oren — 2/10/2024, 2:44:15 PM

Did you know? There are three supported image hosts on wasteof:

but you can actually post images from a 4th host: https://cdn.jsdelivr.net/gh/twitter/[email protected]/assets/72x72/*

it’s the emojis on the site, but you can post them as normal images as well. Here’s an example:

🔥
♥ 10 ↩ 0 💬 15 comments

comments

jeffalo: <img class=
2/11/2024, 11:19:51 AM
oren:

lol

2/11/2024, 12:57:44 PM
gamecuber6:

i clicked it and it crashed the app (i'm on wasteof for Android)

2/10/2024, 11:05:16 PM
oren:

@micahlt ^

2/11/2024, 12:58:18 PM
gamecuber6:

how

2/11/2024, 11:58:38 PM
oren:

micahlt makes the android app for wasteof

2/11/2024, 11:59:52 PM
gamecuber6:

yeah, but for some reason clicking his name in your comment before this one opens up my browser

2/12/2024, 12:01:53 AM
oren:

It’ll probably come in a future update

2/12/2024, 12:05:53 AM
gamecuber6:

clicking that user profile link opens my browser (on wasteof for android btw)

2/12/2024, 12:00:29 AM
lily:

oh, i didn’t even realise that. i thought that it would fail (i copied the emojis as rich text accidentally once)

2/10/2024, 3:06:02 PM
radi8:

i think *.tauon.dev is one too

right @lily?

2/10/2024, 2:58:03 PM
lily:

let me test

2/10/2024, 3:04:49 PM
lily:

nope, it’s not

i think it was going to be, but i couldn’t manage to write a motion jpeg encoder. if i do, i’ll ask jeffalo to add it again.

2/10/2024, 3:05:23 PM
oren:

Sadly, this is not an XSS vector because it’s locked down to the 72×72 path, which only includes PNG images. If someone were to sneak in a malicious SVG into the Twemoji repo, though, you could possibly do it (but that would also hack thousands of other sites at the same time, including Twitter)

2/10/2024, 2:54:16 PM
oren:

I think there’s also some stuff @jeffalo could do to block certain file types, but I’m not sure about that.

2/10/2024, 2:55:01 PM
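As an added example (not code from wasteof or from anyone in this thread), here is the kind of allowlist check oren's comment about the 72×72 path and jeffalo's file-type blocking amount to: accept only URLs that parse to the Twemoji 72×72 PNG directory on cdn.jsdelivr.net, and reject SVG, other hosts and the usual URL tricks. The repo name twitter/twemoji, the path layout and a pinned x.y.z version are assumptions reconstructed from the public jsDelivr layout (the post's URL is garbled); the sample version and inputs are constructed.

```javascript
// Added example, not wasteof's own code. Validates that a user-supplied image
// URL points into the Twemoji 72x72 PNG directory on jsDelivr (the "4th host"
// in the post). Host, path layout and pinned x.y.z version are assumptions
// reconstructed from the public jsDelivr/Twemoji layout.

// Expected path: /gh/twitter/twemoji@<x.y.z>/assets/72x72/<hex code points>.png
// Twemoji names files by lowercase hex code points joined with "-" (1f525.png is 🔥).
const TWEMOJI_72_PNG =
  /^\/gh\/twitter\/twemoji@\d+\.\d+\.\d+\/assets\/72x72\/[0-9a-f]+(?:-[0-9a-f]+)*\.png$/;

function isAllowedTwemojiImage(raw) {
  let u;
  try {
    u = new URL(raw); // use the URL parser; never prefix-match the raw string
  } catch {
    return false; // not a valid absolute URL
  }
  if (u.protocol !== "https:") return false;
  if (u.hostname !== "cdn.jsdelivr.net") return false; // exact host, not endsWith
  if (u.username || u.password || u.port) return false; // no user@host, no host:port
  if (u.search || u.hash) return false; // no query or fragment smuggling
  // The anchored regex admits only the PNG layout: ".." segments (already
  // collapsed by the parser), percent-encoding and .svg all fail here.
  return TWEMOJI_72_PNG.test(u.pathname);
}

// Constructed sample inputs (version 14.0.2 is a made-up sample) with the
// verdict a defender expects from the check above.
const SAMPLES = [
  ["https://cdn.jsdelivr.net/gh/twitter/twemoji@14.0.2/assets/72x72/1f525.png", true],
  ["https://cdn.jsdelivr.net/gh/twitter/twemoji@14.0.2/assets/72x72/1f1fa-1f1f8.png", true],
  ["https://cdn.jsdelivr.net/gh/twitter/twemoji@14.0.2/assets/svg/1f525.svg", false],
  ["https://cdn.jsdelivr.net/gh/twitter/twemoji@14.0.2/assets/72x72/../../assets/svg/1f525.svg", false],
  ["https://cdn.jsdelivr.net.example.test/gh/twitter/twemoji@14.0.2/assets/72x72/1f525.png", false],
  ["https://cdn.jsdelivr.net@example.test/gh/twitter/twemoji@14.0.2/assets/72x72/1f525.png", false],
  ["http://cdn.jsdelivr.net/gh/twitter/twemoji@14.0.2/assets/72x72/1f525.png", false],
];

// Returns true when every constructed sample gets the expected verdict.
function allSamplesPass() {
  return SAMPLES.every(([url, expected]) => isAllowedTwemojiImage(url) === expected);
}
```

Note that a plain `startsWith("https://cdn.jsdelivr.net/")` check would wrongly accept the `cdn.jsdelivr.net@example.test` form, which is why the host is compared after parsing.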