
Fixing My Site


Are you leaking my hidden comments in developer tools??!! Well not anymore! Take that black hats! >:)

I put out a small patch today that stops the site from loading hidden comments, and felt it was interesting enough to write about. I first realized there might be a problem while thinking about adding a password-protected admin page. Loading the whole page and just unhiding it after a password is entered would let anyone use inspect element and see everything in the HTML, so I started brainstorming ways to tie loading the page to some sort of trigger, like entering the correct password. But then I realized I might have this issue with comments too, since I load them all initially and just selectively filter and hide them on each page.



And after checking the network tab in developer tools, I found this:


ヽ(´Д`* )ノヽ(´Д`* )ノヽ(´Д`* )ノ


This was happening because I was querying every comment from my database, with no filters. As a result, even the hidden comments were in the response. But the fix was obvious.


There we go! Now I only get comments that aren't hidden in the response.
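
The same before/after as a runnable sketch (an added example, not this site's actual code): the `comments` table, its `page`, `body` and `hidden` columns, and the sample rows are all assumptions made up for illustration. It goes one step past the fix described above by also filtering on the page in the query and dropping the `hidden` column from the result.

```python
import json
import sqlite3

# Constructed sample data; the schema is an assumption, not the site's real one.
ROWS = [
    (1, "fixing-my-site", "Nice write-up!", 0),
    (2, "fixing-my-site", "SECRET-DRAFT: moderation note", 1),
    (3, "other-post", "First!", 0),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, page TEXT, body TEXT, hidden INTEGER)"
    )
    db.executemany("INSERT INTO comments VALUES (?, ?, ?, ?)", ROWS)
    return db


def comments_unfiltered(db):
    """Before: every row goes over the wire and the page hides some client-side."""
    rows = db.execute("SELECT id, page, body, hidden FROM comments").fetchall()
    return json.dumps([dict(r) for r in rows])


def comments_filtered(db, page):
    """After: the query drops hidden rows, so they never reach the browser."""
    rows = db.execute(
        "SELECT id, body FROM comments WHERE hidden = 0 AND page = ?", (page,)
    ).fetchall()
    return json.dumps([dict(r) for r in rows])


def leaks_hidden(db, payload):
    """Regression check: does any hidden comment body appear in the response text?"""
    hidden = db.execute("SELECT body FROM comments WHERE hidden = 1").fetchall()
    return any(r["body"] in payload for r in hidden)


if __name__ == "__main__":
    db = make_db()
    print("unfiltered leaks:", leaks_hidden(db, comments_unfiltered(db)))
    print("filtered leaks:  ", leaks_hidden(db, comments_filtered(db, "fixing-my-site")))
```

A check like `leaks_hidden` is worth keeping as a test against the real endpoint, since the leak is invisible on the rendered page and only shows up in the network tab.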



All those years of CTFs paid off, I guess.

Hopefully I didn't just give someone the info to backdoor my site...

Thanks for reading!! You guys should all subscribe!! You'll get emails when I put out something new, and extra fun stuff as well. This time subscribers got to see some of the hidden comments.

