Skip to content

Instantly share code, notes, and snippets.

@lcfr-eth
Created April 15, 2025 17:58
Show Gist options
  • Select an option

  • Save lcfr-eth/7dca545c30adfad673904013c7b6f942 to your computer and use it in GitHub Desktop.

Select an option

Save lcfr-eth/7dca545c30adfad673904013c7b6f942 to your computer and use it in GitHub Desktop.
4chan semgrep
┌───────────────────┐
│ 371 Code Findings │
└───────────────────┘
admin-test.php
❯❯❱ php.lang.security.exec-use.exec-use
Executing non-constant commands. This can lead to command injection.
Details: https://sg.run/5Q1j
71┆ exec( $cmd );
❯❯❱ php.lang.security.injection.tainted-sql-string.tainted-sql-string
User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL
strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL
strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate
data from the database. Instead, use prepared statements (`$mysqli->prepare("INSERT INTO test(id,
label) VALUES (?, ?)");`) or a safe library.
Details: https://sg.run/lZYG
382┆ $query = mysql_board_call("SELECT no, host FROM `" . SQLLOG . "` WHERE resto = $no AND
host != '$op_host' GROUP BY host");
❯❱ php.lang.security.unlink-use.unlink-use
Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor
could use this to modify or access files they have no right to.
Details: https://sg.run/rYeR
579┆ unlink(IMG_DIR . "$filename") or print "Couldn't delete!<br>";
⋮┆----------------------------------------
589┆ unlink(THUMB_DIR . "$filename") or print "Couldn't delete!<br>";
⋮┆----------------------------------------
598┆ unlink( RES_DIR . "$filename" ) or print "Couldn't delete!<br>";
⋮┆----------------------------------------
662┆ unlink( $filename ) or print "Couldn't delete!<br>";
❯❯❱ php.lang.security.exec-use.exec-use
Executing non-constant commands. This can lead to command injection.
Details: https://sg.run/5Q1j
668┆ exec( "find $phptmp/ -mtime +2h -name php*", $tmpfiles );
⋮┆----------------------------------------
669┆ exec( "find -E " . INDEX_DIR . " -regex '.*/(gz)?tmp.*$' -mtime +2h", $indextmp );
⋮┆----------------------------------------
670┆ exec( "find -E " . RES_DIR . " -regex '.*/(gz)?tmp.*$' -mtime +2h", $restmp );
❯❱ php.lang.security.unlink-use.unlink-use
Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor
could use this to modify or access files they have no right to.
Details: https://sg.run/rYeR
680┆ unlink( $filename ) or print "Couldn't delete!<br>";
⋮┆----------------------------------------
1352┆ unlink($dest);
❯❯❱ php.lang.security.injection.tainted-sql-string.tainted-sql-string
User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL
strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL
strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate
data from the database. Instead, use prepared statements (`$mysqli->prepare("INSERT INTO test(id,
label) VALUES (?, ?)");`) or a safe library.
Details: https://sg.run/lZYG
1565┆ $query = "UPDATE reports SET cleared = 1, cleared_by = '%s' WHERE board = '%s' AND no =
$pid";
⋮┆----------------------------------------
1573┆ $query = <<<SQL
1574┆ UPDATE reports_for_posts
1575┆ SET cleared = 1, clearedby = '%s'
1576┆ WHERE board = '%s' AND postid = $pid
1577┆ SQL;
❯❱ php.lang.security.unlink-use.unlink-use
Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor
could use this to modify or access files they have no right to.
Details: https://sg.run/rYeR
1686┆ unlink( $delfile ); //delete
⋮┆----------------------------------------
1687┆ unlink( THUMB_DIR . $tim . 's.jpg' ); //delete
⋮┆----------------------------------------
1704┆ unlink( $delfile ); //Delete
⋮┆----------------------------------------
1705┆ unlink( THUMB_DIR . $tim . 's.jpg' ); //Delete
❯❯❱ php.lang.security.injection.tainted-sql-string.tainted-sql-string
User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL
strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL
strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate
data from the database. Instead, use prepared statements (`$mysqli->prepare("INSERT INTO test(id,
label) VALUES (?, ?)");`) or a safe library.
Details: https://sg.run/lZYG
1715┆ mysql_global_do( "INSERT INTO " . SQLLOGDEL . "
(imgonly,postno,resto,board,name,sub,com,img,filename,admin,admin_ip)
values('$imgonly','$no',$resto,'" . SQLLOG .
"','$adname','$sub','$com','$adfsize','$filename$ext','$auser', '" .
mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . "')" ); // FIXME do all this in one
insert outside the write lock
⋮┆----------------------------------------
1777┆ if( !$result = mysql_board_call( "(SELECT child.*,parent.root proot from `" . SQLLOG . "`
child LEFT OUTER JOIN `" . SQLLOG . "` parent ON child.resto=parent.no) UNION (SELECT
*,root proot from `" . SQLLOG . "` parent WHERE resto=0) ORDER BY proot DESC, no ASC LIMIT
" . $from . ", " . $max_results ) ) {
⋮┆----------------------------------------
1782┆ if( !$result = mysql_board_call( "select * FROM `" . SQLLOG . $resq . " order BY no DESC
LIMIT " . $from . ", " . $max_results ) ) {
❯❯❱ php.lang.security.deserialization.extract-user-data
Do not call 'extract()' on user-controllable data. If you must, then you must also provide the
EXTR_SKIP flag to prevent overwriting existing variables.
Details: https://sg.run/6bv1
1791┆ extract( $row, EXTR_OVERWRITE );
❯❱ php.lang.security.unlink-use.unlink-use
Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor
could use this to modify or access files they have no right to.
Details: https://sg.run/rYeR
2100┆ @unlink( $file );
❯❯❱ generic.secrets.security.detected-generic-secret.detected-generic-secret
Generic Secret detected
Details: https://sg.run/l2o5
2667┆ $secret =
'BusEFdduVhgVKIMAx1ndhvzrgMyA5uCcfRnvIKq4+0X2vL8elzf6wHZCpWS9fsTsNG/XdlwiIBV68hzlGm6sGQ=='
;
❯❯❱ php.lang.security.injection.tainted-sql-string.tainted-sql-string
User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL
strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL
strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate
data from the database. Instead, use prepared statements (`$mysqli->prepare("INSERT INTO test(id,
label) VALUES (?, ?)");`) or a safe library.
Details: https://sg.run/lZYG
2968┆ if( !$result = mysql_board_call( "UPDATE `" . SQLLOG . "` SET root=root,com=CONCAT(com,'
<br><br><strong style=\"color: red;\">($samessage)</strong>') WHERE no=%d", $postid ) ) {
⋮┆----------------------------------------
3004┆ mysql_global_do( "insert into blacklist
(field,contents,description,addedby,ban,banlength,banreason)" .
3005┆ "values ('md5','%s','%s','%s','$blban','$len','%s')",
⋮┆----------------------------------------
3862┆ if( !$result = mysql_board_call( "SELECT `host`, `no` FROM `%s` WHERE (no=%d OR
resto=%d)$where", SQLLOG, $thread, $thread ) ) {
⋮┆----------------------------------------
4090┆ $html = <<<HTML
4091┆ <form action="" method="post">$csrf_tag
4092┆ <table border="0" cellspacing="0" cellpadding="0" class="bantable">
4093┆ <tr>
4094┆ <td class="postblock">Autocomplete</td>
4095┆ <td colspan="2">
4096┆ <input type="text" name="autocomplete" placeholder="Start typing..."
id="autocomplete" size="40"$autofocus_html autocomplete="off" style="width: 100%;">
4097┆ </td>
4098┆ </tr>
4099┆
[hid 72 additional lines, adjust with --max-lines-per-finding]
admin.php
❯❯❱ php.lang.security.exec-use.exec-use
Executing non-constant commands. This can lead to command injection.
Details: https://sg.run/5Q1j
71┆ exec( $cmd );
❯❯❱ php.lang.security.injection.tainted-sql-string.tainted-sql-string
User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL
strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL
strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate
data from the database. Instead, use prepared statements (`$mysqli->prepare("INSERT INTO test(id,
label) VALUES (?, ?)");`) or a safe library.
Details: https://sg.run/lZYG
382┆ $query = mysql_board_call("SELECT no, host FROM `" . SQLLOG . "` WHERE resto = $no AND
host != '$op_host' GROUP BY host");
❯❱ php.lang.security.unlink-use.unlink-use
Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor
could use this to modify or access files they have no right to.
