BUG WATCH! - If you see a bug report it here!

[Melooon]

the welcome email it's suggested to write a greeting, but the link leads to a board where no

Thanks for the report! This is so weird, I've fixed this bug at least 3 times and somehow that link never goes away, it must be in some other file somewhere

[Dan Q]

I'm moderately confident there's an XSS vulnerability in the code that puts a message in the shoutbox when somebody creates a new thread.

When you create a new thread, the title of that thread gets posted (in a link) to the shoutbox, e.g. "Dan Q created [linked title of post]".

But that title doesn't get escaped, so any HTML code in the post title gets injected directly into the page, via the shoutbox. I haven't tested it, but a Melonlander could (deliberately or accidentally) cause a problem here. Suppose I created a thread with the subject "<script>alert('hi');</script> not working on my site", then I imagine the actual HTML code <script>alert('hi');</script> would get injected into the shoutbox!

We're a closed community, so we're probably moderately-safe (or else I wouldn't announce this in a public thread!), but it's probably still worth fixing! All that's needed is to run the titles through an escape_html(...) -like function before shoutboxing them.

I discovered this by accident when I posted this thread, which has HTML-like code in the subject.

Update: yup, verified by this thread, with which I was able to inject an image into the shoutbox. The limitation on the lengths of subject strings would make an "attack" difficult, but definitely not impossible! See attached screenshot.

[pepper]

This is a very odd issue but whenever I leave the forum page open in a tab and I restart my browser I get pinged notifications for alerts I have already seen and viewed.

This'll be because new alerts get picked up by each tab, but alerts that you click on only trigger an event in the current tab. And your browser is caching the DOM. I guess.
...
Refreshing the page should make them go away (because you've already viewed them).
...

This happens to me frequently, and reloading the page doesn't seem to make it go away completely? I have been getting the same notifications popping up on my OS toasts since Wednesday, across two different PCs/ browsers, even though I do not have any alerts showing on the forum.

Both PCs are Linux Mint, both are up-to-date Firefox. I am having difficulty recreating the problem reliably, but I have been for instance getting notifications about the Wednesday Website guild off and on since Wednesday. Even if I close my browser, then later re-open it, I will sometimes (but not always?) get the same notifications.

For the time being I think I will need to just disable notifications for the forum, which is a shame as I like knowing when threads I'm interested in have activity, I don't like to clutter my email inbox, and I have yet to set up an RSS client. (Maybe I should just set up an RSS client already, but still, this bug ... bugs me ...)

[boreal cryptid]

mobile version of the forum doesn't hide/spoiler users from ignore list :(

[Melooon]

Both PCs are Linux Mint, both are up-to-date Firefox. I am having difficulty recreating the problem reliably

I have noticed this too, almost every time I open the forum on a computer I've not used in a while it will spam all the past notifications since I last used it, even for things I've already viewed on other computers. I don't really know much about how browser notifications work, so I have no idea why that happens! I guess its possible that push notifications are always running in the background, so the browser stacks up notifications quietly, maybe there is some command that should be sent to clear them. If anyone has experience lemmy know, otherwise it'll need some research!

hide/spoiler users from ignore list :(

It could be a chicken and egg situation; but less than 1% of forum members have ever used the ignore feature, so this is prob not a part of the site that's gonna get much time dedicated to it, but I will add it to the list!

[Melooon]

moderately confident there's an XSS

across two different PCs/ browsers, even though I do not have any alerts showing on the forum.

Both these should be fixed now. Alerts are prob still weird, but I'm 99% sure you will only get alerts in one tab now, and I'm 50% sure you wont get alerts showing up across multiple computers/browsers unless both are awake and on the forum at the moment you get an alert. (however its also possible I just broke notifications completely)

Dan your XSS attack path should now be fixed, hope you made some good use of it while you could

[Dan Q]

Dan your XSS attack path should now be fixed, hope you made some good use of it while you could

Ah, give me a few weeks; I'm sure I'll stumble upon another!

[candycanearter07]

Not 100% sure if this is a "bug", per-se, but the RSS feed list does not have an assigned author field for each message. It would be nice to be able to locally filter my own posts out of the feed, just for cleanliness sake. IDK how the feed code is written, and it's fine if not, but it would be handy. Thanks!

[kurohaato]

There seems to be an issue where the font list is getting cut off whenever you make or reply to a post. It's most noticeable with the guilds where the text editor cuts it off at Flavors, but even the normal sized text editor cuts it off at Trash Hand (which I'm sure is annoying for the one person here that knows how to use wingdings). Messing around with inspect element lets me access the other fonts by changing the height of the div with the .sceditor-container class, but it would probably be better if we were able to scroll through the list instead of changing the text editor height. I've attached two screenshots below showing the issue on the normal forum text box and the guilds text box.

[IndigoGolem]

When you multi-quote a message and then pull it up with the quote button that appears, the quote displays behind the sidebar. At least in the default rain-and-flowers theme. This makes some of the buttons inaccessible.

To reproduce: multi quote a message, click the "n Quotes" button in the bottom-left corner of the screen.

[Melooon]

the quote displays behind the sidebar

Thanks for this report, it should now be fixed with a cache clear!

t's fine if not, but it would be handy.

A good suggestion! I think I got it, but lemmy know!

There seems to be an issue where the font list is getting cut off whenever you make or reply to a post

This issue is basically that the editor exists within an iframe so it cant flow out of the editor area, however there are a few editor bugs I'm aware of, so I'll see what I can do as I work on this! A scroll might be do-able.
Fixed!

[arcus]

Guild notes no longer display with Javascript disabled.

The MelonLand Nav overlaps on elements on Netsurf. Minor, but worth noting.

If this post goes through, then the "Save as Draft" button is still bugged.

[Null]

The time offset is messed up, whenever I click the detect button the time it claims that it is is about four hours off, but when I try to fix it manually, the time becomes even less accurate. I have been messing with it for a while but it never seems to work 

[arcus]

It's now possible to browse the forum and reply on Mondays with CSS disabled.

[Dan Q]

The image proxy is definitely broken. This topic first made me suspect, but I've now seen it myself when I tried to add an image to a post from a domain that I know used to work. I typed:

Code

[img width=600 height=450]https://danq.me/_q23u/2026/05/nekodemo-minigif.gif[/img]

And I got:



If you "inspect element" that line you'll see that it's a broken image. The URL it's trying is https://images.melonland.net/?url=https%3A%2F%2Fdanq.me%2F_q23u%2F2026%2F05%2Fnekodemo-minigif.gif&w=1200&fit=inside&we&q=85&il&n=-1&default=1&return=https%3A%2F%2Fforum.melonland.net%2Findex.php%3Faction%3Dpost2%3Bstart%3D240%3Bboard%3D1, which is throwing back a HTTP 403

So yeah: I'm pretty confident it's broken!

I notice that Sneeze images are fine though. If I put:

Code

[img width=600 height=450]https://ftp.melonland.net/Dan_Q/nekodemo-minigif.gif[/img]

I get the (working):



The difference is, of course, that Sneeze images don't get routed through the proxy. So it's definitely the proxy at fault!