
Redirection vulnerability #443

Status: Open

imscary opened this issue May 11, 2019 · 5 comments

Comments

imscary (Contributor) commented May 11, 2019

Like in #367 but combined with XSS. CSP doesn't block it.
https://dweet.dwitter.net/id/13734 will redirect to Google

```html
</script>
<script>
window.location.replace("http://www.google.com")
</script>
<script>
```
lionleaf (Owner) commented
Nice find!

However, this is taken care of by the iframe-src CSP. It doesn't work when you view the dweet in the feed or a normal dweet view: https://www.dwitter.net/d/13734 (at least in my browser)

dweet.dwitter.net is never meant to be viewed directly, so as long as it only affects direct viewing I don't think this is a problem in practice.

imscary (Contributor, Author) commented May 12, 2019

Still can be used as free redirection hosting from an https source. It can be used for creating phishing attacks.

lionleaf (Owner) commented

That's a fair point. It's not really a critical bug, but it's unfortunate that people can send real dwitter links that then redirect.

If there's a simple fix I'd be happy to implement it, but I'm not too worried.

imscary (Contributor, Author) commented May 19, 2019

There are similar attacks on the same method. It would be better if we block dweets that contain </script> or javascript: or </SCRIPT> or //<</
That's what I did on golf512.dx.am because I allow external resources, and it works perfectly now.

lionleaf (Owner) commented

</script> isn't the problem here. Works just as well without it, you just need to make sure it doesn't start paused: https://dweet.dwitter.net/id/13998?autoplay=1

I'm skeptical of doing any sort of scanning of the dweet code, since javascript has so many ways to get around simple filters.
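As an added illustration of the two comments above (example code written for this page, not code from the Dwitter project or from either participant), here is the substring blocklist imscary proposed, implemented as a case-insensitive check so that `</SCRIPT>` and `</Script>` are covered by one entry, together with a constructed sample showing lionleaf's caveat: a dweet that only calls `window.location.replace` contains none of the listed markers and passes the filter, so the frame-level CSP remains the control that actually stops the redirect. Function names and the sample strings are assumptions made for the example.

```python
import re
from typing import Optional

# Markers proposed in the thread for rejecting a dweet. "//<</" is reproduced
# as written there. Matching is case-insensitive and tolerates whitespace in
# the closing tag, which is the least a blocklist of this kind needs.
BLOCKED_PATTERNS = {
    "closing script tag": re.compile(r"</\s*script\s*>", re.IGNORECASE),
    "javascript: URL scheme": re.compile(r"javascript\s*:", re.IGNORECASE),
    "script-break sequence //<</": re.compile(r"//<</"),
}


def find_blocked_marker(dweet_code: str) -> Optional[str]:
    """Return the name of the first blocked marker found in the code, or None."""
    for name, pattern in BLOCKED_PATTERNS.items():
        if pattern.search(dweet_code):
            return name
    return None


def accept_dweet(dweet_code: str) -> bool:
    """Heuristic gate: True when no listed marker is present.

    This is a blocklist. It rejects the listed patterns and nothing else; it
    does not establish that the remaining code is harmless.
    """
    return find_blocked_marker(dweet_code) is None


# Constructed sample inputs (hypothetical, not real dweets from the site).
SAMPLES = {
    "plain drawing code": "for(i=0;i<9;i++)x.fillRect(i*8,0,4,4)",
    "mixed-case closing tag": "</Script><script>c.width=1</script><script>",
    "javascript scheme": 'a.href="JavaScript:void 0"',
    "script-break sequence": "x//<</y",
    # No listed marker at all, so the filter accepts it (the owner's point).
    "redirect only": 'window.location.replace("https://example.invalid")',
}


def classify_samples() -> dict:
    """Map each sample name to the marker found (None when accepted)."""
    return {name: find_blocked_marker(code) for name, code in SAMPLES.items()}


if __name__ == "__main__":
    for name, marker in classify_samples().items():
        print(f"{name:26} -> {'accepted' if marker is None else 'blocked: ' + marker}")
```

The last sample is the one to notice: it is exactly the shape of the redirect discussed in this issue, and the filter lets it through, which is why scanning the dweet source is at best a supplementary check rather than the fix.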