Details: https://sg.run/rYeR
579┆ unlink(IMG_DIR . "$filename") or print "Couldn't delete!<br>";
⋮┆----------------------------------------
589┆ unlink(THUMB_DIR . "$filename") or print "Couldn't delete!<br>";
⋮┆----------------------------------------
598┆ unlink( RES_DIR . "$filename" ) or print "Couldn't delete!<br>";
⋮┆----------------------------------------
662┆ unlink( $filename ) or print "Couldn't delete!<br>";
❯❯❱ php.lang.security.exec-use.exec-use
Executing non-constant commands. This can lead to command injection.
Details: https://sg.run/5Q1j
668┆ exec( "find $phptmp/ -mtime +2h -name php*", $tmpfiles );
⋮┆----------------------------------------
669┆ exec( "find -E " . INDEX_DIR . " -regex '.*/(gz)?tmp.*$' -mtime +2h", $indextmp );
⋮┆----------------------------------------
670┆ exec( "find -E " . RES_DIR . " -regex '.*/(gz)?tmp.*$' -mtime +2h", $restmp );
❯❱ php.lang.security.unlink-use.unlink-use
Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor
could use this to modify or access files they have no right to.
Details: https://sg.run/rYeR
680┆ unlink( $filename ) or print "Couldn't delete!<br>";
⋮┆----------------------------------------
1352┆ unlink($dest);
❯❯❱ php.lang.security.injection.tainted-sql-string.tainted-sql-string
User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL
strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL
strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate
data from the database. Instead, use prepared statements (`$mysqli->prepare("INSERT INTO test(id,
label) VALUES (?, ?)");`) or a safe library.
Details: https://sg.run/lZYG
1565┆ $query = "UPDATE reports SET cleared = 1, cleared_by = '%s' WHERE board = '%s' AND no =
$pid";
⋮┆----------------------------------------
1573┆ $query = <<<SQL
1574┆ UPDATE reports_for_posts
1575┆ SET cleared = 1, clearedby = '%s'
1576┆ WHERE board = '%s' AND postid = $pid
1577┆ SQL;
❯❱ php.lang.security.unlink-use.unlink-use
Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor
could use this to modify or access files they have no right to.
Details: https://sg.run/rYeR
1686┆ unlink( $delfile ); //delete
⋮┆----------------------------------------
1687┆ unlink( THUMB_DIR . $tim . 's.jpg' ); //delete
⋮┆----------------------------------------
1704┆ unlink( $delfile ); //Delete
⋮┆----------------------------------------
1705┆ unlink( THUMB_DIR . $tim . 's.jpg' ); //Delete
❯❯❱ php.lang.security.injection.tainted-sql-string.tainted-sql-string
User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL
strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL
strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate
data from the database. Instead, use prepared statements (`$mysqli->prepare("INSERT INTO test(id,
label) VALUES (?, ?)");`) or a safe library.
Details: https://sg.run/lZYG
1715┆ mysql_global_do( "INSERT INTO " . SQLLOGDEL . "
(imgonly,postno,resto,board,name,sub,com,img,filename,admin,admin_ip)
values('$imgonly','$no',$resto,'" . SQLLOG .
"','$adname','$sub','$com','$adfsize','$filename$ext','$auser', '" .
mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . "')" ); // FIXME do all this in one
insert outside the write lock
⋮┆----------------------------------------
1777┆ if( !$result = mysql_board_call( "(SELECT child.*,parent.root proot from `" . SQLLOG . "`
child LEFT OUTER JOIN `" . SQLLOG . "` parent ON child.resto=parent.no) UNION (SELECT
*,root proot from `" . SQLLOG . "` parent WHERE resto=0) ORDER BY proot DESC, no ASC LIMIT
" . $from . ", " . $max_results ) ) {
⋮┆----------------------------------------
1782┆ if( !$result = mysql_board_call( "select * FROM `" . SQLLOG . $resq . " order BY no DESC
LIMIT " . $from . ", " . $max_results ) ) {
❯❯❱ php.lang.security.deserialization.extract-user-data
Do not call 'extract()' on user-controllable data. If you must, then you must also provide the
EXTR_SKIP flag to prevent overwriting existing variables.
Details: https://sg.run/6bv1
1791┆ extract( $row, EXTR_OVERWRITE );
❯❱ php.lang.security.unlink-use.unlink-use
Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor
could use this to modify or access files they have no right to.
Details: https://sg.run/rYeR
2100┆ @unlink( $file );
❯❯❱ generic.secrets.security.detected-generic-secret.detected-generic-secret
Generic Secret detected
Details: https://sg.run/l2o5
2614┆ $secret =
'BusEFdduVhgVKIMAx1ndhvzrgMyA5uCcfRnvIKq4+0X2vL8elzf6wHZCpWS9fsTsNG/XdlwiIBV68hzlGm6sGQ=='
;
❯❯❱ php.lang.security.injection.tainted-sql-string.tainted-sql-string
User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL
strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL
strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate
data from the database. Instead, use prepared statements (`$mysqli->prepare("INSERT INTO test(id,
label) VALUES (?, ?)");`) or a safe library.
Details: https://sg.run/lZYG
2915┆ if( !$result = mysql_board_call( "UPDATE `" . SQLLOG . "` SET root=root,com=CONCAT(com,'
<br><br><strong style=\"color: red;\">($samessage)</strong>') WHERE no=%d", $postid ) ) {
⋮┆----------------------------------------
2951┆ mysql_global_do( "insert into blacklist
(field,contents,description,addedby,ban,banlength,banreason)" .
2952┆ "values ('md5','%s','%s','%s','$blban','$len','%s')",
⋮┆----------------------------------------
3803┆ if( !$result = mysql_board_call( "SELECT `host`, `no` FROM `%s` WHERE (no=%d OR
resto=%d)$where", SQLLOG, $thread, $thread ) ) {
⋮┆----------------------------------------
4031┆ $html = <<<HTML
4032┆ <form action="" method="post">$csrf_tag
4033┆ <table border="0" cellspacing="0" cellpadding="0" class="bantable">
4034┆ <tr>
4035┆ <td class="postblock">Autocomplete</td>
4036┆ <td colspan="2">
4037┆ <input type="text" name="autocomplete" placeholder="Start typing..."
id="autocomplete" size="40"$autofocus_html autocomplete="off" style="width: 100%;">
4038┆ </td>
4039┆ </tr>
4040┆
[hid 72 additional lines, adjust with --max-lines-per-finding]
derefer.php
❯❱ php.lang.security.injection.tainted-url-host.tainted-url-host
User data flows into the host portion of this manually-constructed URL. This could allow an attacker
to send data to their own server, potentially exposing sensitive data such as cookies or
authorization information sent with this request. They could also probe internal servers or other
resources that the server running this code can access. (This is called server-side request forgery,
or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode
the correct host.
Details: https://sg.run/Y8no
21┆ $url = 'http://' . $url;
forms/ban.php
❯❱ php.lang.security.unserialize-use.unserialize-use
Calling `unserialize()` with user input in the pattern can lead to arbitrary code execution.
Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).
Details: https://sg.run/b24E
192┆ $post = unserialize($row['spost']);
imgboard-test.php
❯❱ php.lang.security.unlink-use.unlink-use
Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor
could use this to modify or access files they have no right to.
Details: https://sg.run/rYeR
334┆ unlink( $u );
⋮┆----------------------------------------
341┆ unlink($src);
⋮┆----------------------------------------
2643┆ @unlink($delfile); // delete image
⋮┆----------------------------------------
2651┆ @unlink( $delfile ); // delete image
⋮┆----------------------------------------
2652┆ @unlink( $delthumb ); // delete thumb
⋮┆----------------------------------------
2655┆ unlink(IMG_DIR . $delrow['tim'] . '.tgkr');
⋮┆----------------------------------------
2663┆ @unlink(IMG_DIR . $delrow['tim'] . 'm.jpg'); // delete mobile
⋮┆----------------------------------------
2698┆ @unlink( RES_DIR . $delrow['no'] . PHP_EXT . '.gz' );
⋮┆----------------------------------------
2699┆ @unlink( RES_DIR . $delrow['no'] . '.json.gz' );
⋮┆----------------------------------------
2702┆ @unlink( RES_DIR . $delrow['no'] . PHP_EXT );
⋮┆----------------------------------------
2703┆ @unlink( RES_DIR . $delrow['no'] . '.json' );
⋮┆----------------------------------------
3765┆ @unlink( $dest );
⋮┆----------------------------------------
3766┆ @unlink( $upfile );
❯❯❱ php.lang.security.md5-loose-equality.md5-loose-equality
Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling
issues
Details: https://sg.run/Do4G
5634┆ $ma = ( $capcode == 'admin_highlight') ? 'admin' : $capcode;
⋮┆----------------------------------------
5637┆ if( DISP_ID == 1 && $ma != 'None' ) {
⋮┆----------------------------------------
5641┆ if( $ma != 'None' && STRIP_EXIF_ON_CAPCODE && $ext == ".jpg" ) {
⋮┆----------------------------------------
5760┆ if (!$capcode || $capcode == 'none') {
⋮┆----------------------------------------
5837┆ if( $namearr[0] != S_ANONAME )
❯❯❱ php.lang.security.injection.tainted-sql-string.tainted-sql-string
User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL
strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL
strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate
data from the database. Instead, use prepared statements (`$mysqli->prepare("INSERT INTO test(id,
label) VALUES (?, ?)");`) or a safe library.
