There was an extension called Epiverse that used to do this + reddit comments, I dearly miss it. Although I began to notice that I was more concerned with the comments than the pages themselves.
This is trivially vulnerable to XSS [1]. Someone can leave a comment of the form:
https://"><script>alert(1)</script>
and if you click the bookmarklet for the page that comment was discussing then their javascript will execute in your logged in context on that website.
Also as a defense mitigation I don't think escaping is ever going to be effective, it would be better to create anchor elements directly. With your current approach I can still XSS with, for instance:
Thanks! For now, I added a warning under the gist. Not that this is an excuse, but I put this together in about 30 minutes using GPT-4 for fun without much consideration about robustness or security. I will maybe try to rewrite it when I find time.
Please do! Besides being a fun exercise it’s also a neat idea. Comments from the HN community make the content posted almost always more interesting imho
13 comments
[ 3.1 ms ] story [ 47.5 ms ] threadRelevant comment: https://news.ycombinator.com/item?id=30187483
[1]: https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...
For people reading this, the parent comment is referring to this line[1] from a previous revision of the gist.
[1]: https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...
That was not the line, it was linking to this innerHTML call: https://gist.github.com/postmalloc/e2602752d46c5b9dee2446235...
Also as a defense mitigation I don't think escaping is ever going to be effective, it would be better to create anchor elements directly. With your current approach I can still XSS with, for instance: