https://devrama.net/?s=
just go to https://devrama.net and make an account and test all functions of the site, and comment here if u find anything broken
the badge in question:
devrama features (not a bug):
everyone is janny
everyone has 1000000 coins and mbux
known bugs (specific to devrama, not worth fixing tbh):
The roulette board is missing completely
Casino leaderboards are blank and won’t change
merry christmas!
Jump in the discussion.
No email address required.
Though it does let you do html elements, link attacks are maybe possible I guess
only specific html elements and attributes are allowed
<script> obv isn't
If href works you can pretend a link is going one place but send them another
it does not
Thinking about it more, if you have a redirect url or query parameter that redirects on the site without a whitelist you can use the src attribute of the image tag to similar effect
we don't have that lol
<a href={{{any rdrama path here}}}>www.bing.com{{{<}}}/a>
Does work for local link misdirection in the rdrama chat, are you sure there's no jwt/oauth/sso redirect url functionality? I'm on my phone (vacation) so I can't check GitHub
just try it out urself, my neighbor
One second it's don't use the security vulnerability, the next second it's use the vulnerability rslur
Smh
hence why @TwoLargeSnakesMating (rip) GREATLY reduced the scope of what's allowed to embed. the idea is that we'll allow media proxies (but ideally not) but not anything that has an open redirect
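The two points made in this thread, an allowlist of specific HTML elements and attributes (so <script> and event handlers never survive) and refusing to embed anything that could carry an open redirect, as an added Python example. This is illustrative code written for this page, not devrama's or rdrama's own sanitizer; the tag/attribute allowlist, the `devrama.net` and `i.devrama.net` media hosts, and the function names are assumptions. `href` is limited to site-local paths, so a mismatched link text can at most point somewhere on the same site, as the thread notes; `src` is limited to an explicit host allowlist, which only helps if the listed hosts themselves have no redirect endpoint.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy for this example; the real site's allowlist is not on the page.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}  # contents are dropped, not just the tag
# Only list hosts you have verified expose no open redirect (assumed hosts).
ALLOWED_MEDIA_HOSTS = {"devrama.net", "i.devrama.net"}


def is_local_path(target):
    """Accept only same-site paths: no scheme, no host, no '//' or '/\\' prefix
    (browsers treat both as protocol-relative), so it cannot leave the site."""
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        return False
    if not target.startswith("/") or target.startswith("//") or target.startswith("/\\"):
        return False
    return True


def is_allowed_media_src(url):
    """Accept https URLs whose host is on the allowlist. hostname strips any
    user@ prefix and port, so 'https://devrama.net@evil.example/' is rejected."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_MEDIA_HOSTS


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allowlisted tags and attributes.
    Everything rejected is recorded in self.dropped for logging/detection."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []
        self.skipping = None  # name of a raw-text tag whose body is being discarded

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name, value))
            elif name == "href" and not is_local_path(value):
                self.dropped.append((tag, name, value))
            elif name == "src" and not is_allowed_media_src(value):
                self.dropped.append((tag, name, value))
            else:
                kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skipping = tag
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None, None))
            return
        attr_text = "".join(
            f' {n}="{escape(v, quote=True)}"' for n, v in self._clean_attrs(tag, attrs)
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skipping:
            return
        self.out.append(escape(data))


def sanitize(fragment):
    """Return (clean_html, dropped) for an untrusted fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample input: a same-site link whose text says bing.com.
    print(sanitize('<a href="/h/devrama">www.bing.com</a>'))
    print(sanitize('<img src="https://evil.example/a.png" onerror="x()">'))
```

The `dropped` list is the part worth wiring into monitoring: a burst of rejected `src`/`href` values from one account is a cheap signal that someone is probing the allowlist.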
Based and unhackable-pilled
I wouldn't allow any if I were you, always get broken imo