Details: https://sg.run/lZYG
6542┆ $query = "insert into `" . SQLLOG . "` (now,name,sub,com,host,pwd,email,filename,ext,w,h,
tn_w,tn_h,tim,time,last_modified,md5,fsize,root,resto$flag_cols,tmd5,id,country$board_flag_
col) values (" .
6543┆ "'" . $now . "'," .
6544┆ "'" . mysql_real_escape_string( $name ) . "'," .
6545┆ mysql_nullify( mysql_real_escape_string( $sub ) ) . "," .
6546┆ "'" . mysql_real_escape_string( $com ) . "'," .
6547┆ "'" . mysql_real_escape_string( $host ) . "'," .
6548┆ "'" . mysql_real_escape_string( $pass ) . "'," .
6549┆ "'" . mysql_real_escape_string($user_meta) . "'," .
6550┆ "'" . mysql_real_escape_string( $insfile ) . "'," .
6551┆ mysql_nullify( $ext ) . "," .
[hid 15 additional lines, adjust with --max-lines-per-finding]
❯❱ php.lang.security.unlink-use.unlink-use
Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor
could use this to modify or access files they have no right to.
Details: https://sg.run/rYeR
7165┆ if( !file_exists( $pdfjpeg ) ) unlink( $fname );
⋮┆----------------------------------------
7172┆ unlink($fname);
⋮┆----------------------------------------
7302┆ unlink($pdfjpeg);
⋮┆----------------------------------------
7306┆ unlink($webm_thumb);
⋮┆----------------------------------------
8664┆ unlink($file_path);
⋮┆----------------------------------------
9002┆ return unlink($fname);
imgboard.php
❯❱ php.lang.security.unlink-use.unlink-use
Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor
could use this to modify or access files they have no right to.
Details: https://sg.run/rYeR
334┆ unlink( $u );
⋮┆----------------------------------------
341┆ unlink($src);
⋮┆----------------------------------------
2627┆ @unlink($delfile); // delete image
⋮┆----------------------------------------
2635┆ @unlink( $delfile ); // delete image
⋮┆----------------------------------------
2636┆ @unlink( $delthumb ); // delete thumb
⋮┆----------------------------------------
2639┆ unlink(IMG_DIR . $delrow['tim'] . '.tgkr');
⋮┆----------------------------------------
2647┆ @unlink(IMG_DIR . $delrow['tim'] . 'm.jpg'); // delete mobile
⋮┆----------------------------------------
2682┆ @unlink( RES_DIR . $delrow['no'] . PHP_EXT . '.gz' );
⋮┆----------------------------------------
2683┆ @unlink( RES_DIR . $delrow['no'] . '.json.gz' );
⋮┆----------------------------------------
2686┆ @unlink( RES_DIR . $delrow['no'] . PHP_EXT );
⋮┆----------------------------------------
2687┆ @unlink( RES_DIR . $delrow['no'] . '.json' );
⋮┆----------------------------------------
3749┆ @unlink( $dest );
⋮┆----------------------------------------
3750┆ @unlink( $upfile );
❯❯❱ php.lang.security.md5-loose-equality.md5-loose-equality
Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling
issues
Details: https://sg.run/Do4G
5618┆ $ma = ( $capcode == 'admin_highlight') ? 'admin' : $capcode;
⋮┆----------------------------------------
5621┆ if( DISP_ID == 1 && $ma != 'None' ) {
⋮┆----------------------------------------
5625┆ if( $ma != 'None' && STRIP_EXIF_ON_CAPCODE && $ext == ".jpg" ) {
⋮┆----------------------------------------
5737┆ if (!$capcode || $capcode == 'none') {
⋮┆----------------------------------------
5814┆ if( $namearr[0] != S_ANONAME )
❯❯❱ php.lang.security.injection.tainted-sql-string.tainted-sql-string
User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL
strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL
strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate
data from the database. Instead, use prepared statements (`$mysqli->prepare("INSERT INTO test(id,
label) VALUES (?, ?)");`) or a safe library.
Details: https://sg.run/lZYG
6525┆ $query = "insert into `" . SQLLOG . "` (now,name,sub,com,host,pwd,email,filename,ext,w,h,
tn_w,tn_h,tim,time,last_modified,md5,fsize,root,resto$flag_cols,tmd5,id,country$board_flag_
col) values (" .
6526┆ "'" . $now . "'," .
6527┆ "'" . mysql_real_escape_string( $name ) . "'," .
6528┆ mysql_nullify( mysql_real_escape_string( $sub ) ) . "," .
6529┆ "'" . mysql_real_escape_string( $com ) . "'," .
6530┆ "'" . mysql_real_escape_string( $host ) . "'," .
6531┆ "'" . mysql_real_escape_string( $pass ) . "'," .
6532┆ "'" . mysql_real_escape_string($user_meta) . "'," .
6533┆ "'" . mysql_real_escape_string( $insfile ) . "'," .
6534┆ mysql_nullify( $ext ) . "," .
[hid 15 additional lines, adjust with --max-lines-per-finding]
❯❱ php.lang.security.unlink-use.unlink-use
Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor
could use this to modify or access files they have no right to.
Details: https://sg.run/rYeR
7134┆ if( !file_exists( $pdfjpeg ) ) unlink( $fname );
⋮┆----------------------------------------
7141┆ unlink($fname);
⋮┆----------------------------------------
7271┆ unlink($pdfjpeg);
⋮┆----------------------------------------
7275┆ unlink($webm_thumb);
⋮┆----------------------------------------
8633┆ unlink($file_path);
⋮┆----------------------------------------
8971┆ return unlink($fname);
imgtop/banned_dev.js
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
181┆ container.innerHTML =
182┆ '<div class="postInfo desktop" id="pi' + data.no + '">' +
183┆ '<input type="checkbox" name="' + data.no + '" value="delete"> ' +
184┆ '<span class="subject">' + subject + '</span> ' +
185┆ '<span class="nameBlock' + capcodeClass + '">' + emailStart +
186┆ '<span class="name">' + name + '</span>' +
187┆ tripcode + capcodeStart + emailEnd + capcode + userId + flag +
188┆ ' </span> ' +
189┆ '<span class="dateTime" data-utc="' + data.time + '">' + data.now + '</span> ' +
190┆ '<span class="postNum desktop">' +
[hid 6 additional lines, adjust with --max-lines-per-finding]
js/catalog-test.js
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
322┆ el.innerHTML = '<a href="#bottom">&#9660;</a>'
323┆ + '<a href="javascript:void(0);" id="settingsWindowLinkClassic">Settings</a>'
324┆ + '<a href="//www.' + $L.d(catalog.slug) + '" target="_top">Home</a></div>';
⋮┆----------------------------------------
860┆ td.innerHTML = '<span class="button clickbox" style="background:'
861┆ + options.filterColors[i][j] + '"></span>';
⋮┆----------------------------------------
1342┆ $.id('fhc-' + j.id.slice(7))
1343┆ .innerHTML = activeFilters[i] ? 'x' + activeFilters[i].hits : '';
⋮┆----------------------------------------
1487┆ style.innerHTML = customTheme.css;
⋮┆----------------------------------------
2138┆ $threads.innerHTML = formatImageThreads(threads);
⋮┆----------------------------------------
2141┆ $threads.innerHTML = formatTextThreads(threads);
⋮┆----------------------------------------
2258┆ el.innerHTML = tip;
⋮┆----------------------------------------
2379┆ this.entities.innerHTML
2380┆ = post.com.replace(/<br>/g, '\n').replace(/[<[^>]+>/g, '');
⋮┆----------------------------------------
2669┆ ThreadWatcher.listNode.innerHTML = html;
⋮┆----------------------------------------
3016┆ dummy.innerHTML = posts[i].com;
⋮┆----------------------------------------
3433┆ el.innerHTML = FC.panelHTML[id];
⋮┆----------------------------------------
3575┆ div.innerHTML = html + '</ul>';
js/catalog.js
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
322┆ el.innerHTML = '<a href="#bottom">&#9660;</a>'
323┆ + '<a href="javascript:void(0);" id="settingsWindowLinkClassic">Settings</a>'
324┆ + '<a href="//www.' + $L.d(catalog.slug) + '" target="_top">Home</a></div>';
