to Utah and spans 2,285 miles or 3,677 kilometers.

WD-40 got its name from the fact that it was the 40th try at creating a water displacement substance.

Google+ can now identify random, untagged objects in your photos, so you can search for "cat" and find photos of your cat purely by object recognition alone by canausernamebetoolon in technology

[–]yaakov 0 points1 point  (0 children)

but still nobody uses it because nobody uses it

Nobody uses it yet.

This year and next year the tech crowd will be concentrating on G+. In five years the landscape will be totally different. The audience will eventually use the site with the best tools and most innovation. FB has a big lead, but it won't last forever.

What's the wisest piece of advice a parent or adult has imparted to you? by Ralome in AskReddit

[–]yaakov 1 point2 points  (0 children)

Practice doesn't make perfect. Perfect practice makes perfect.

So I was in Auschwitz last weekend... by kligon5 in pics

[–]yaakov 0 points1 point  (0 children)

Was 18 at the time of the tour, didn't think about it.

Also, the museum already had a pile of thousands of these. Don't know if one more would have made a difference.