https://devrama.net/?s=
just go to https://devrama.net and make an account and test all functions of the site, and comment here if u find anything broken
the badge in question:
](https://rdrama.net/i/badges/7.webp?b=6)
devrama features (not a bug):
everyone is janny
everyone has 1000000 coins and mbux
known bugs (specific to devrama, not worth fixing tbh):
The roulette board is missing completely
Casino leaderboards are blank and won’t change
merry christmas!
Jump in the discussion.
No email address required.
Similar bug but on drama chat, could be actual XSS vector but im too lazy to check
Jump in the discussion.
No email address required.
chat seems fine to me ?
Jump in the discussion.
No email address required.
Though it does let you do html elements, link attacks are maybe possible I guess
Jump in the discussion.
No email address required.
only specific html elements and attributes are allowed
<script> obv isnt
Jump in the discussion.
No email address required.
If href works you can pretend a link is going one place but send them another
Jump in the discussion.
No email address required.
it does not
Jump in the discussion.
No email address required.
Thinking about it more, if you have a redirect url or query parameter that redirects on the site without a whitelist you can use the src attribute of the image tag to similiar effect
Jump in the discussion.
No email address required.
we don't have that lol
Jump in the discussion.
No email address required.
<a href={{{any rdrama path here}}}>www.bing.com{{{<}}}/a>
Does work for local link misdirection in the rdrama chat, are you sure there's no jwt/oauth/sso redirect url functionality? Im on my phone (vacation) so i cant check github
Jump in the discussion.
No email address required.
More options
Context
More options
Context
hence why
@TwoLargeSnakesMating (rip) GREATLY reduced the scope 
of what's allowed to embed. the idea is that we'll allow media 
proxies (but ideally not) but not anything 
that has an open redirect
Jump in the discussion.
No email address required.
More options
Context
More options
Context
Based and unhackable-pilled
Jump in the discussion.
No email address required.
More options
Context
More options
Context
I wouldn't allow any if I were you, always get broken imo
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
More options
Context
Yeah it stripped the tags, I wasn't exactly putting a lot of effort into blackbox testing from my phone
Jump in the discussion.
No email address required.
More options
Context
More options
Context
Similiar but shadowban reason IS an XSS vector
Jump in the discussion.
No email address required.
Jump in the discussion.
No email address required.
lol not even close
u get nothing
Jump in the discussion.
No email address required.
lol
Jump in the discussion.
No email address required.
More options
Context
Wtf i followed all the rules you set
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
https://devrama.net/log
Jump in the discussion.
No email address required.
Im not gonna click that lmao
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
Most comment previews allow you to xss yourself, its not really exploitable unless you manage to get it to execute after posting. Not sure if the jannies consider it a real vuln.
Jump in the discussion.
No email address required.
it isn't a vulnerability if you're only attacking yourself
you can also write
a file that is 
open it to get the same effect
<html><body><script>alert('whatever');</script></body></html>, save it as xss.html and thenJump in the discussion.
No email address required.
More options
Context
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context