⋮┆----------------------------------------
860┆ td.innerHTML = '<span class="button clickbox" style="background:'
861┆ + options.filterColors[i][j] + '"></span>';
⋮┆----------------------------------------
1342┆ $.id('fhc-' + j.id.slice(7))
1343┆ .innerHTML = activeFilters[i] ? 'x' + activeFilters[i].hits : '';
⋮┆----------------------------------------
1487┆ style.innerHTML = customTheme.css;
⋮┆----------------------------------------
2138┆ $threads.innerHTML = formatImageThreads(threads);
⋮┆----------------------------------------
2141┆ $threads.innerHTML = formatTextThreads(threads);
⋮┆----------------------------------------
2258┆ el.innerHTML = tip;
⋮┆----------------------------------------
2379┆ this.entities.innerHTML
2380┆ = post.com.replace(/<br>/g, '\n').replace(/[<[^>]+>/g, '');
⋮┆----------------------------------------
2669┆ ThreadWatcher.listNode.innerHTML = html;
⋮┆----------------------------------------
3016┆ dummy.innerHTML = posts[i].com;
⋮┆----------------------------------------
3433┆ el.innerHTML = FC.panelHTML[id];
⋮┆----------------------------------------
3575┆ div.innerHTML = html + '</ul>';
js/core-test.js
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
547┆ TCaptcha.msgNode.innerHTML = `<div>${txt}</div>`;
⋮┆----------------------------------------
733┆ el.innerHTML = data;
⋮┆----------------------------------------
890┆ cnt.innerHTML = '<img alt="4chan" src="//s.4cdn.org/image/title/'
891┆ + cnt.getAttribute('data-src') + '">';
⋮┆----------------------------------------
934┆ el.innerHTML = html;
⋮┆----------------------------------------
1260┆ cnt.innerHTML = `<div class="adg-rects desktop"><div class="adg adp-90" data-
abc="${fb.t_abc_d}"></div></div>`;
⋮┆----------------------------------------
1264┆ cnt.innerHTML = `<div class="adg-rects mobile"><div class="adg-m adp-250" data-
abc="${fb.t_abc_m}"></div></div>`;
⋮┆----------------------------------------
1281┆ cnt.innerHTML = `<div class="adg-rects mobile"><div class="adg-m adp-250" data-
abc="${fb.b_abc_m}"></div></div>`;
⋮┆----------------------------------------
1498┆ document.write('<script type="text/javascript" src="https://s.4cdn.org/js/' + path + '.'
+ jsVersion + '.js"></script>');
❯❱ javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag
Cannot determine what 'path' is and it is used with a '<script>' tag. This could be susceptible to
cross-site scripting (XSS). Ensure 'path' is not externally controlled, or sanitize this data.
Details: https://sg.run/1Zy1
1498┆ document.write('<script type="text/javascript" src="https://s.4cdn.org/js/' + path + '.'
+ jsVersion + '.js"></script>');
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
1572┆ el.children[1].innerHTML = '<div style="padding: 5px;">' + msg + '</div>';
⋮┆----------------------------------------
1842┆ el.innerHTML = msg;
⋮┆----------------------------------------
1883┆ css.innerHTML = '<meta http-equiv="refresh" content="0;URL=' + url + '">';
❯❱ javascript.browser.security.raw-html-concat.raw-html-concat
User controlled data in a HTML string may result in XSS
Details: https://sg.run/4xAx
1883┆ css.innerHTML = '<meta http-equiv="refresh" content="0;URL=' + url + '">';
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
1890┆ css.innerHTML = '<meta http-equiv="refresh" content="0;URL=' + url + '">';
❯❱ javascript.browser.security.raw-html-concat.raw-html-concat
User controlled data in a HTML string may result in XSS
Details: https://sg.run/4xAx
1890┆ css.innerHTML = '<meta http-equiv="refresh" content="0;URL=' + url + '">';
js/core.js
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
563┆ TCaptcha.msgNode.innerHTML = `<div>${txt}</div>`;
⋮┆----------------------------------------
751┆ el.innerHTML = data;
⋮┆----------------------------------------
908┆ cnt.innerHTML = '<img alt="4chan" src="//s.4cdn.org/image/title/'
909┆ + cnt.getAttribute('data-src') + '">';
⋮┆----------------------------------------
952┆ el.innerHTML = html;
⋮┆----------------------------------------
1278┆ cnt.innerHTML = `<div class="adg-rects desktop"><div class="adg adp-90" data-
abc="${fb.t_abc_d}"></div></div>`;
⋮┆----------------------------------------
1282┆ cnt.innerHTML = `<div class="adg-rects mobile"><div class="adg-m adp-250" data-
abc="${fb.t_abc_m}"></div></div>`;
⋮┆----------------------------------------
1299┆ cnt.innerHTML = `<div class="adg-rects mobile"><div class="adg-m adp-250" data-
abc="${fb.b_abc_m}"></div></div>`;
⋮┆----------------------------------------
1516┆ document.write('<script type="text/javascript" src="https://s.4cdn.org/js/' + path + '.'
+ jsVersion + '.js"></script>');
❯❱ javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag
Cannot determine what 'path' is and it is used with a '<script>' tag. This could be susceptible to
cross-site scripting (XSS). Ensure 'path' is not externally controlled, or sanitize this data.
Details: https://sg.run/1Zy1
1516┆ document.write('<script type="text/javascript" src="https://s.4cdn.org/js/' + path + '.'
+ jsVersion + '.js"></script>');
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
1590┆ el.children[1].innerHTML = '<div style="padding: 5px;">' + msg + '</div>';
⋮┆----------------------------------------
1860┆ el.innerHTML = msg;
⋮┆----------------------------------------
1901┆ css.innerHTML = '<meta http-equiv="refresh" content="0;URL=' + url + '">';
❯❱ javascript.browser.security.raw-html-concat.raw-html-concat
User controlled data in a HTML string may result in XSS
Details: https://sg.run/4xAx
1901┆ css.innerHTML = '<meta http-equiv="refresh" content="0;URL=' + url + '">';
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
1908┆ css.innerHTML = '<meta http-equiv="refresh" content="0;URL=' + url + '">';
❯❱ javascript.browser.security.raw-html-concat.raw-html-concat
User controlled data in a HTML string may result in XSS
Details: https://sg.run/4xAx
1908┆ css.innerHTML = '<meta http-equiv="refresh" content="0;URL=' + url + '">';
js/extension-test-sync2.js
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
531┆ container.innerHTML =
532┆ (isOP ? '' : '<div class="sideArrows" id="sa' + data.no + '">&gt;&gt;</div>') +
533┆ '<div id="p' + data.no + '" class="post ' + postType + highlight + '">' +
534┆ '<div class="postInfoM mobile" id="pim' + data.no + '">' +
535┆ '<span class="nameBlock' + capcodeClass + '">' +
536┆ '<span class="name">' + name + '</span>' + tripcode +
537┆ capcodeStart + capcode + userId + flag +
538┆ '<br>' + subject +
539┆ '</span><span class="dateTime postNum" data-utc="' + data.time + '">' +
540┆ data.now + ' <a href="' + data.no + '#p' + data.no + '" title="Link to this
post">No.</a>' +
[hid 23 additional lines, adjust with --max-lines-per-finding]
653┆ el.innerHTML = '<img alt="H" class="extButton threadHideButton"'
654┆ + 'data-cmd="hide" data-id="' + tid + '" src="'
655┆ + Main.icons.minus + '" title="Hide thread">';
⋮┆----------------------------------------
813┆ el.innerHTML = prettyPrintOne(el.innerHTML);
⋮┆----------------------------------------
910┆ filename.firstElementChild.innerHTML = txt;
⋮┆----------------------------------------
989┆ bl.innerHTML = '<a href="' + href + '" class="quotelink">&gt;&gt;' + pid + '</a> ';
⋮┆----------------------------------------
992┆ bl.innerHTML = '<a href="' + href + '" class="quotelink">&gt;&gt;' + pid
