#dev 2023-07-15

2023-07-15 UTC
[tantek]
next question, implementation reports?
sknebel
there are test cases in a spec appendix
aaronpk
huh i have no idea what process exists to publish these https://www.ietf.org/how/runningcode/implementation-reports/
[snarfed]
^ "The IETF Standards Process...requires at least two independent and inter-operable implementations," 😆 well yeah I guess that's a minimum bar
aaronpk
it's a ... loose requirement
aaronpk
the documentation of the interoperable implementations is not great, and the process of actually verifying that could be a lot better
[fluffy] joined the channel
[fluffy]
oh yeah the http://huntr.dev folks assigned a CVE after all, it was just a bug that it hadn’t been originally. And now I feel like I’ve finally made it: a piece of software I wrote is widely-used enough that people bothered to find an issue with it and open a CVE against it!
[aciccarello] joined the channel
Loqi
fluffy has 4 karma in this channel over the last year (18 in all channels)
[aciccarello]
I updated my site with the latest version. Thanks!
[manton] and [timothy_chambe] joined the channel
[timothy_chambe]
Does anyone see any "gotchas" in this from Meta/Threads on their early plan for these parts of ActivityPub support?
[timothy_chambe]
↩️ Has anyone written up a PR or feature request in Mastodon's Github on this?
cerealport and tei_ joined the channel
[tantek]
wow fascinating
tei_ joined the channel
Loqi
[preview] [elle mundy] who called it object oriented programming and not class struggle
IWSlackGateway, geoffo, [snarfed], bterry, [jgarber], [jacky] and [fluffy] joined the channel
[fluffy]
It still baffles me that browser Javascript still has no built-in way to escape HTML entities.
sknebel
TIL the Sanitizer API is still experimental and not widely supported
sknebel
(which was my first thought for that problem, even though kinda overkill)
[aciccarello] joined the channel
[aciccarello]
You'd think that'd be a priority API to finalize
sknebel
not sure how much it'd be actually used? insert HTML snippets directly? (since it's much more than just escaping, but you can make it do that too I think)
Zegnat
What is the use case? Inserting potential HTML as text? I think the "correct" way to do that is createTextNode, where you can safely use < and >. For almost everything else the correct way is to write out the unicode symbol and not create HTML entities.
[jamietanna] joined the channel
[jamietanna]
Snarfed did I remember seeing you'd recently shipped a big change to Bridgy Fed? I'm currently seeing my "notifications" feed as including a lot of other folks' content 🤔
[fluffy]
TIL about createTextNode()
[fluffy]
I’m not a fan of using the DOM methods for generating things, though. It’s unnecessarily verbose/unwieldy and usually slower than just shoving a text string at .innerHTML or whatever.
Zegnat
.innerText is the text node equivalent to innerHTML, but of course if you want to do a mix of HTML and escaped strings it gets a little trickier
Zegnat
[fluffy]: this looks like it works, at least in my version of Firefox. Read out the HTML version of a text node and it will have HTML entities for < and > etc. https://gist.github.com/Zegnat/f3c32e924f32d3d358ccd18ba412cda4
[fluffy]
yeah I just played with it on jsFiddle and it worked fine. I just don’t like the DOM manipulation methods and I’d much rather just build strings template-style.
[fluffy]
Especially since JS supports string interpolation nowadays.
[fluffy]
sometimes you just want to bash out some HTML.
bterry joined the channel
Zegnat
I can see that. But just as with SQL, or almost anything else with a syntax, you are going to have to introduce sanitation somewhere, haha
[fluffy]
sure, and it’d be better to make the sanitization API easy to use rather than having to contort around everything
[fluffy]
like with SQL, sure, use parameter binding, not code generation.
[fluffy]
If Javascript had an equivalent to that for HTML generation, I’d be fine with it!
[fluffy]
I just find it really weird that there’s no standard function for converting a text string into entity-escaped or URL-encoded as another text string. Both of those come up *all the time* in webapps, and the lack of standard functionality is probably where a lot of XSS issues come from.
[fluffy]
wait no there is url-encoded
[fluffy]
with encodeURI()
[fluffy]
I seem to recall there was some other major web-based thing that missed URL-encoding as an action and I was conflating that
bterry and [KevinMarks] joined the channel
[KevinMarks]
Form submission does url encoding. Is there an equivalent html operation that does entity escaping?
[fluffy]
I did see one clever use of abusing <textarea> which does entity escaping
[fluffy]
but I wouldn’t want to use it
gRegor joined the channel
gRegor
[snarfed], got some more BF webmentions for other people's reposts
tei_ joined the channel
[snarfed]
gRegor ugh thx. new router may still be too over-eager in some cases. got an example handy?
[snarfed]
[jamietanna] yup I did, that's a known issue, I'll work on it. sorry for the trouble!
[jamietanna]
No worries, thanks!
Loqi
[preview] [Tim Chambers] shared this.
[snarfed]
sent to your homepage?
gRegor
Checked a few of them, they all appear to be reposts
geoffo and tei_ joined the channel
[snarfed]
ok gRegor those should be stopped now
tei_1, gRegor, cerealport, bterry and tei_ joined the channel