Simon Willison’s Weblog

Monday, 2nd August 2021

TIL Search and replace with regular expressions in VS Code — I wanted to replace all instances of this:
Release sqlite-utils 3.14 — Python CLI utility and library for manipulating SQLite databases
Release sqlite-transform 1.2.1 — Tool for running transformations on columns in a SQLite database

OkCupid had a CSRF vulnerability (via) Good write-up of a (now fixed) CSRF vulnerability on OkCupid. Their site worked by POSTing JSON objects to an API. JSON POSTs are usually protected against CSRF because they can only be sent using fetch() or XMLHttpRequest, which are protected by the same-origin policy. Yan Zhu notes that you can use the enctype="text/plain" attribute on a form (introduced in HTML5) and a crafty hidden input element with name='{"foo":"' value='bar"}' to construct JSON in an off-site form, which enabled CSRF attacks.

# 10:12 pm / csrf, security
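As an added illustration (not from Simon's post or Yan Zhu's write-up), the constructed Python below serializes that hidden input the way a browser does for `enctype="text/plain"`, shows that the result parses as JSON, and contrasts a handler that trusts any body with one that enforces the `application/json` Content-Type a plain HTML form cannot produce. The function names are hypothetical.

```python
"""Why a JSON API must check Content-Type, not just parse the body.

A <form enctype="text/plain"> with one hidden input named '{"foo":"' and
valued 'bar"}' is serialized by the browser as   {"foo":"=bar"}   followed
by CRLF. That is valid JSON, so an endpoint that parses whatever arrives
will accept the cross-site request. (Constructed example, not OkCupid code.)
"""
import json


def text_plain_form_body(fields: dict[str, str]) -> str:
    """Serialize fields as a browser does for enctype=text/plain:
    'name=value' followed by CRLF for each field, no percent-encoding."""
    return "".join(f"{name}={value}\r\n" for name, value in fields.items())


def naive_parse(content_type: str, body: str) -> dict:
    """Vulnerable pattern: ignores Content-Type and trusts any JSON-looking
    body, so a form-generated text/plain POST is accepted."""
    return json.loads(body)


def hardened_parse(content_type: str, body: str) -> dict:
    """Mitigation: accept only genuine application/json requests.

    A plain HTML form can only send application/x-www-form-urlencoded,
    multipart/form-data or text/plain. Requiring application/json forces the
    caller to use fetch()/XHR, and a cross-origin fetch() with that type
    triggers a CORS preflight the server can refuse. Pair this with SameSite
    cookies or a CSRF token for defence in depth.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        raise ValueError(f"unsupported content type: {content_type!r}")
    return json.loads(body)


def demo() -> tuple[dict, bool]:
    """Return what the naive parser accepts and whether the hardened one refuses."""
    forged = text_plain_form_body({'{"foo":"': 'bar"}'})  # constructed input
    accepted = naive_parse("text/plain", forged)
    try:
        hardened_parse("text/plain", forged)
        refused = False
    except ValueError:
        refused = True
    return accepted, refused
```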
