Hacker News | modinfo's comments

AI catching ripples that been hidden for years Got sensors in the water reading stories in the waves Every victim that we find is another soul we save International coalition, this the global grind Bodies tell their secrets when the science intervene



This code only does the most basic and naive regex filtering that even a beginner XSS course's inputs would work against. With the Node example code and input string:

  <p>Hello <scr<script>ipt>alert(1)</scr<script>ipt> World</p>
The program outputs:

  $ node .
  <p>Hello <script>alert(1)</script> World</p>
  {
    sanitizedHTML: '<p>Hello <script>alert(1)</script> World</p>',
    wasModified: true,
    removedElements: [],
    removedAttributes: []
  }
Asking a chatbot to make a security function and then posting it for others to use without even reviewing it is not only disrespectful, but dangerous and grossly negligent. Please take this down.
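As an added illustration of the bypass described in the comment above (this is not the sanitizer from the post, and the function names `stripTagNaive`, `demonstrateBypass`, `escapeHtml` and `runDemo` are my own): a one-pass tag-stripping regex of the same shape as the one quoted from node.ts:52 is applied to the thread's input string, and the removal itself reassembles the `<script>` tag. The second function shows the approach that is safe when the input does not need to carry any markup at all: entity-escape the whole string so the browser renders it as text. The sample input is constructed to match the one in the comment.

```javascript
// Added example, not code from the original post.
// Shows why single-pass regex tag stripping is bypassable and what to do
// instead when untrusted input does not need to be rendered as markup.

// Naive stripper: same regex shape as node.ts:52 in the thread.
// Removes every <tag ...> / </tag ...> match in one pass.
function stripTagNaive(html, tag) {
  const regex = new RegExp(`<\\/?${tag}[^>]*>`, "gi");
  return html.replace(regex, "");
}

// Runs the stripper once and reports whether the forbidden tag is
// present in the *output*, i.e. whether the removal reassembled it.
function demonstrateBypass(html, tag) {
  const output = stripTagNaive(html, tag);
  const reintroducedTag = new RegExp(`<${tag}[^>]*>`, "i").test(output);
  return { output, reintroducedTag };
}

// Entity-escaping: no element can survive this, so the browser shows
// the payload as literal text. Use this when markup is not required;
// when it is, use a real HTML parser with an allow-list, not regexes.
function escapeHtml(s) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed input: the same string used in the comment above.
const CONSTRUCTED_INPUT =
  "<p>Hello <scr<script>ipt>alert(1)</scr<script>ipt> World</p>";

function runDemo() {
  const bypass = demonstrateBypass(CONSTRUCTED_INPUT, "script");
  const escaped = escapeHtml(CONSTRUCTED_INPUT);
  // After escaping there is no '<' left, so no tag can be parsed out of it.
  const escapedHasTags = /<[a-z]/i.test(escaped);
  return { bypass, escaped, escapedHasTags };
}

console.log(runDemo());
```

Running it under Node prints the same reassembled `<p>Hello <script>alert(1)</script> World</p>` that the comment shows, with `reintroducedTag: true`; the escaped form contains `&lt;scr&lt;script&gt;ipt&gt;...` and cannot be interpreted as elements. In a browser the equivalent of the second half, when markup must be preserved, is a DOMParser-based or DOMPurify-style allow-list sanitizer operating on the parsed tree, which is why the example deliberately does not try to "fix" the regex.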


I wonder why Cursor chose a regex approach when it is widely known to be the wrong method. Is it a result of training on low-quality forums for beginners?


It doesn't really matter, but if you ask it the exact same prompt it will give different results every time. And if you don't know how to write one properly yourself, you really shouldn't be blindly trusting AI to produce something correctly. But these are the source of all future employment of developers and engineers who actually know things.


It does seem like a weirdly bad result. I got something more sensible that used DOMParser when I gave GPT-5 the following prompt:

> Write a JavaScript function for sanitizing arbitrary untrusted HTML input before setting a DOM element’s innerHTML attribute.

I won’t post it here in case someone tries to use it, but it wasn’t just doing regex munging.


  node.ts:52: const regex = new RegExp(`<\\/?${tag}[^>]*>`, "gi");
  node.ts:72: const regex = new RegExp(`\\s+${attr}\\s*=\\s*["'][^"']*["']`, "gi");
  node.ts:94: const tagRegex = /<(\w+)[^>]*>/g;
https://stackoverflow.com/questions/1732348/regex-match-open...

LLMs are not intelligent enough to figure out that the post is non-satirical and that you should indeed avoid parsing HTML with regexes.

On the other hand, there is a non-zero chance that a vibe coded HTML parser will eventually include obscure references to ritual infanticide and other eldritch entities of the Basic Multilingual Plane.


Thanks for reminding me that I always wanted to create an alternative to JSON/YAML, so after your post, I got down to work, and this is what came out: https://vzparse.xyz/


No. It works for me.

64 bytes from lhr35s10-in-f14.1e100.net (216.58.206.46): icmp_seq=1 ttl=110 time=47.9 ms


I can ping it too but get 502 errors on google.com and youtube.com


Google and YT work for me just fine: https://www.youtube.com/watch?v=lo4bA4p3MBQ

Maybe it depends on the region.


PING google.com (172.217.17.142): 56 data bytes

Request timeout for icmp_seq 0

Request timeout for icmp_seq 1

Request timeout for icmp_seq 2


My lightweight bookmark manager for organizing, storing, and managing your bookmarks with an intuitive user interface.

https://github.com/skorotkiewicz/bookmarks


A year ago I used this server for my friends, then it was called oragono. I really recommend it.


My cheat for the console

  // Appends the word's synset id to its visible text, once.
  function appendSynsetId(node) {
    const id = node.dataset.synsetid;
    const text = node.textContent.trim();
    if (!text.endsWith(`(${id})`)) {
      node.textContent = `${text} (${id})`;
    }
  }

  // Label every word element already on the page.
  function labelAllWords() {
    document.querySelectorAll('div[data-game-target="word"]').forEach(appendSynsetId);
  }

  labelAllWords();

  // Label word elements as the game inserts them.
  const onMutation = function (mutations) {
    for (const m of mutations) {
      if (m.type !== "childList") continue;
      m.addedNodes.forEach((node) => {
        if (node.nodeType === Node.ELEMENT_NODE) {
          if (node.matches && node.matches('div[data-game-target="word"]')) {
            appendSynsetId(node);
          }
        } else if (node.nodeType === Node.TEXT_NODE) {
          const parent = node.parentElement;
          if (parent && parent.matches && parent.matches('div[data-game-target="word"]')) {
            appendSynsetId(parent);
          }
        }
        if (node.querySelectorAll) {
          node.querySelectorAll('div[data-game-target="word"]').forEach(appendSynsetId);
        }
      });
    }
  };

  const observer = new MutationObserver(onMutation);
  observer.observe(document.body, { childList: true, subtree: true });


Thanks! Will have to see what I can do about it to prevent it.

Is your nickname "aptitude"?


Btw, I wish you shared this privately with me.


What for? Are you trying to make the rankings of this somewhat serious? Are you aware that even with this patched, it remains trivial to build a user script that automatically replaces the flag with the country name? Probably within half an hour you could have a script that also plays the game for you! This feels a lot like how NFT owners wanted people not to be able to right-click and save their "property". This is how the internet works: you can run stuff on your machine that does absolutely anything with the data that is sent to it. Sure, you could choose to fight back. You could move from emojis to images of flags with random filters and distortions applied, or implement some click tracker that checks if the mouse/finger movement is natural, or even something more complex and effective. But the question is: should you? Should you really destroy the beautiful simplicity of this game in order to make the leaderboards more accurate? And does anyone really care about the leaderboards?


> Are you aware that even with this patched, it remains trivial to build a user script

Copy-pasting code feels even more trivial. Writing a script requires some effort.

It feels unfair to people who are not tech-savvy.

Sharing something like this in private is being friendly to me and letting me know that this kind of stuff is possible. Honestly, I knew it wasn't bullet-proof, but I simply didn't have the time and brain capacity to envision all of the possible attack vectors.

Sharing this in public is helping others ruin the experience more easily.



For those interested in specific models, here are a few popular choices among professionals:

    Shure PSM900/PSM1000: Known for their excellent sound quality and reliability. The PSM1000, in particular, offers advanced features like networkability and precision RF performance.

    Sennheiser EW IEM G4: A solid choice with a good balance of performance and affordability. It's widely used in live performances for its robust construction and reliable signal.

    Audio-Technica M3: Offers great value for money, providing clear sound and a sturdy build. It's a popular choice for those looking to enter the professional IEM market without breaking the bank.

    Ultimate Ears UE 11 Pro: Custom-molded for the perfect fit and excellent sound isolation. These are highly regarded among top-tier musicians for their superior audio quality.


Exactly, I am also following this post

