Karzilla, Destroyer of Bugs (staff profile: karzilla) wrote in dw_maintenance, 2023-06-29 11:28 pm

Code push happening tomorrow!

We are planning to do a code push within the next 24 hours, around 7:30pm PDT / 10:30pm EDT.

You can see what's new in the code tour that was posted earlier this week, but here are the highlights:

  • Google Analytics v4 support
  • adding the legacy RTE to the beta Create Entries page
  • adding draft autosave to the beta Create Entries page
  • more UI improvements for the beta Inbox
  • some more aggressive measures for discouraging SEO spam accounts
  • miscellaneous modernization updates for various journal styles
  • many newly added sites for content embeds and username styling
  • new color picker for the journal style customization page
  • new CSS wrappers to allow styling of entry cut links

We'll update here once the new code is live!

Re: CSS escaping

[staff profile] denise 2023-06-30 03:20 pm (UTC)
That's a security-related restriction -- it was put in place because there's a category of exploits that used to be very common on LiveJournal that can happen if you don't clean certain byte strings out of user-generated CSS classes, and the fix for it has to be a little over-cautious and just clean all Unicode. Theoretically, we could probably look into whether we can step back some of the restrictions given the advances in browser technology, but it hasn't been a priority (and is unlikely to be a priority in the future) because of the risk of re-introducing security attack vectors if we aren't extremely careful, and we've prioritized other efforts instead.

EDIT: actually never mind! Our security person did do that analysis while I wasn't paying attention, and this next code push should reduce the restrictions on Unicode in CSS a lot. Sorry for the bad info!
Edited 2023-06-30 15:31 (UTC)
Re: CSS escaping

[personal profile] tennoseremel 2023-07-01 08:10 am (UTC)

Nice :) Although all of that could probably be less of a problem with BUG #3046: [wish] Consider not inlining custom CSS maybe?

UPD: And, for the record, I meant content: "Unicode string here"; not classes, per se.

Edited (Sorry for the edits :)) 2023-07-01 08:13 (UTC)
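The comment above draws the distinction between Unicode in class names and Unicode inside a `content: "..."` string value. As an added illustration (this is not Dreamwidth code and not anything a commenter posted), the functions below show that the two goals in this thread need not conflict: a user's `content` string can keep its non-ASCII characters while the CSS that is actually stored stays pure ASCII, by rewriting each non-ASCII character as a standard CSS hex escape (`\` followed by one to six hex digits and an optional terminating space, per CSS Syntax Level 3). The decoder is included so the round trip can be checked. Function names, the assumption that the site-side filter is "ASCII only", and the sample strings are all mine.

```python
import re
import string

# Characters that must be followed by a space after a hex escape, because the
# CSS tokenizer would otherwise fold them into the escape itself.
_HEX_DIGITS = set(string.hexdigits)
_CSS_WS = set(" \t\n\r\f")

# A CSS escape: backslash + 1..6 hex digits + optional single whitespace,
# or backslash + any other single character (which stands for itself).
_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|(.))", re.DOTALL)


def escape_css_string(text: str) -> str:
    """Return the body of a double-quoted CSS string with every non-ASCII,
    control, quote or backslash character replaced by a CSS hex escape.

    The output contains only printable ASCII, so it passes an ASCII-only
    filter on user CSS, while a browser still renders the original text.
    """
    out = []
    last = len(text) - 1
    for i, ch in enumerate(text):
        cp = ord(ch)
        if 0x20 <= cp <= 0x7E and ch not in '"\\':
            out.append(ch)  # plain printable ASCII passes through unchanged
            continue
        esc = f"\\{cp:x}"
        # Terminate the escape with a space when the next character could be
        # misread as part of it (a hex digit) or would be swallowed (whitespace).
        if i < last and (text[i + 1] in _HEX_DIGITS or text[i + 1] in _CSS_WS):
            esc += " "
        out.append(esc)
    return "".join(out)


def unescape_css_string(text: str) -> str:
    """Decode CSS escapes back to the original characters (what a browser does)."""

    def repl(m: "re.Match[str]") -> str:
        if m.group(1) is None:
            return m.group(2)  # "\x" escapes the literal character x
        cp = int(m.group(1), 16)
        # CSS replaces NUL, surrogates and out-of-range values with U+FFFD.
        if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return "\ufffd"
        return chr(cp)

    return _ESCAPE.sub(repl, text)


def content_declaration(text: str) -> str:
    """Build an ASCII-only `content:` declaration for user-supplied text."""
    return f'content: "{escape_css_string(text)}";'


if __name__ == "__main__":
    # Constructed sample: a check mark followed by ASCII text.
    sample = "✓ done"
    decl = content_declaration(sample)
    print(decl)  # content: "\2713  done";
    assert decl.isascii()
    assert unescape_css_string(escape_css_string(sample)) == sample
```

The space rule is the one edge case worth remembering: `"\2713 done"` and `"\2713  done"` render differently, because the tokenizer consumes one whitespace character after a hex escape, so the encoder has to emit an extra space whenever a literal space or a hex digit follows the escaped character.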
Re: CSS escaping

[personal profile] momijizukamori 2023-07-01 04:34 pm (UTC)
You should be good to go on Unicode in content values now! The attack pattern it was meant to mitigate is not a thing in modern browsers (apparently it used to be possible to make CSS run JS, which is one of the most cursed things I've heard).
Re: CSS escaping

[personal profile] tennoseremel 2023-07-01 05:46 pm (UTC)

[personal profile] momijizukamori, appears to be working (example: link at the end of the text has “identification card” Unicode character), thank you :)

apparently it used to be possible to make CSS run JS, which is one of the most cursed things I've heard

Ouch. Sounds very cursed indeed.