wasteof.money

Did you know? There are three supported image hosts on wasteof:

but you can actually post images from a 4th host: https://cdn.jsdelivr.net/gh/twitter/[email protected]/assets/72x72/*

it’s the emojis on the site, but you can post them as normal images as well. Here’s an example:

Feb 10, 2024, 2:44 PM

comments

@jeffalo Feb 11, 2024, 11:19 AM

@oren Feb 11, 2024, 12:57 PM

lol

@gamecuber6 Feb 10, 2024, 11:05 PM

i clicked it and it crashed the app (i'm on wasteof for Android)

@oren Feb 11, 2024, 12:58 PM

@micahlt ^

@gamecuber6 Feb 11, 2024, 11:58 PM

how

@oren Feb 11, 2024, 11:59 PM

micahlt makes the android app for wasteof

@gamecuber6 Feb 12, 2024, 12:01 AM

yeah, but for some reason clicking his name in your comment begore this one opens up my browser

@oren Feb 12, 2024, 12:05 AM

It’ll probably come in a future update

@gamecuber6 Feb 12, 2024, 12:00 AM

clicking that user profile link opens my browser (on wasteof for android btw)

@lily Feb 10, 2024, 3:06 PM

oh, i didn’t even realise that. i thought that it would fail (i copied the emojis as rich text accidentally once)

@radi8 Feb 10, 2024, 2:58 PM

i think *.tauon.dev is one too

right @lily?

@lily Feb 10, 2024, 3:04 PM

let me test

@lily Feb 10, 2024, 3:05 PM

nope, it’s not

i think it was going to be, but i couldn’t manage to write a motion jpeg encoder. if i do, i’ll ask jeffalo to add it again.

@oren Feb 10, 2024, 2:54 PM

Sadly, this is not an XSS vector because it’s locked down to the 72×72 path, which only includes PNG images. If someone were to sneak in a malicious SVG into the Twemoji repo, though, you could possibly do it (but that would also hack thousands of other sites at the same time, including Twitter)

@oren Feb 10, 2024, 2:55 PM

I think there’s also some stuff @jeffalo could do to block certain file types, but I’m not sure about that.