993┆ + '</a><a href="' + href + '" class="quoteLink"> #</a> ';
⋮┆----------------------------------------
1031┆ el.innerHTML = oRep + oImg
1032┆ + ' omitted. <a href="thread/'
1033┆ + tid + '" class="replylink">Click here</a> to view.';
⋮┆----------------------------------------
1398┆ div.innerHTML = html + '</ul>';
⋮┆----------------------------------------
2820┆ cnt.innerHTML =
2821┆ '<div id="qrHeader" class="drag postblock">Reply to Thread No.<span id="qrTid">'
2822┆ + tid + '</span><img alt="X" src="' + Main.icons.cross + '" id="qrClose" '
2823┆ + 'class="extButton" title="Close Window"></div>';
⋮┆----------------------------------------
2827┆ form.innerHTML =
2828┆ '<input type="hidden" value="'
2829┆ + $.byName('MAX_FILE_SIZE')[0].value + '" name="MAX_FILE_SIZE">'
2830┆ + '<input type="hidden" value="regist" name="mode">'
2831┆ + '<input id="qrResto" type="hidden" value="' + tid + '" name="resto">';
⋮┆----------------------------------------
2881┆ row.innerHTML = fields[i].children[1].innerHTML;
⋮┆----------------------------------------
2937┆ spoiler.innerHTML = '<label>[<input type="checkbox" tabindex="'
2938┆ + (el.tabIndex + 20) + '" value="on" name="spoiler">Spoiler?]</label>';
⋮┆----------------------------------------
3099┆ el.innerHTML = '<div class="placeholder">'
3100┆ + el.getAttribute('data-placeholder') + '</div>';
⋮┆----------------------------------------
3114┆ row.innerHTML = '<img id="qrCaptcha" title="Reload" width="300" height="57" src="'
3115┆ + $.id('recaptcha_challenge_image').src + '" alt="reCAPTCHA challenge image">'
3116┆ + (window.preupload_captcha ? '<input id="qrCapToken" type="hidden"
name="captcha_token" disabled>' : '')
3117┆ + '<input id="qrCapField" tabindex="25" name="recaptcha_response_field" '
3118┆ + 'placeholder="Type the text (Required)" '
3119┆ + 'type="text" autocomplete="off" autocorrect="off" autocapitalize="off"
spellcheck="false">'
3120┆ + '<input id="qrChallenge" name="recaptcha_challenge_field" type="hidden" value="'
3121┆ + $.id('recaptcha_challenge_field').value + '">';
⋮┆----------------------------------------
3222┆ qrError.innerHTML = msg;
⋮┆----------------------------------------
3893┆ cnt.innerHTML = '<div class="drag" id="twHeader">'
3894┆ + (Main.hasMobileLayout ? ('<img id="twClose" class="pointer" src="'
3895┆ + Main.icons.cross + '" alt="X">') : '')
3896┆ + 'Thread Watcher'
3897┆ + (UA.hasCORS ? ('<img id="twPrune" class="pointer right" src="'
3898┆ + Main.icons.refresh + '" alt="R" title="Refresh"></div>') : '</div>');
⋮┆----------------------------------------
4004┆ ThreadWatcher.listNode.innerHTML = html;
⋮┆----------------------------------------
4324┆ msg.innerHTML = $.cls('postMessage', post)[0].innerHTML;
⋮┆----------------------------------------
4370┆ msg.innerHTML = expmsg.textContent;
⋮┆----------------------------------------
4381┆ msg.innerHTML = expmsg.textContent;
⋮┆----------------------------------------
4443┆ msg.innerHTML = posts[0].com + '<br><br>';
⋮┆----------------------------------------
4447┆ msg.innerHTML = posts[0].com;
⋮┆----------------------------------------
5115┆ this.statusNode.innerHTML
5116┆ = this.statusNodeBot.innerHTML
5117┆ = '<span class="tu-error">' + msg + '</span>';
⋮┆----------------------------------------
5210┆ this.nodeTop.innerHTML = this.nodeBot.innerHTML
5211┆ = stats.join(' / ');
⋮┆----------------------------------------
5356┆ this.entities.innerHTML
5357┆ = msg.innerHTML.replace(/<br>/g, '\n').replace(/[<[^>]+>/g, '');
⋮┆----------------------------------------
5413┆ el.innerHTML = '[<a data-filtered="1" href="thread/' + tid + '">View</a>]';
⋮┆----------------------------------------
5554┆ cnt.innerHTML = '\
5555┆ <div class="extPanel reply"><div class="panelHeader">Filters &amp; Highlights Help\
5556┆ <span><img alt="Close" title="Close" class="pointer" data-cmd="filters-help-close"
src="'
5557┆ + Main.icons.cross + '"></span></div>\
5558┆ <h4>Tripcode, Name and ID filters:</h4>\
5559┆ <ul><li>Those use simple string comparison.</li>\
5560┆ <li>Type them exactly as they appear on 4chan, including the exclamation mark for
tripcode filters.</li>\
5561┆ <li>Example: <code>!Ep8pui8Vw2</code></li></ul>\
5562┆ <h4>Comment, Subject and E-mail filters:</h4>\
5563┆ <ul><li><strong>Matching whole words:</strong></li>\
[hid 20 additional lines, adjust with --max-lines-per-finding]
5610┆ cnt.innerHTML = '\
5611┆ <div class="extPanel reply"><div class="panelHeader">Filters &amp; Highlights\
5612┆ <span><img alt="Help" class="pointer" title="Help" data-cmd="filters-help-open" src="'
5613┆ + Main.icons.help
5614┆ + '"><img alt="Close" title="Close" class="pointer" data-cmd="filters-close" src="'
5615┆ + Main.icons.cross + '"></span></div>\
5616┆ <table><thead><tr>\
5617┆ <th>Order</th>\
5618┆ <th>On</th>\
5619┆ <th>Pattern</th>\
[hid 9 additional lines, adjust with --max-lines-per-finding]
5795┆ tr.innerHTML = html;
⋮┆----------------------------------------
5834┆ cnt.innerHTML = html;
⋮┆----------------------------------------
6015┆ el.innerHTML = '[<a href="' + src.href + '">Embed</a>]';
⋮┆----------------------------------------
6168┆ msg.innerHTML = msg.innerHTML.replace(this.matchSC, this.replaceSoundCloud);
⋮┆----------------------------------------
6195┆ el.innerHTML = JSON.parse(this.responseText).html;
⋮┆----------------------------------------
6210┆ msg.innerHTML = msg.innerHTML.replace(this.matchYT, this.replaceYouTube);
⋮┆----------------------------------------
6281┆ el.innerHTML = '<iframe src="//www.youtube.com/embed/'
6282┆ + vid
6283┆ + '" width="640" height="360" frameborder="0"></iframe>'
⋮┆----------------------------------------
6296┆ msg.innerHTML = msg.innerHTML.replace(this.matchVocaroo, this.replaceVocaroo);
⋮┆----------------------------------------
6319┆ el.innerHTML = '<embed width="220" height="140" class="media-embed" '
6320┆ + 'src="//vocaroo.com/mediafoo.swf?playMediaID=' + vid + '&autoplay=0">';
⋮┆----------------------------------------
6367┆ cnt.innerHTML = '\
6368┆ <div class="extPanel reply"><div class="panelHeader">Custom CSS\
6369┆ <span><img alt="Close" title="Close" class="pointer" data-cmd="css-close" src="'
6370┆ + Main.icons.cross + '"></span></div>\
6371┆ <textarea id="customCSSBox"></textarea>\
6372┆ <div class="center"><button data-cmd="css-save">Save CSS</button></div>\
6373┆ </td></tr></tfoot></table></div>';
⋮┆----------------------------------------
6506┆ cnt.innerHTML = '\
6507┆ <div class="extPanel reply"><div class="panelHeader">Keyboard Shortcuts\
6508┆ <span><img data-cmd="keybinds-close" class="pointer" alt="Close" title="Close" src="'
6509┆ + Main.icons.cross + '"></span></div>\
6510┆ <ul>\
6511┆ <li><strong>Global</strong></li>\
6512┆ <li><kbd>A</kbd> &mdash; Toggle auto-updater</li>\
6513┆ <li><kbd>Q</kbd> &mdash; Open Quick Reply</li>\
6514┆ <li><kbd>R</kbd> &mdash; Update thread</li>\
6515┆ <li><kbd>W</kbd> &mdash; Watch/Unwatch thread</li>\
[hid 11 additional lines, adjust with --max-lines-per-finding]
6686┆ cnt.innerHTML = '\
6687┆ <div class="extPanel reply"><div class="panelHeader">Custom Board List\
6688┆ <span><img alt="Close" title="Close" class="pointer" data-close="1" src="'
6689┆ + Main.icons.cross + '"></a></span></div>\
6690┆ <input placeholder="Example: jp tg mu" id="customMenuBox" type="text" value="">\
