Euro Truck Simulator dev has been banned from steam for using <script> in steam announcement
82 replies, posted
Pointing out Greenlight of all things is bizarre and basically tiny sliver of an issue. For all intents and purposes, it isn't an issue itself, it just has issues of its own.
[QUOTE=testinglol;45123023]this isn't an exploit. this is a thing for devs that shouldn't be used like this. it can only be used on official groups.[/QUOTE]
But it is an exploit, there is no valid reason for any developer to use the script tag in a steam announcement. Especially with the increasing number of devs coming via greenlight they should be even more careful.
[QUOTE=Handsome Matt;45125736]steamwork devs just got this:
[img]http://i.imgur.com/Zw2jMKs.png[/img]
they finally fixed it. (y)[/QUOTE]
Great, now unban the guy
[QUOTE=01271;45121076]I don't know, why not compare a multimillion dollar company's site that handles monetary transactions to dr frankenstein's ripped-apart-and-glued-together proboards. We're both running PHP after all.
<script> tags can probably still be placed in news article titles that come to steam as well I bet.[/QUOTE]
You're comparing a small forum whose posts were never meant to contain HTML to a huge website that's been modified and extended heavily over the past 11 years with many complicated, interlocking components that uses HTML for post markup. They're not really comparable.
[QUOTE=Handsome Matt;45125736]steamwork devs just got this:
[t]http://i.imgur.com/Zw2jMKs.png[/t]
they finally fixed it. (y)[/QUOTE]
Wish they added bbcode to chat functions too.
I wish people would stop using BBCode. It's ugly and verbose for what it's used for.
Speaking of things needing fixing, they also need to fix the ability to get spammed with chat invites from people you don't even know. An option in your profile settings. Anything.
[QUOTE=mattmanlex;45125756]Great, now unban the guy[/QUOTE]
Exactly. He shouldn't be punished for pointing out a flaw in a system that has existed for years. Apparently this bug has been known since 2012 but Valve was too lazy to do anything about it until someone exploited it.
[editline]16th June 2014[/editline]
Valve has become a terrible developer and miserable company in general.
[QUOTE=Reagy;45123383]They enable raw html into dev announcements? That's just fucking absolute retarded.
Steam already has bbcode, just give devs a fucking img and video tag and there you go, problem solved.
They don't need raw fucking html.[/QUOTE]
Raw HTML is fine as long as you treat it properly (setup standard security measures and strip bad stuff properly), which is exactly what Valve wasn't doing in this case.
Hell, this was for developers to use, people you should be able to trust, now remember that webmail clients will gladly render HTML in any email you get regardless of the source.
[QUOTE=TheDecryptor;45126300]Raw HTML is fine as long as you treat it properly (setup standard security measures and strip bad stuff properly), which is exactly what Valve wasn't doing in this case.
Hell, this was for developers to use, people you should be able to trust, now remember that webmail clients will gladly render HTML in any email you get regardless of the source.[/QUOTE]
Webmail clients dont allow scripts and will even refuse to load images for obvious reasons
This is a pretty serious exploit, and they should be taking it seriously
[QUOTE=Sir Whoopsalot;45120580]Someone found out that the SMB level database for user-created levels had abysmal security and told the developer who proceeded to get cocky as fuck about it. That person made the info public and then this happened.
[img]http://img820.imageshack.us/img820/1641/itsfinetrustme.png[/img][/QUOTE]Here's the story behind this, according to Tommy: Tommy was hosting all the custom levels on a computer in his house. He was on vacation when it happened, and politely let the person know it would be fixed when he got back. The guy spliced tweets together to make him look bad, and released the info and pictures before Tommy got back and could fix it.
I can't remember which one, but he talked about it in an interview over a year ago.
[B]Edit: [/B]Apparently, the tweets were spliced some other time.
[QUOTE=SL128;45127091]Here's the story behind this, according to Tommy: Tommy was hosting all the custom levels on a computer in his house. He was on vacation when it happened, and politely let the person know it would be fixed when he got back. The guy spliced tweets together to make him look bad, and released the info and pictures before Tommy got back and could fix it.
I can't remember which one, but he talked about it in an interview over a year ago.[/QUOTE]
I was there when it happened (Facepunch WAYWO a few years ago), and no, not at all. Charlie reported it, the guy said "it's not a problem," Charlie offered to help him fix it, he still said "it's not a problem," so us Facepunchers went wild.
[URL="http://facepunch.com/showthread.php?t=1144771&p=33856685&viewfull=1#post33856685"]Here's the thread[/URL] if you want it.
[editline]16th June 2014[/editline]
Oh, yeah, Charlie tried to warn them multiple times but they never even said "we'll take care of it soon." They don't really have a precendent to call us immature teenagers (which I think was what they said in the interview).
[QUOTE=SL128;45127091]Here's the story behind this, according to Tommy: Tommy was hosting all the custom levels on a computer in his house. He was on vacation when it happened, and politely let the person know it would be fixed when he got back. The guy spliced tweets together to make him look bad, and released the info and pictures before Tommy got back and could fix it.
I can't remember which one, but he talked about it in an interview over a year ago.[/QUOTE]
I went back and looked through the tweets and they weren't spliced. I don't really know what to feel about this because I think Tommy is a cool guy, but I do think it's dumb that this happened.
[QUOTE=Tobba;45126808]Webmail clients dont allow scripts and will even refuse to load images for obvious reasons
This is a pretty serious exploit, and they should be taking it seriously[/QUOTE]
Shouldn't say it's obvious, many people don't know that you can get someone's IP by sending them an image on your webserver and having them view it. Not that a persons IP usually is an issue. But it can also let them know the mail was delivered to the box.
[QUOTE=Ybbat;45127855]Shouldn't say it's obvious, many people don't know that you can get someone's IP by sending them an image on your webserver and having them view it. Not that a persons IP usually is an issue. But it can also let them know the mail was delivered to the box.[/QUOTE]
not if you use gmail
any images sent to a gmail address get loaded by google's servers, and cached for the email
so you get google's ip, not the recipient
[QUOTE=Tamschi;45122658][editline]16th June 2014[/editline]
Nope, Facepunch mangles the URI. Get it from [URL="https://www.moovweb.com/blog/happy-valentines-day-internet-behold-the-harlem-shake-bookmarklet/"]here[/URL].[/QUOTE]
What a terrible script. Not only is it associated with the stupid Harlem Shakedown fad, it also both crashed my browser and only shook Ybbat's avatar and information panel.
Trying to make the song not play stopped the script from starting entirely.
[QUOTE=FunnyStarRunner;45127991]What a terrible script. Not only is it associated with the stupid Harlem Shakedown fad, it also both crashed my browser and only shook Ybbat's avatar and information panel.
Trying to make the song not play stopped the script from starting entirely.[/QUOTE]
It's an example.
[QUOTE=JCDentonUNATCO;45128104]It's an example.[/QUOTE]
No, that one linked from the Valentine's Day post.
Lemme go make that more clear.
[QUOTE=Tobba;45126808]Webmail clients dont allow scripts and will even refuse to load images for obvious reasons
This is a pretty serious exploit, and they should be taking it seriously[/QUOTE]
Yes, that was my whole point, webmail clients sanitise the HTML so it's not a problem, and that's from an untrusted source, doing the same to a trusted source shouldn't cause any problems.
It's really easy to sanitise HTML if you parse it right, problem is that most people don't parse HTML right (The amount of custom built regex parsers I've seen, ugh).
Sorry, you need to Log In to post a reply to this thread.