Michael Koppmann mkoppmann SBA Research (@sbaresearch) Austria Penetration Tester; Security Enthusiast; FP Apprentice

mkoppmann/sbox-backend 2

Proof of concept code for a bachelor’s thesis project. This is the backend part.

mkoppmann/sbox-frontend 2

Proof of concept code for a bachelor’s thesis project. This is the frontend part.

mkoppmann/adventofcode-haskell 0

My Advent of Code solutions in Haskell

mkoppmann/sqlite-simple 0

Mid-level bindings for sqlite

mkoppmann/website 0

My personal website

mkoppmann/wtcvss 0

A CVSSv3 random vector generator in Elm.



issue opened elm/virtual-dom

`</script>` breaks Elm

The Elm runtime crashes when `</script>` is used. Other XSS examples are correctly encoded.

Minimal example:

```elm
import Html exposing (text)
main = text "</script>"
```



```javascript
try {
  var app = Elm.Main.init({ node: document.getElementById("elm") });
}
catch (e)
{
  // display initialization errors (e.g. bad flags, infinite recursion)
  var header = document.createElement("h1");
  header.style.fontFamily = "monospace";
  header.innerText = "Initialization Error";
  var pre = document.getElementById("elm");
  document.body.insertBefore(header, pre);
  pre.innerText = e;
  throw e;
}
```

Working example:

```elm
import Html exposing (text)
main = text "<a href=\"javascript://%0Aalert('XSS');\">XSS</a>"
```

Result (correctly encoded):

```
<a href="javascript://%0Aalert('XSS');">XSS</a>
```

This happens in the Elm Playground, with `elm reactor` or builds created by `elm make`.

User input is also correctly encoded. This happens only for `</script>` when it’s used at compile-time.

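The behaviour reported above fits the way HTML parsers end an inline `<script>` element at the first `</script` end tag, even when that text sits inside a JavaScript string. The following is an added example, not code from the issue or from Elm; it assumes the generated page embeds the compiled string literal verbatim in an inline script, and `splitAtScriptEnd`, `naiveLiteral`, `safeLiteral` and `emitInlineJs` are hypothetical names.

```javascript
// Added example; function names and the sample "compiled" script are constructed.

// Approximation of the HTML tokenizer rule for script data: the element ends at the
// first "</script" followed by whitespace, "/" or ">", even inside a JS string.
const SCRIPT_END = /<\/script[\s\/>]/i;

// Split inline JS into the part the browser runs and the part that leaks out as page text.
function splitAtScriptEnd(inlineJs) {
  const m = SCRIPT_END.exec(inlineJs);
  if (!m) return { executed: inlineJs, leaked: "" };
  const close = inlineJs.indexOf(">", m.index);
  return {
    executed: inlineJs.slice(0, m.index),
    leaked: close === -1 ? "" : inlineJs.slice(close + 1),
  };
}

// Naive emitter: a valid JS string literal, but "</script>" survives verbatim.
function naiveLiteral(value) {
  return JSON.stringify(value);
}

// Hardened emitter: write every "<" as \u003c so no end tag can appear in the
// script text. U+2028/U+2029 are escaped too, for engines predating ES2019.
function safeLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Constructed stand-in for generated output that embeds a compile-time string.
function emitInlineJs(value, literal) {
  return "try {\n  var app = init(" + literal(value) + ");\n}\ncatch (e)\n{\n  throw e;\n}";
}

const broken = splitAtScriptEnd(emitInlineJs("</script>", naiveLiteral));
const fixed = splitAtScriptEnd(emitInlineJs("</script>", safeLiteral));
console.log(JSON.stringify(broken.leaked)); // remainder of the script, shown as text
console.log(JSON.stringify(fixed.leaked));  // empty: the script stays intact
```

With the naive emitter the executed part stops inside an unterminated string, so the script fails to parse and the rest of the source is rendered as page text, as with the `catch (e)` fragment shown in the issue.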