profile
viewpoint
If you are wondering where the data of this site comes from, please visit https://api.github.com/users/mkoppmann/events. GitMemory does not store any data, but only uses NGINX to cache data for a period of time. The idea behind GitMemory is simply to give users a better reading experience.
Michael Koppmann mkoppmann SBA Research (@sbaresearch) Austria https://www.mkoppmann.at Penetration Tester; Security Enthusiast; FP Apprentice

mkoppmann/sbox-backend 2

Proof of concept code for a bachelor’s thesis project. This is the backend part.

mkoppmann/sbox-frontend 2

Proof of concept code for a bachelor’s thesis project. This is the frontend part.

mkoppmann/adventofcode-haskell 0

My Advent of Code solutions in Haskell

mkoppmann/sqlite-simple 0

Mid-level bindings for sqlite

mkoppmann/website 0

My personal website

mkoppmann/wtcvss 0

A CVSSv3 random vector generator in Elm.

startedendojs/endo

started time in 8 days

startedocapn/ocapn

started time in 18 days

startedtc39/proposal-realms

started time in 18 days

issue openedelm/virtual-dom

`</script>` breaks Elm

The Elm runtime crashes when </script> is used. Other XSS examples are correctly encoded.

Minimal example:

import Html exposing (text)
main = text "</script>"

Result:

_Platform_export({'Main':{'init':_VirtualDom_init($author$project$Main$main)(0)(0)}});}(this));

  var app = Elm.Main.init({ node: document.getElementById("elm") });
}
catch (e)
{
  // display initialization errors (e.g. bad flags, infinite recursion)
  var header = document.createElement("h1");
  header.style.fontFamily = "monospace";
  header.innerText = "Initialization Error";
  var pre = document.getElementById("elm");
  document.body.insertBefore(header, pre);
  pre.innerText = e;
  throw e;
}

Working example:

import Html exposing (text)
main =  text "<a href=\"javascript://%0Aalert('XSS');\">XSS</a>"

Result (correctly encoded):

<a href="javascript://%0Aalert('XSS');">XSS</a>

This happens in the Elm Playground, with elm reactor or builds created by elm make.

User input is also correctly encoded. This happens only for </script> when it’s used at compile-time.

created time in 24 days