ryt / github-renderer Goto Github PK
View Code? Open in Web Editor NEWRenders .html pages from github repositories for instant viewing.
Renders .html pages from github repositories for instant viewing.
I believe that XSS is a huge problem with this bookmarklet. Although the JS files might be loaded from raw.github.com, they're still executed in the github.com context.
I forked the repo and edited example.html to provide a proof of concept. Just run the githtml bookmarklet on this page:
https://github.com/dergachev/githtml/blob/master/example.html
Note: my XSS code is fairly harmless, as it just alerts your github username.
But it could have just as easily deleted your github acount, so read it first before using this bookmarklet.
I'm not exactly sure how one could re-architect the bookmarklet to avoid this. Perhaps via iframe src="https://raw.github.com/.../example.html", though I really haven't thought this through.
At the very least, you should warn people very clearly that by running this bookmarklet on an HTML page uploaded to github.com, they're willing to trust it not to steal their github credentials.
(Aside from this, I think this bookmarklet is a really useful idea! I guess you might modify it to work with gists too)
Chrome extensions have content scripts which can be restricted to inject js/css on
a particular domain. A bookmarklet is great, but it would be cool to have this automagically
work with the extension installed.
http://code.google.com/chrome/extensions/content_scripts.html
Because it only seems to work when that's the case.
My quasi-related HN comment: http://news.ycombinator.com/item?id=4198300
There are some additions to the extension source code that would be good. To name a few.
chrome.min.js
directly inside the extension instead of importing it from github.If you've forked this repo, please update your bookmark or your fork.
Previously, some pages, such as bootrap and backbone.js, were deformed in the rendered view. This bug has now been fixed and they should all render correctly.
This extension does pose some serious XSS threats against your Github account. If you open an html file that includes some malicious javascript, your entire account could be compromised. Dangerous if you're responsible for a large repo. This could possibly alter the code of a project which again could lead to someone git cloning malware.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.