6691┆ <div class="center"><button data-save="1">Save</button></div></div>';
⋮┆----------------------------------------
7159┆ cnt.innerHTML = html;
⋮┆----------------------------------------
7183┆ cnt.innerHTML = '\
7184┆ <div class="extPanel reply"><div class="panelHeader">Export Settings\
7185┆ <span><img data-cmd="export-close" class="pointer" alt="Close" title="Close" src="'
7186┆ + Main.icons.cross + '"></span></div>\
7187┆ <p class="center">Copy and save the URL below, and visit it from another \
7188┆ browser or computer to restore your extension and catalog settings.</p>\
7189┆ <p class="center">\
7190┆ <input class="export-field" type="text" readonly="readonly" value="' + str + '"></p>\
7191┆ <p style="margin-top:15px" class="center">Alternatively, you can drag the link below into
your \
7192┆ bookmarks bar and click it to restore.</p>\
[hid 2 additional lines, adjust with --max-lines-per-finding]
❯❱ javascript.browser.security.raw-html-concat.raw-html-concat
User controlled data in a HTML string may result in XSS
Details: https://sg.run/4xAx
7183┆ cnt.innerHTML = '\
7184┆ <div class="extPanel reply"><div class="panelHeader">Export Settings\
7185┆ <span><img data-cmd="export-close" class="pointer" alt="Close" title="Close" src="'
7186┆ + Main.icons.cross + '"></span></div>\
7187┆ <p class="center">Copy and save the URL below, and visit it from another \
7188┆ browser or computer to restore your extension and catalog settings.</p>\
7189┆ <p class="center">\
7190┆ <input class="export-field" type="text" readonly="readonly" value="' + str + '"></p>\
7191┆ <p style="margin-top:15px" class="center">Alternatively, you can drag the link below into
your \
7192┆ bookmarks bar and click it to restore.</p>\
[hid 2 additional lines, adjust with --max-lines-per-finding]
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
7285┆ el.innerHTML = message || 'Change your settings';
⋮┆----------------------------------------
7720┆ hdr.innerHTML = '<img class="pointer" src="'
7721┆ + Main.icons.up + '" data-cmd="totop" alt="▲" title="Top">'
7722┆ + '<img class="pointer" src="' + Main.icons.down
7723┆ + '" data-cmd="tobottom" alt="▼" title="Bottom">';
js/extension-test.js
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
862┆ container.innerHTML =
863┆ (isOP ? '' : '<div class="sideArrows" id="sa' + data.no + '">&gt;&gt;</div>') +
864┆ '<div id="p' + data.no + '" class="post ' + postType + highlight + '">' +
865┆ '<div class="postInfoM mobile" id="pim' + data.no + '">' +
866┆ '<span class="nameBlock' + capcodeClass + '">' + boardTag +
867┆ mName + tripcode +
868┆ capcodeStart + capcode + userId + flag +
869┆ '<br>' + subject +
870┆ '</span><span class="dateTime postNum" data-utc="' + data.time + '">' +
871┆ data.now + ' <a href="' + noLink + '" title="Link to this post">No.</a><a href="' +
[hid 26 additional lines, adjust with --max-lines-per-finding]
985┆ el.innerHTML = '<img alt="H" class="extButton threadHideButton"'
986┆ + 'data-cmd="hide" data-id="' + tid + '" src="'
987┆ + Main.icons.minus + '" title="Hide thread">';
⋮┆----------------------------------------
1154┆ el.innerHTML = window.prettyPrintOne(el.innerHTML);
⋮┆----------------------------------------
1181┆ filename.firstElementChild.innerHTML = txt;
⋮┆----------------------------------------
1304┆ el.innerHTML = ' <a href="#" data-pid="' + pid + '" data-tid="'
1305┆ + tid + '" data-tip="Open in Tegaki" data-cmd="qr-painter-edit">Edit</a>';
⋮┆----------------------------------------
1367┆ bl.innerHTML = '<a href="' + href + '" class="quotelink">&gt;&gt;' + pid + '</a> ';
⋮┆----------------------------------------
1370┆ bl.innerHTML = '<a href="' + href + '" class="quotelink">&gt;&gt;' + pid
1371┆ + '</a><a href="' + href + '" class="quoteLink"> #</a> ';
⋮┆----------------------------------------
1411┆ el.innerHTML = oRep + oImg
1412┆ + ' omitted. <a href="thread/'
1413┆ + tid + '" class="replylink">Click here</a> to view.';
⋮┆----------------------------------------
1702┆ div.innerHTML = html + '</ul>';
⋮┆----------------------------------------
2087┆ cnt.innerHTML = '<div id="js-sf-status" class="js-sf-' + cls + '">' + msg + '</div>';
⋮┆----------------------------------------
3438┆ fileEl.innerHTML = el.getAttribute('title') || el.innerHTML;
⋮┆----------------------------------------
3674┆ el.innerHTML = '\
3675┆ <div class="extPanel reply"><div class="panelHeader"><span class="tex-
logo">T<sub>e</sub>X</span> Preview\
3676┆ <span class="panelCtrl"><img alt="Close" title="Close" class="pointer" data-cmd="close-
tex-preview" src="'
3677┆ + Main.icons.cross + '"></span></div><div id="tex-protip">Use [math][/math] tags for
inline, and [eqn][/eqn] tags for block equations.</div><textarea id="input-tex-
preview"></textarea>\
3678┆ <div id="output-tex-preview"></div></div>';
⋮┆----------------------------------------
4091┆ cnt.innerHTML =
4092┆ '<div id="qrHeader" class="drag postblock">'
4093┆ + (window.math_tags ? '<a data-cmd="open-tex-preview" class="desktop pointer left tex-
logo" '
4094┆ + 'data-tip="Preview TeX equations">T<sub>e</sub>X</a>' : '')
4095┆ + 'Reply to Thread No.<span id="qrTid">'
4096┆ + tid + '</span><img alt="X" src="' + Main.icons.cross + '" id="qrClose" '
4097┆ + 'class="extButton" title="Close Window"></div>';
⋮┆----------------------------------------
4102┆ form.innerHTML =
4103┆ (
4104┆ (mfs = $.byName('MAX_FILE_SIZE')[0])
4105┆ ? ('<input type="hidden" value="' + mfs.value + '" name="MAX_FILE_SIZE">')
4106┆ : ''
4107┆ )
4108┆ + '<input type="hidden" value="regist" name="mode">'
4109┆ + '<input id="qrResto" type="hidden" value="' + tid + '" name="resto">';
⋮┆----------------------------------------
4143┆ row.innerHTML = fields[i].children[1].innerHTML;
⋮┆----------------------------------------
4151┆ row.innerHTML = fields[i].children[1].innerHTML;
⋮┆----------------------------------------
4481┆ qrError.innerHTML = msg;
⋮┆----------------------------------------
5279┆ cnt.innerHTML = '<div class="drag" id="twHeader">'
5280┆ + (Main.hasMobileLayout ? ('<img id="twClose" class="pointer" src="'
5281┆ + Main.icons.cross + '" alt="X">') : '')
5282┆ + 'Thread Watcher'
5283┆ + (UA.hasCORS ? ('<img id="twPrune" class="pointer right" src="'
5284┆ + Main.icons.refresh + '" alt="R" title="Refresh"></div>') : '</div>');
⋮┆----------------------------------------
5418┆ ThreadWatcher.listNode.innerHTML = html;
⋮┆----------------------------------------
5834┆ dummy.innerHTML = posts[i].com;
⋮┆----------------------------------------
5919┆ msg.innerHTML = $.cls('postMessage', post)[0].innerHTML;
⋮┆----------------------------------------
5965┆ msg.innerHTML = expmsg.textContent;
⋮┆----------------------------------------
5976┆ msg.innerHTML = expmsg.textContent;
⋮┆----------------------------------------
6043┆ msg.innerHTML = posts[0].com + '<br><br>';
⋮┆----------------------------------------
6047┆ msg.innerHTML = posts[0].com;
⋮┆----------------------------------------
6702┆ this.statusNode.innerHTML
6703┆ = this.statusNodeBot.innerHTML
6704┆ = '<span class="tu-error">' + msg + '</span>';
⋮┆----------------------------------------
6812┆ this.nodeTop.innerHTML = this.nodeBot.innerHTML
6813┆ = stats.join(' / ');
⋮┆----------------------------------------
6953┆ this.entities.innerHTML
6954┆ = post.com.replace(/<br>/g, '\n').replace(/[<[^>]+>/g, '');
