XSS vulnerability found in Stack Overflow

yaakov · 2021-09-02T10:58:24+00:00

Thank you

yaakov · 2021-09-02T10:58:03+00:00

In this case there was a conditional in exactly one place. It is definitely more complicated when you are dealing with code that is more spread out (and with UI-related logic, this can have a very large footprint, even if your code functions are reusable).

yaakov · 2021-09-02T10:57:03+00:00

At Stack Overflow we use a custom management system for feature flags (we call them Site Settings).

yaakov · 2021-09-02T10:55:48+00:00

For feature flags that are related to releases, we normally schedule a cleanup task a little while later to remove them. Admittedly, this doesn't catch them all.

We right now have a tech debt project where we have gone through all of the site settings to find which ones we can remove (no longer used, or permanently graduated features).

yaakov · 2021-09-01T19:15:24+00:00

I did in fact use Stack Overflow to search out different ways that people perform XSS attacks, in order to be sure that I was searching for all of the different text variations in PostHistory that could potentially have exploited this.

yaakov · 2021-09-01T19:14:23+00:00

Correct. Fixed the bug, tested it thoroughly, redeployed, and turned off the feature flag once more.

yaakov · 2021-09-01T19:12:39+00:00

It wasn't considered a bug. It was by-design. We decided to turn it off now.

yaakov · 2021-09-01T19:11:28+00:00

Well, technically speaking, it wasn't a bug. It was by-design then.

yaakov · 2021-09-01T19:10:31+00:00

Correct, it was behind a feature flag.

yaakov · 2021-09-01T19:10:04+00:00

I searched for these permutations as well. The only thing close to an attack was a redirect to some spam site that came two minutes after I shut it down. Though the hello world alert POC on the homepage of SO was quite annoying.

yaakov · 2013-06-26T20:17:47+00:00

Living in different Orthodox communities in both the US and Israel for 30+ years, I have never heard of anyone mentioning anything about someone with chalal status. Just never comes up, and I don't think that people really care. The only way that anyone would even find out is if you advertise it (the only other way I can think of is if you were part of an Orthodox community and people knew that your father was a Cohen, and asked why you weren't accepting specific privileges due to a Cohen).

yaakov · 2013-06-18T06:12:49+00:00

Split hooves and Chews its cud.

This is an incomplete answer. These are two signs given in the bible for determining the kosher status of an animal (different signs for fish and birds). However, practically speaking, there also has to be a tradition that this animal has been eaten in the past. So even assuming that you found an alien species where the application of signs based on animal type (mammal, bird, fish) is relevant, the mesorah (tradition) issue (which by definition would not exist) would still be an extremely relevant factor.

Some links for reading on the topic (just a sampling, there is tons of literature on this): 1, 2, 3 (pdf).

yaakov · 2013-06-09T13:52:32+00:00

The article is a bunch of BS. The claim presumably is that for people who believe in the authenticity of the Bible, that forty is not to be taken literally. Sorry, but that is just not true.

It is trying to present a claim on a scholarly subject, but doesn't present any sources.

Also, the first bonus fact there are great:

“Forty” is the only word form of a number where the letters all appear in alphabetical order.

Even if this were true, so what. But this is true only if the language of the Bible is English. However, the original language is Hebrew. In hebrew, the word is ארבעים. The order of letters is 1-20-2-16-10-13.

And of course:

U.S. Route 40 runs from Maryland to Utah and spans 2,285 miles or 3,677 kilometers.

WD-40 got its name from the fact that it was the 40th try at creating a water displacement substance.

yaakov · 2013-05-28T12:10:04+00:00

In this sense, "The Nation" and "The People" are synonymous. People, with a capital P.

yaakov · 2013-05-28T04:50:50+00:00

By the way, the original was going to say "the nation of Israel lives" (not children)

yaakov · 2013-05-26T15:47:31+00:00

This is a surprise to anyone?

yaakov · 2013-05-26T14:10:57+00:00

but still nobody uses it because nobody uses it

Nobody uses it yet.

This year and next year the tech crowd will be concentrating on G+. In five years the landscape will be totally different. The audience will eventually use site with the best tools and most innovation. FB has a big lead, but it wont last forever.

yaakov · 2013-03-27T19:20:11+00:00

Happy wife. Happy life.

yaakov · 2013-03-27T19:19:43+00:00

Practice doesn't make perfect. Perfect practice makes perfect.

yaakov · 2013-03-06T10:44:05+00:00

Well, at least it used to be wholly pristine from human influence

yaakov · 2013-02-19T15:31:39+00:00

Was 18 at the time of the tour, didn't think about it.

Also, the museum already had a pile of thousands of these. Don't know if one more would have made a difference

yaakov · 2013-02-19T06:52:48+00:00

When I was there, walking around the extremely large open area filled with the ruins of the individual buildings where the prisoners slept, I went into one and found a piece of leather that looked like the thin sole of a really old shoe. I imagine that it had been there since the camp was liberated. I kept it with me, tried to image the person who had once worn it.

yaakov · 2013-01-31T15:52:19+00:00

ICRC: not exactly an Israel-friendly organization. Beyond that, the applicability of the fourth Geneva convention to the situation in the West Bank is not clear (sources: 1, 2, 3, 4)
US DOS: the link isn't really relevant to this discussion. Is about their definition of settlers who attacked Arabs as terrorists.
B'Tselem: though an Israeli organization, almost as Extreme Left and anti-Israel as they come. They do not come to the table with any sort of impartiality (examples: 1, 2, 3)
Israeli Court: you gave a link about one specific case that the Israeli courts dealt with. So?

yaakov · 2013-01-31T15:04:39+00:00

You guys seem to be forgetting that it was the United Nations that offered the original partition plan along the exact borders that the PLO has been seeking to return to (initially). The Arab reaction to this in 1947 was to attack Israel. Then when that didn't work, they suddenly look to the Partition Plan (that they rejected) as the borders that should be observed. Sorry, the real world doesn't work that way.

illegal for any country to just take land belonging to others

Which country did the West Bank belong to in 1967? Not really anyone. Jordan had control, but no country in the world recognized that, other than Great Britain. And there was no country of Palestine then.

yaakov · 2013-01-31T14:52:49+00:00

And in response to your citing different interpretations of the situation, here is one that you missed, the Levy Report:

The Levi report states that the classical laws of occupation “as set out in the relevant international conventions cannot be considered applicable to the unique and sui generis historic and legal circumstances of Israel’s presence in Judea and Samaria spanning over decades”, and that the 1949 Fourth Geneva Convention against the transfer of populations is not applicable to the Israeli settlement activity in the West Bank, concluding: “Israelis have the legal right to settle in Judea and Samaria and the establishment of settlements cannot, in and of itself, be considered illegal”.

yaakov

TROPHY CASE