Search results for "python format string escape quotes": 1 - 15 of 15

  • The landmine that is the Content-Disposition filename (how I found 17 vulnerabilities from a single point of view) - ぶるーたるごぶりん

    English ver: https://gist.github.com/motoyasu-saburi/1b19ef18e96776fe90ba1b9f910fa714#file-lack_escape_content-disposition_filename-md TL;DR I found vulnerabilities in one browser, one programming language, and 15 { web frameworks, HTTP client libraries, email libraries / web services, etc. }. All of the vulnerabilities were found from a single point of view (I surveyed roughly 50-80 products). The RFC states the requirements for this problem (in a rather hard-to-follow way), while the WHATWG HTML Spec describes them properly. This problem, the Content-Dispo
  • Vjeux » Birth of Prettier

    React Conf is around the corner and it's been almost 10 years since Prettier was released. I figured it would be a good time to recount the journey from its early days to now. This is the story of how the "Space vs Tabs Holy War" ended, not through one side winning over the other but instead a technological invention making it the underlying source of tensions no longer being a thing. Back Story S

  • Font with Built-In Syntax Highlighting

    Syntax Highlighting in Hand-Coded Websites The problem I have been trying to identify practical reasons why hand-coding websites with HTML and CSS is so hard (by hand-coding, I mean not relying on frameworks, generators or 3rd party scripts that modify the DOM). Let's say, I want to make a blog. What are the actual things that prevent me from making—and maintaining—it by hand? What would it take t

  • The KDL Document Language

    KDL is a small, pleasant document language with XML-like node semantics that looks like you're invoking a bunch of CLI commands! It's meant to be used both as a serialization format and a configuration language, much like JSON, YAML, or XML. It looks like this: package { name my-pkg version "1.2.3" dependencies { // Nodes can have standalone values as well as // key/value pairs. lodash "^3.2.1" op

  • Delimiter-first code

    Summary I argue for wider usage of delimiter-first in the code three friends [tic, tac, toe] becomes three friends ・tic ・tac ・toe. A new top-level syntax for programming languages is proposed to show advantages of this method. New syntax is arguably as simple, but more consistent, better preserves visual structure and solves some issues in code formatting. Related: comma-first formatting A well-kn

  • January 2025 (version 1.97)

    Update 1.97.1: The update addresses these security issues. Update 1.97.2: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the January 2025 release of Visual Studio Code. There are many updates in this version that we hope you'll like, some of the key highlights include: Next Edit Suggestions (preview) - Co

  • PowerShell: the object-oriented shell you didn’t know you needed | Chris Warrick

    PowerShell is an interactive shell and scripting language from Microsoft. It’s object-oriented — and that’s not just a buzzword, that’s a big difference to how the standard Unix shells work. And it is actually usable as an interactive shell. Getting Started PowerShell is so nice, Microsoft made it twice. Specifically, there concurrently exist two products named PowerShell: Windows PowerShell (5.1)

  • 0.10.0 Release Notes ⚡ The Zig Programming Language

    Tier 4 Support § Support for these targets is entirely experimental. If this target is provided by LLVM, LLVM may have the target as an experimental target, which means that you need to use Zig-provided binaries for the target to be available, or build LLVM from source with special configure flags. zig targets will display the target if it is available. This target may be considered deprecated by

  • Hacker News folk wisdom on visual programming

    I’m a fairly frequent Hacker News lurker, especially when I have some other important task that I’m avoiding. I normally head to the Active page (lots of comments, good for procrastination) and pick a nice long discussion thread to browse. So over time I’ve ended up with a good sense of what topics come up a lot. “The Bay Area is too expensive.” “There are too many JavaScript frameworks.” “Bootcam

  • What's New in Emacs 28.1?

    Try Mastering Emacs for free! Are you struggling with the basics? Have you mastered movement and editing yet? When you have read Mastering Emacs you will understand Emacs. It’s that time again: there’s a new major version of Emacs and, with it, a treasure trove of new features and changes. Notable features include the formal inclusion of native compilation, a technique that will greatly speed up y

  • An Experienced (Neo)Vimmer's Workflow

    Motivation Ever since TJ said “Personalized Development Environment,” the phrase latched onto me like a cobweb in a mineshaft. A Personalized Development Environment (PDE) describes an ideal setup that is tailored to your needs and preferences – it lies between a bare-bone text editor and a full-fledged IDE. It is a place where you can be productive, efficient, and comfortable. It is a place that

  • That Time Ken Thompson Wrote a Backdoor into the C Compiler

    Here's a classic Python quine to demonstrate the self-reproducing behavior: s = 's = %r\nprint(s %% s)' print(s % s) s holds a string that is almost the whole program, including the placeholder %r, which formats via repr(). The print(s % s) uses Python's old C-style %-formatting. Important notes about the characters inside s: %r is a placeholder: it tells Python to insert the repr() of the argumen

  • JSON is not JSON Across Languages | Dochia CLI Blog

    Introduction: These Aren’t the JSONs You’re Looking For JSON (JavaScript Object Notation) was designed as a simple, lightweight, and human-readable data interchange format, often positioned as a more accessible alternative to XML. It has become the de facto standard for web APIs and system integration. However, while the specification itself is straightforward, different programming languages and

  • GEPA: Reflective Prompt Evolution Can Outperform Reinforcement Learning

    Accepted at ICLR 2026 (Oral). GEPA: REFLECTIVE PROMPT EVOLUTION CAN OUTPERFORM REINFORCEMENT LEARNING Lakshya A Agrawal1 , Shangyin Tan1 , Dilara Soylu2 , Noah Ziems4 , Rishi Khare1 , Krista Opsahl-Ong5 , Arnav Singhvi2,5 , Herumb Shandilya2 , Michael J Ryan2 , Meng Jiang4 , Christopher Potts2 , Koushik Sen1 , Alexandros G. Dimakis1,3 , Ion Stoica1 , Dan Klein1 , Matei Zaharia1,5 , Omar Khattab6

  • HTML Whitespace is Broken - Devel without a Cause

    HTML Whitespace is Broken September 2, 2024 Recently, I was working on a project which required a deeper understanding of how whitespace works in HTML. I was never a fan of HTML's whitespace behavior before as I've been burned by it a few times. But as I dug into it more deeply, I found myself discovering complex design issues that I wanted to explore in a blog post. This is partially to write down