⋮┆----------------------------------------
7023┆ this.entities.innerHTML
7024┆ = msg.innerHTML.replace(/<br>/g, '\n').replace(/[<[^>]+>/g, '');
⋮┆----------------------------------------
7085┆ el.innerHTML = '[<a data-cmd="unfilter" data-filtered="1" href="thread/'
7086┆ + tid + '">View</a>]';
⋮┆----------------------------------------
7238┆ cnt.innerHTML = '\
7239┆ <div class="extPanel reply"><div class="panelHeader">Filters &amp; Highlights Help\
7240┆ <span class="panelCtrl"><img alt="Close" title="Close" class="pointer" data-cmd="filters-
help-close" src="'
7241┆ + Main.icons.cross + '"></span></div>\
7242┆ <h4>Tripcode, Name and ID filters:</h4>\
7243┆ <ul><li>Those use simple string comparison.</li>\
7244┆ <li>Type them exactly as they appear on 4chan, including the exclamation mark for
tripcode filters.</li>\
7245┆ <li>Example: <code>!Ep8pui8Vw2</code></li></ul>\
7246┆ <h4>Comment, Subject and E-mail filters:</h4>\
7247┆ <ul><li><strong>Matching whole words:</strong></li>\
[hid 22 additional lines, adjust with --max-lines-per-finding]
7296┆ cnt.innerHTML = '\
7297┆ <div class="extPanel reply"><div class="panelHeader">Filters &amp; Highlights\
7298┆ <span class="panelCtrl"><img alt="Help" class="pointer" title="Help" data-cmd="filters-
help-open" src="'
7299┆ + Main.icons.help
7300┆ + '"><img alt="Close" title="Close" class="pointer" data-cmd="filters-close" src="'
7301┆ + Main.icons.cross + '"></span></div>\
7302┆ <table><thead><tr>\
7303┆ <th></th>\
7304┆ <th>On</th>\
7305┆ <th>Pattern</th>\
[hid 10 additional lines, adjust with --max-lines-per-finding]
7489┆ tr.innerHTML = html;
⋮┆----------------------------------------
7528┆ cnt.innerHTML = html;
⋮┆----------------------------------------
7709┆ el.innerHTML = '[<a href="' + src.href + '">Embed</a>]';
⋮┆----------------------------------------
7869┆ el.innerHTML = el.innerHTML
7870┆ .replace(/<wbr>/g, '\u200b')
7871┆ .replace(this.linkRe, this.funk)
7872┆ .replace(/\u200b/g, '<wbr>');
⋮┆----------------------------------------
7936┆ msg.innerHTML = msg.innerHTML.replace(this.matchSC, this.replaceSoundCloud);
⋮┆----------------------------------------
7977┆ el.innerHTML = JSON.parse(this.responseText).html;
⋮┆----------------------------------------
7992┆ msg.innerHTML = msg.innerHTML.replace(this.matchYT, this.replaceYouTube);
⋮┆----------------------------------------
8083┆ el.innerHTML = '<iframe src="//www.youtube.com/embed/'
8084┆ + vid
8085┆ + '" width="640" height="360" frameborder="0" allowfullscreen></iframe>';
⋮┆----------------------------------------
8172┆ cnt.innerHTML = '\
8173┆ <div class="extPanel reply"><div class="panelHeader">Custom CSS\
8174┆ <span class="panelCtrl"><img alt="Close" title="Close" class="pointer" data-cmd="css-
close" src="'
8175┆ + Main.icons.cross + '"></span></div>\
8176┆ <textarea id="customCSSBox"></textarea>\
8177┆ <div class="center"><button data-cmd="css-save">Save CSS</button></div>\
8178┆ </td></tr></tfoot></table></div>';
⋮┆----------------------------------------
8315┆ cnt.innerHTML = '\
8316┆ <div class="extPanel reply"><div class="panelHeader">Keyboard Shortcuts\
8317┆ <span class="panelCtrl"><img data-cmd="keybinds-close" class="pointer" alt="Close"
title="Close" src="'
8318┆ + Main.icons.cross + '"></span></div>\
8319┆ <ul>\
8320┆ <li><strong>Global</strong></li>\
8321┆ <li><kbd>A</kbd> &mdash; Toggle auto-updater</li>\
8322┆ <li><kbd>Q</kbd> &mdash; Open Quick Reply</li>\
8323┆ <li><kbd>R</kbd> &mdash; Update thread</li>\
8324┆ <li><kbd>W</kbd> &mdash; Watch/Unwatch thread</li>\
[hid 11 additional lines, adjust with --max-lines-per-finding]
8615┆ cnt.innerHTML = '\
8616┆ <div class="extPanel reply"><div class="panelHeader">Custom Board List\
8617┆ <span class="panelCtrl"><img alt="Close" title="Close" class="pointer" data-close="1"
src="'
8618┆ + Main.icons.cross + '"></span></div>\
8619┆ <input placeholder="Example: jp tg mu" id="customMenuBox" type="text" value="">\
8620┆ <div class="center"><button data-save="1">Save</button></div></div>';
⋮┆----------------------------------------
9130┆ cnt.innerHTML = html;
⋮┆----------------------------------------
9154┆ cnt.innerHTML = '\
9155┆ <div class="extPanel reply"><div class="panelHeader">Export Settings\
9156┆ <span class="panelCtrl"><img data-cmd="export-close" class="pointer" alt="Close"
title="Close" src="'
9157┆ + Main.icons.cross + '"></span></div>\
9158┆ <p class="center">Copy and save the URL below, and visit it from another \
9159┆ browser or computer to restore your extension and catalog settings.</p>\
9160┆ <p class="center">\
9161┆ <input class="export-field" type="text" readonly="readonly" value="' + str + '"></p>\
9162┆ <p style="margin-top:15px" class="center">Alternatively, you can drag the link below into
your \
9163┆ bookmarks bar and click it to restore.</p>\
[hid 2 additional lines, adjust with --max-lines-per-finding]
❯❱ javascript.browser.security.raw-html-concat.raw-html-concat
User controlled data in a HTML string may result in XSS
Details: https://sg.run/4xAx
9154┆ cnt.innerHTML = '\
9155┆ <div class="extPanel reply"><div class="panelHeader">Export Settings\
9156┆ <span class="panelCtrl"><img data-cmd="export-close" class="pointer" alt="Close"
title="Close" src="'
9157┆ + Main.icons.cross + '"></span></div>\
9158┆ <p class="center">Copy and save the URL below, and visit it from another \
9159┆ browser or computer to restore your extension and catalog settings.</p>\
9160┆ <p class="center">\
9161┆ <input class="export-field" type="text" readonly="readonly" value="' + str + '"></p>\
9162┆ <p style="margin-top:15px" class="center">Alternatively, you can drag the link below into
your \
9163┆ bookmarks bar and click it to restore.</p>\
[hid 2 additional lines, adjust with --max-lines-per-finding]
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
9255┆ el.innerHTML = '<span class="feedback-' + type + '">' + msg + '</span>';
⋮┆----------------------------------------
9311┆ el.innerHTML = message || 'Change your settings';
⋮┆----------------------------------------
9386┆ el.innerHTML = '<a href="#bottom">&#9660;</a>'
9387┆ + '<a href="javascript:void(0);" id="settingsWindowLinkClassic">Settings</a>'
9388┆ + '<a href="//www.' + $L.d(Main.board) + '" target="_top">Home</a></div>';
⋮┆----------------------------------------
9821┆ hdr.innerHTML = '<img class="pointer" src="'
9822┆ + Main.icons.up + '" data-cmd="totop" alt="▲" title="Top">'
9823┆ + '<img class="pointer" src="' + Main.icons.down
9824┆ + '" data-cmd="tobottom" alt="▼" title="Bottom">';
js/extension.js
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
862┆ container.innerHTML =
863┆ (isOP ? '' : '<div class="sideArrows" id="sa' + data.no + '">&gt;&gt;</div>') +
864┆ '<div id="p' + data.no + '" class="post ' + postType + highlight + '">' +
865┆ '<div class="postInfoM mobile" id="pim' + data.no + '">' +
866┆ '<span class="nameBlock' + capcodeClass + '">' + boardTag +
867┆ mName + tripcode +
868┆ capcodeStart + capcode + userId + flag +
869┆ '<br>' + subject +
870┆ '</span><span class="dateTime postNum" data-utc="' + data.time + '">' +
871┆ data.now + ' <a href="' + noLink + '" title="Link to this post">No.</a><a href="' +
[hid 26 additional lines, adjust with --max-lines-per-finding]
985┆ el.innerHTML = '<img alt="H" class="extButton threadHideButton"'
