💾 Archived View for station.martinrue.com › acidus › 2b99fac39f9f4b22a94ea16e5e1f261b captured on 2023-07-22 at 18:37:46. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-03-20)
-=-=-=-=-=-=-
oh shit. I just found JavaScript code execution in a Gemini browser 😬😬. I’m literally looking at an Alert dialog. (goes looking for developer contact info…)
1 year ago · 👍 eph, lykso, staticvoid, birabittoh, kaylee, comatoast
I think that’s exactly what’s happening @birabittoh · 1 year ago
Can't escape JS even here · 1 year ago
Some browsers actually translate gemtext to html, then use a webview to render the page. that's why you can probably do code injection, but as long as most people use lagrange or any terminal-based client like amfora it should be fine · 1 year ago
not Lagrange 😅. i’m gonna try to get the developer to fix the problem before I talk about it in too much detail. I’m not entirely sure how severe it is because I’m not yet sure what context/origin the JS is executing. doesn’t look like it can access file URIs but I can force it to make network requests, so if it can access privileged information, the attacker has a way to exfiltrate data. i’ve emailed the developer, let’s see what happens. · 1 year ago
which one? · 1 year ago