Something for possible implementation...

Started by PipeBox, May 01, 2009, 01:27:51 AM


PipeBox

This site could use a godawful easter egg, imho.  With that in mind, and in the spirit of the Invisible Pink Unicorn, I offer up this.

For a quick preview, just use the konami code on that page and press whatever keys you want, so: up up down down left right left right b a blah blah blah blah blah blah blah.
If sin may be committed through inaction, God never stopped.

My soul, do not seek eternal life, but exhaust the realm of the possible.
-- Pindar

Whitney


AlP

I could write a godawful HAF easter egg if people are interested in wasting their time in this way. I know I am. I'm a professional programmer you know! =) I would need help with the godawful graphics. What do you think Whitney? How about a key combination that turns all the smilies on a page into some alternative (and hilariously amusing) animated gif? It would only be visible to the person who did it and only until they go to another page.
"I rebel -- therefore we exist." - Camus

karadan

That. Is. Amazing.

Thanks Pipebox! :D

My whole office is now trying to find other sites with that easter egg. I'll let you know if we find any others.
Quote: I find it mystifying that in this age of information, some people still deny the scientific history of our existence.

rlrose328

SO COOL!  I love those types of things!  Hubby, also a professional programmer, is shaking his head.  LOL!   :banna:
**Kerri**
The Rogue Atheist Scrapbooker
Come visit me on Facebook!


PipeBox

Heh, ESPN had it the other day until the internets caught on.  The webmaster said he didn't put it in there (he obviously did), but that he had to take it down because it was being blogged so widely.   :D

Here's a pic from before they "fixed" it.
http://imgur.com/Efy.jpg

Whitney

Quote from: "AlP"
I could write a godawful HAF easter egg if people are interested in wasting their time in this way. I know I am. I'm a professional programmer you know! =) I would need help with the godawful graphics. What do you think Whitney? How about a key combination that turns all the smilies on a page into some alternative (and hilariously amusing) animated gif? It would only be visible to the person who did it and only until they go to another page.

That would be funny...but would doing something like that create security holes for the hackers?

PipeBox

Only if they had already compromised it.  It's just a JavaScript running on your end and the compiled Java code server side doing all the fun stuff in the case of cornify.  The code that calls the JS is jQuery, but again, that's only functions on the client end.  There's really no way to abuse this, but I'll run it by my brother, who's an admin on three different boards and does this stuff for money (been meaning to learn, myself, as it's a nice supplemental income).

I suspect AlP will say the same.   :D

PipeBox

Kiros, former admin from virtualteen.org, coder and modmaker on the vBulletin boards, administrator at milsurps.com and thesocialrev.com, informs me it's totally safe for your server, Whitney.  He also recommends you buy a $5 flash chat, or call for donations and get the $180 vBulletin so he can assist you, but that's just because he wants another recommendation under his belt for when he moves into the commercial sector.   :P

*edit to fix bad website name*

Kiros

Mhmm. I've looked at the code, and I cannot find anything harmful or exploitable within it. It's client-side JavaScript that loads a remote JavaScript package whenever the correct keys are pressed. So after your server gives the code (serves the web page) to the user, there is no more interaction between the server and client. There's no exploitable tunnel or anything.

Also, please consider jumping to vBulletin. I know that it costs money, but if you open donations, you may be able to buy an owned license fairly easily. If 20 people donate about $10 each, that would give you enough to get vBulletin and FlashChat (an integrated chat room). The only reason that I'm suggesting it is because I'm a vBulletin coder and I could assist you free-of-charge if you ever need board tech support.

But I digress. My brother is correct. There's no room for exploits here; not in the code that PipeBox is suggesting. phpBB has more exploitable code than this bit of JavaScript. However, I'm not sure about AlP's code since there isn't any code yet :P
Kiros || Ben

Happiness is not about being perfect.
It is about seeing beyond the imperfections.

Whitney

I don't see why I should pay for vBulletin when things like phpBB and SMF are free.  Not to mention that making the switch would be a pain in the ass that I don't have time for.

Kiros

Right, right. It's just a suggestion. In my opinion, it's worth the money. Some basic features are compared here: http://www.forummatrix.org/compare/phpBB+vBulletin

However, the best part about vBulletin is the logic of the software. The way that it uses the templates and plugins makes it very easy to work with and modify. Anyway, it's just an off-topic suggestion.

The fact of the matter is, the Easter Egg JavaScript that PipeBox found looks pretty good and shouldn't be exploitable.

AlP

It lives!

An example of my proposed HAF easter egg is here. Apologies for the text ads at the bottom. I used a free web host. It's just a functional demo that demonstrates what it does. You type "happysmilies" and it turns the smilies into a different image (in this case of the flying spaghetti monster). I don't believe there are any security issues. No code runs on the server. It's completely client side. The code does not access cookies. It does not execute any third party JavaScript code. It doesn't allow users to inject JavaScript code. It modifies the DOM but not by changing the HTML (it doesn't change the innerHTML property, which is dangerous). I see no means of exploiting it for an XSS or XSRF attack. If anyone wants to review the code, it's here.

I'm running in Solaris at the moment so I can only test in Firefox. Can someone check to see if it works in Internet Explorer, Chrome and Safari?

Now who's got a hilariously amusing animated gif to replace the smilies with?

 :D
"I rebel -- therefore we exist." - Camus
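The properties AlP lists above (client side only, no cookies, no third-party script, no `innerHTML`) can be seen in a small sketch. This is an added example, not AlP's code or anything from the forum's software; the function names, the `/images/fsm.gif` path and the `/smilies/` URL test are assumptions made for illustration.

```javascript
'use strict';
// Added illustration; createSequenceDetector, swapSmilies and
// REPLACEMENT_SRC are hypothetical names, not from the thread.

// Fixed, same-origin replacement image: never derived from user input.
const REPLACEMENT_SRC = '/images/fsm.gif'; // constructed placeholder path

// Returns a function that is fed one key at a time and reports true
// when the most recent keys typed spell `secret`.
function createSequenceDetector(secret) {
  let buffer = '';
  return function feed(key) {
    // Ignore non-character keys such as "Shift" or "ArrowUp".
    if (typeof key !== 'string' || key.length !== 1) {
      return false;
    }
    // Sliding window: keep only the last secret.length characters.
    buffer = (buffer + key.toLowerCase()).slice(-secret.length);
    if (buffer === secret) {
      buffer = ''; // require the whole word again before re-triggering
      return true;
    }
    return false;
  };
}

// Swap smilies by assigning the `src` property of existing <img> nodes.
// No HTML string is built or parsed, so nothing typed can become markup.
function swapSmilies(images, isSmiley) {
  let changed = 0;
  for (const img of images) {
    if (isSmiley(img)) {
      img.src = REPLACEMENT_SRC;
      changed += 1;
    }
  }
  return changed;
}

// Browser wiring; skipped when there is no DOM (for example under Node).
if (typeof document !== 'undefined') {
  const detect = createSequenceDetector('happysmilies');
  document.addEventListener('keydown', (event) => {
    if (detect(event.key)) {
      // Assumed convention: smiley images live under a /smilies/ path.
      swapSmilies(document.images, (img) => img.src.includes('/smilies/'));
    }
  });
}
```

The typed keys are only ever compared against the fixed word; they are never written into the page, which is why the script has no input that could carry markup.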

curiosityandthecat

Quote from: "AlP"
Now who's got a hilariously amusing animated gif to replace the smilies with?

 :D
-Curio

AlP

Quote from: "curiosityandthecat"
:D

I think this must be the first time you've replied to a post without an amusing animated GIF!

I've got this working in Internet Explorer, Chrome and Firefox now. I've also added a "chase the mouse cursor" feature. Click the flying spaghetti monster and he'll follow you around.

Any suggestions?