emoji-award-marseywholesome
Unable to load image
Reported by:

im too lazy to test so i need testers for new update --- badge and 1k mbux for each bug u find :marseycapy:

https://devrama.net/?s=

just go to https://devrama.net and make an account and test all functions of the site, and comment here if u find anything broken

the badge in question:

![](https://rdrama.net/i/badges/7.webp?b=6)

devrama features (not a bug):

  • everyone is janny

  • everyone has 1000000 coins and mbux

known bugs (specific to devrama, not worth fixing tbh):

  • The roulette board is missing completely

  • Casino leaderboards are blank and won’t change

merry christmas!

EDIT: apparently this needed be said, if you find a security vulnerability, pls DM me, don't actually use it or comment about it in this thread

125
Jump in the discussion.

No email address required.

it does not

Jump in the discussion.

No email address required.

Thinking about it more, if you have a redirect url or query parameter that redirects on the site without a whitelist you can use the src attribute of the image tag to similiar effect

Jump in the discussion.

No email address required.

we don't have that lol

Jump in the discussion.

No email address required.

<a href={{{any rdrama path here}}}>www.bing.com{{{<}}}/a>

Does work for local link misdirection in the rdrama chat, are you sure there's no jwt/oauth/sso redirect url functionality? Im on my phone (vacation) so i cant check github

Jump in the discussion.

No email address required.

just try it out urself, my neighbor

Jump in the discussion.

No email address required.

One second its dont use the security vulnerability, the next second its use the vulnerability rslur

Smh

Jump in the discussion.

No email address required.

just to clarify for the future, I do want you to try shit out, I just don't want you to expose others to them or make them known publicly until they're fixed, its common sense really, I didnt think i would have to explain it lol

Jump in the discussion.

No email address required.

Yeah fair, but lets not pretend getting users to live test a dev site without understanding the security implications of that is any more ethical than live blogging the pasting of <img src=1 into text fields

Jump in the discussion.

No email address required.

yeah admin-only functions didnt rly get that much scrutiny xss-wise, thats on me

Jump in the discussion.

No email address required.

More comments

just try it in a draft thread lol

Jump in the discussion.

No email address required.

hence why @TwoLargeSnakesMating (rip) GREATLY reduced the scope :marseypedosnipe: of what's allowed to embed. the idea is that we'll allow media :marseyjourno: proxies (but ideally not) but not anything :marseycoleporter: that has an open redirect

Jump in the discussion.

No email address required.

Based and unhackable-pilled

Jump in the discussion.

No email address required.

Link copied to clipboard
Action successful!
Error, please refresh the page and try again.