38 comments

[ 4.0 ms ] story [ 79.9 ms ] thread
Not mobile ready?
No mobile support for now :(
The AE Studio website linked from the footer also needs some work to show comfortably on mobile.

Since you guys are hiring, I think it might make sense to pick candidates with strong skills in mobile web. They might be able to improve things for you guys right off the bat :D

lmao - Is someone making the lightsaber sounds with their mouth?
Yes, I created the sounds with my mouth hahah
I wish I could actually fight something and win/loose!

(Pretty cool for a laugh)

I’ll definitely add more to this
Ah, the importance of not relying on front-end validation.
However, It's very fun UX to let me put the bee movie intro into a marquee ;).

Side note to the creator: the color listener names are different from the emit names.

(comment deleted)
(comment deleted)
Seems like there are some XSS vulnerabilities :D
Yep. Directly renders HTML input and the ‘name’ validation is clientside only.
Was wondering why firefox said it blocked 100+ pop ups
meta game of XSS hacks are much more fun than the game itself. :D They've accidentally invented a new genre.
Somewhere in there you have a link to example.com.
It's like the Bobby Tables XKCD except everyone's child is named <img src="asdf" onerror="alert('holy injection batman')"/>
This quickly turned from a lightsaber battle into an XSS battle. Negotiations were short.
(comment deleted)
I wrote an XSS worm that turns people's names into "yay" (and the worm code) but made myself immune to it. Now someone will have to figure out how to write a counter-worm to remove the worm from the lightsaber population. Until then, the "name" feature will be permanently held hostage (by the yay worm)
Ok, you took it to the next level. This is amazing
You might find this interesting, if you didn't know about it already: https://en.wikipedia.org/wiki/Samy_(computer_worm) . In 2005 someone wrote an XSS worm in MySpace that made everyone follow a single person. It worked by injecting itself in the victim's profile description. It quickly reached more than a million people.
Toying with #name-input and setName() was quite fun; I wish I was there to see this part happen! What `onerror` did you end up using to make it recursive?
This was the injected JS code:

    document.getElementById('name-input').value = document.getElementById('yay').outerHTML; setName(); console.log('yay')
The `<img>` tag I used was wrapped around a `div` element that had the `yay` id. I used `onload` instead of `onerror`, with an image link from Wikipedia.
Somehow I ended up here: https://grabify.link/track/K0U70F
The AI explanations for these tracks is quite amusing/disturbing:

> Based on the information provided, it appears that the user is a resident of the United States, likely living in the Onalaska area of Washington state. They are using a Windows 10 computer and the Firefox web browser, which suggests they are comfortable with technology and keep their software up-to-date.

> The user's browsing activity indicates that they have an interest in lightsaber-related content, which could be a hobby or a professional interest. Their use of the Broadstripe internet service provider, a regional provider in the Pacific Northwest, further reinforces the assumption that they are a local resident.

> While the user's specific age or occupation is not known, their choice of browser and operating system implies that they are likely an adult who is familiar with modern computing technology. They may work in a field that requires internet access, or they could simply be an enthusiastic internet user with a diverse range of interests.

> The fact that the user is accessing the internet through a residential broadband connection suggests that they have a stable living situation and the means to afford reliable internet service. This, combined with their apparent technological proficiency, paints a picture of a relatively well-off and engaged individual.

> Overall, the available information suggests that the user is a tech-savvy adult residing in the Onalaska area of Washington state, with a particular interest in lightsaber-related content. While their specific background and occupation remain unknown, they appear to be a relatively well-established and engaged member of their local community.

And somehow I found myself here: https://www.youtube.com/watch?v=DHVsEefuWI. Then I reloaded the lightsaber page only to find the background is Elmo in hell.

I wish I knew these XSS tricks better, or I'd also have a few suggestions for everyone.

I laughed. Then I laughed at the sound effects. Then I laughed at what happened when I left the tab open in the background.