Discuss Scratch

mybearworld
Scratcher
1000+ posts

'~/ or "~/ turns into https://cdn.scratch.mit.edu/scratchr2/static/__9209616f20ac... in the post preview

My browser / operating system: Windows NT 10.0, Chrome 106.0.0.0, No Flash version detected

A combination of any quote, double or single, the tilde, and a slash, so either "~/ or '~/, results in the quote and https://cdn.scratch.mit.edu/scratchr2/static/__9209616f20ac7fc52efa806cd216a370__//djangobb_forum/js/markitup/ when using the post preview.

  • This doesn't work when the smart quotes happen: “~/ ” shows as expected (and so does ‘~/ ’.)
  • This works in code blocks also.
  • This seems to not care about the BBCode, as "~[]/ looks like that link too (and so does "~[anything invalid]/).
  • The link caused by the combination is not clickable.
  • This doesn't happen with syntax highlighting:
    print("~/")
    
    That doesn't require actually being highlighted:
    @echo "~/
    @echo "~/"
    
    In both of these code blocks this effect occurs.

Last edited by mybearworld (Oct. 11, 2022 15:11:19)

Chiroyce
Scratcher
1000+ posts

can replicate, this is definitely a bug, and may require a lot more attention
mybearworld
Scratcher
1000+ posts

Chiroyce wrote:

(#2)
can replicate, this is definitely a bug, and may require a lot more attention
Yeah, the cause of this could be harmless or pretty severe. We'll see.

Last edited by mybearworld (June 28, 2022 12:06:27)

CST1229
Scratcher
1000+ posts

The exact character combination that causes the replacement is "~/, which results in
"https://cdn.scratch.mit.edu/scratchr2/static/__9209616f20ac7fc52efa806cd216a370__//djangobb_forum/js/markitup/
. Also, it works outside of code tags too:

EDIT: It also works with apostrophes (ignore the extension):

Last edited by CST1229 (June 28, 2022 15:17:56)

mybearworld
Scratcher
1000+ posts

CST1229 wrote:

(#4)
The exact character combination that causes the replacement is "~/, which results in
"https://cdn.scratch.mit.edu/scratchr2/static/__9209616f20ac7fc52efa806cd216a370__//djangobb_forum/js/markitup/
. Also, it works outside of code tags too:
https://assets.scratch.mit.edu/get_image/.%2E/2199f66fc7af9496b01dbca5f8542db2.png
EDIT: It also works with apostrophes (ignore the extension):
https://assets.scratch.mit.edu/get_image/.%2E/e2d4f97d0ca66eaacbbd8537ac77fef2.png
Thank you, added that information to the post, as well as something I found while adding that.
glomeromycota
Scratcher
100+ posts

My browser / operating system: MacOS Macintosh 12.4, Safari 15.5, No Flash version detected
Can replicate

Last edited by glomeromycota (June 28, 2022 19:47:46)

musicROCKS013
Scratcher
1000+ posts

'~/

My browser / operating system: MacOS Macintosh X 10.11.6, Chrome 102.0.0.0, No Flash version detected

Can replicate
kccuber
Scratcher
1000+ posts

Oh no.

That's a relative path. You can do wacky things like this:

'~/../../img/smilies/smile.png

Could this lead to XSS or something?
glomeromycota
Scratcher
100+ posts

kccuber wrote:

Oh no.

That's a relative path. You can do wacky things like this:

'~/../../img/smilies/smile.png

Could this lead to XSS or something?
it only works when there's an apostrophe/quote behind it

Last edited by glomeromycota (June 29, 2022 02:14:42)

ZZC12345
Scratcher
500+ posts

kccuber wrote:

Oh no.

That's a relative path. You can do wacky things like this:

'~/../../img/smilies/smile.png

Could this lead to XSS or something?
It's probably just a typo in a RegExp somewhere, so probably not. It's just a harmless non-clickable url.

Does anyone know why the resource at that URL redirects you to the old cdn's 8080 port and doesn't use the standard 80 or 443?
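
Added example, not part of the thread and not Scratch's or DjangoBB's code: one mechanism that would reproduce the symptoms reported above is an editor preview that rewrites `~/` after a straight quote into its static root, and runs that rewrite over the rendered post instead of only over its own template. The root URL, the template and every function name below are hypothetical.

```javascript
// Added illustration. ROOT, TEMPLATE and all function names are hypothetical.
const ROOT = "https://static.example.invalid/js/editor/"; // constructed placeholder
const TEMPLATE =
  '<link rel="stylesheet" href="~/preview.css"><div><!-- content --></div>';

// Assumed root-path rewrite: "~/" directly after a straight quote becomes ROOT.
// Intended for attributes such as href="~/preview.css" in the editor's template.
function localize(html) {
  return html.replace(/("|')~\//g, (_, quote) => quote + ROOT);
}

// Escape markup characters in post text. Straight quotes are legal in an HTML
// text node, so they stay literal (assumption about the renderer).
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Flawed order: the post is inserted first, then the whole page is rewritten,
// so quote + "~/" inside user text is treated like a template path.
function previewFlawed(post) {
  const page = TEMPLATE.replace("<!-- content -->", () => escapeText(post));
  return localize(page);
}

// Corrected order: rewrite only the trusted template, then insert the post.
function previewFixed(post) {
  return localize(TEMPLATE).replace("<!-- content -->", () => escapeText(post));
}

// Helper for inspection: the rendered post body inside the preview page.
function bodyOf(page) {
  return page.slice(page.indexOf("<div>") + 5, page.lastIndexOf("</div>"));
}

// Constructed sample posts using the patterns discussed in the thread.
for (const post of ['@echo "~/', "'~/", "“~/ ”"]) {
  console.log(JSON.stringify(post), "=>",
    bodyOf(previewFlawed(post)), "|", bodyOf(previewFixed(post)));
}
```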
mybearworld
Scratcher
1000+ posts

Bump, still works
Knightbot63
Scratcher
1000+ posts

'~/ can replicate, that's just so weird for the forums to do that.


My browser / operating system: ChromeOS 14909.100.0, Chrome 104.0.0.0, No Flash version detected
mybearworld
Scratcher
1000+ posts

Bump, still applies
mybearworld
Scratcher
1000+ posts

This doesn't happen with syntax highlighting:
print("~/") # looks normal
Dahipuri
Scratcher
1000+ posts

"~/ '~/ nothing happened

Last edited by Dahipuri (Oct. 8, 2022 10:31:10)

mybearworld
Scratcher
1000+ posts

Purvitekriwal wrote:

(#15)
"~/ '~/ nothing happened
Huh, that's weird. Did you click on the check mark?
RED-001-alt
Scratcher
1000+ posts

bump
Dahipuri
Scratcher
1000+ posts

mybearworld wrote:

Purvitekriwal wrote:

(#15)
"~/ '~/ nothing happened
Huh, that's weird. Did you click on the check mark?
Yes
mybearworld
Scratcher
1000+ posts

That's weird. So it doesn't look like this:
Dahipuri
Scratcher
1000+ posts

mybearworld wrote:

That's weird. So it doesn't look like this:
Not for me. I will try using my other device

Last edited by Dahipuri (Oct. 11, 2022 15:06:31)

Powered by DjangoBB