986┆ + 'data-cmd="hide" data-id="' + tid + '" src="'
987┆ + Main.icons.minus + '" title="Hide thread">';
⋮┆----------------------------------------
1154┆ el.innerHTML = window.prettyPrintOne(el.innerHTML);
⋮┆----------------------------------------
1181┆ filename.firstElementChild.innerHTML = txt;
⋮┆----------------------------------------
1304┆ el.innerHTML = ' <a href="#" data-pid="' + pid + '" data-tid="'
1305┆ + tid + '" data-tip="Open in Tegaki" data-cmd="qr-painter-edit">Edit</a>';
⋮┆----------------------------------------
1367┆ bl.innerHTML = '<a href="' + href + '" class="quotelink">&gt;&gt;' + pid + '</a> ';
⋮┆----------------------------------------
1370┆ bl.innerHTML = '<a href="' + href + '" class="quotelink">&gt;&gt;' + pid
1371┆ + '</a><a href="' + href + '" class="quoteLink"> #</a> ';
⋮┆----------------------------------------
1411┆ el.innerHTML = oRep + oImg
1412┆ + ' omitted. <a href="thread/'
1413┆ + tid + '" class="replylink">Click here</a> to view.';
⋮┆----------------------------------------
1702┆ div.innerHTML = html + '</ul>';
⋮┆----------------------------------------
2087┆ cnt.innerHTML = '<div id="js-sf-status" class="js-sf-' + cls + '">' + msg + '</div>';
⋮┆----------------------------------------
3438┆ fileEl.innerHTML = el.getAttribute('title') || el.innerHTML;
⋮┆----------------------------------------
3674┆ el.innerHTML = '\
3675┆ <div class="extPanel reply"><div class="panelHeader"><span class="tex-
logo">T<sub>e</sub>X</span> Preview\
3676┆ <span class="panelCtrl"><img alt="Close" title="Close" class="pointer" data-cmd="close-
tex-preview" src="'
3677┆ + Main.icons.cross + '"></span></div><div id="tex-protip">Use [math][/math] tags for
inline, and [eqn][/eqn] tags for block equations.</div><textarea id="input-tex-
preview"></textarea>\
3678┆ <div id="output-tex-preview"></div></div>';
⋮┆----------------------------------------
4091┆ cnt.innerHTML =
4092┆ '<div id="qrHeader" class="drag postblock">'
4093┆ + (window.math_tags ? '<a data-cmd="open-tex-preview" class="desktop pointer left tex-
logo" '
4094┆ + 'data-tip="Preview TeX equations">T<sub>e</sub>X</a>' : '')
4095┆ + 'Reply to Thread No.<span id="qrTid">'
4096┆ + tid + '</span><img alt="X" src="' + Main.icons.cross + '" id="qrClose" '
4097┆ + 'class="extButton" title="Close Window"></div>';
⋮┆----------------------------------------
4102┆ form.innerHTML =
4103┆ (
4104┆ (mfs = $.byName('MAX_FILE_SIZE')[0])
4105┆ ? ('<input type="hidden" value="' + mfs.value + '" name="MAX_FILE_SIZE">')
4106┆ : ''
4107┆ )
4108┆ + '<input type="hidden" value="regist" name="mode">'
4109┆ + '<input id="qrResto" type="hidden" value="' + tid + '" name="resto">';
⋮┆----------------------------------------
4143┆ row.innerHTML = fields[i].children[1].innerHTML;
⋮┆----------------------------------------
4151┆ row.innerHTML = fields[i].children[1].innerHTML;
⋮┆----------------------------------------
4481┆ qrError.innerHTML = msg;
⋮┆----------------------------------------
5279┆ cnt.innerHTML = '<div class="drag" id="twHeader">'
5280┆ + (Main.hasMobileLayout ? ('<img id="twClose" class="pointer" src="'
5281┆ + Main.icons.cross + '" alt="X">') : '')
5282┆ + 'Thread Watcher'
5283┆ + (UA.hasCORS ? ('<img id="twPrune" class="pointer right" src="'
5284┆ + Main.icons.refresh + '" alt="R" title="Refresh"></div>') : '</div>');
⋮┆----------------------------------------
5418┆ ThreadWatcher.listNode.innerHTML = html;
⋮┆----------------------------------------
5834┆ dummy.innerHTML = posts[i].com;
⋮┆----------------------------------------
5919┆ msg.innerHTML = $.cls('postMessage', post)[0].innerHTML;
⋮┆----------------------------------------
5965┆ msg.innerHTML = expmsg.textContent;
⋮┆----------------------------------------
5976┆ msg.innerHTML = expmsg.textContent;
⋮┆----------------------------------------
6043┆ msg.innerHTML = posts[0].com + '<br><br>';
⋮┆----------------------------------------
6047┆ msg.innerHTML = posts[0].com;
⋮┆----------------------------------------
6702┆ this.statusNode.innerHTML
6703┆ = this.statusNodeBot.innerHTML
6704┆ = '<span class="tu-error">' + msg + '</span>';
⋮┆----------------------------------------
6812┆ this.nodeTop.innerHTML = this.nodeBot.innerHTML
6813┆ = stats.join(' / ');
⋮┆----------------------------------------
6953┆ this.entities.innerHTML
6954┆ = post.com.replace(/<br>/g, '\n').replace(/[<[^>]+>/g, '');
⋮┆----------------------------------------
7023┆ this.entities.innerHTML
7024┆ = msg.innerHTML.replace(/<br>/g, '\n').replace(/[<[^>]+>/g, '');
⋮┆----------------------------------------
7085┆ el.innerHTML = '[<a data-cmd="unfilter" data-filtered="1" href="thread/'
7086┆ + tid + '">View</a>]';
⋮┆----------------------------------------
7238┆ cnt.innerHTML = '\
7239┆ <div class="extPanel reply"><div class="panelHeader">Filters &amp; Highlights Help\
7240┆ <span class="panelCtrl"><img alt="Close" title="Close" class="pointer" data-cmd="filters-
help-close" src="'
7241┆ + Main.icons.cross + '"></span></div>\
7242┆ <h4>Tripcode, Name and ID filters:</h4>\
7243┆ <ul><li>Those use simple string comparison.</li>\
7244┆ <li>Type them exactly as they appear on 4chan, including the exclamation mark for
tripcode filters.</li>\
7245┆ <li>Example: <code>!Ep8pui8Vw2</code></li></ul>\
7246┆ <h4>Comment, Subject and E-mail filters:</h4>\
7247┆ <ul><li><strong>Matching whole words:</strong></li>\
[hid 22 additional lines, adjust with --max-lines-per-finding]
7296┆ cnt.innerHTML = '\
7297┆ <div class="extPanel reply"><div class="panelHeader">Filters &amp; Highlights\
7298┆ <span class="panelCtrl"><img alt="Help" class="pointer" title="Help" data-cmd="filters-
help-open" src="'
7299┆ + Main.icons.help
7300┆ + '"><img alt="Close" title="Close" class="pointer" data-cmd="filters-close" src="'
7301┆ + Main.icons.cross + '"></span></div>\
7302┆ <table><thead><tr>\
7303┆ <th></th>\
7304┆ <th>On</th>\
7305┆ <th>Pattern</th>\
[hid 10 additional lines, adjust with --max-lines-per-finding]
7489┆ tr.innerHTML = html;
⋮┆----------------------------------------
7528┆ cnt.innerHTML = html;
⋮┆----------------------------------------
7709┆ el.innerHTML = '[<a href="' + src.href + '">Embed</a>]';
⋮┆----------------------------------------
7869┆ el.innerHTML = el.innerHTML
7870┆ .replace(/<wbr>/g, '\u200b')
7871┆ .replace(this.linkRe, this.funk)
7872┆ .replace(/\u200b/g, '<wbr>');
⋮┆----------------------------------------
7936┆ msg.innerHTML = msg.innerHTML.replace(this.matchSC, this.replaceSoundCloud);
⋮┆----------------------------------------
7977┆ el.innerHTML = JSON.parse(this.responseText).html;
⋮┆----------------------------------------
7992┆ msg.innerHTML = msg.innerHTML.replace(this.matchYT, this.replaceYouTube);
⋮┆----------------------------------------
8083┆ el.innerHTML = '<iframe src="//www.youtube.com/embed/'
8084┆ + vid
8085┆ + '" width="640" height="360" frameborder="0" allowfullscreen></iframe>';
⋮┆----------------------------------------
8172┆ cnt.innerHTML = '\
8173┆ <div class="extPanel reply"><div class="panelHeader">Custom CSS\
8174┆ <span class="panelCtrl"><img alt="Close" title="Close" class="pointer" data-cmd="css-
close" src="'
8175┆ + Main.icons.cross + '"></span></div>\
8176┆ <textarea id="customCSSBox"></textarea>\
8177┆ <div class="center"><button data-cmd="css-save">Save CSS</button></div>\
8178┆ </td></tr></tfoot></table></div>';
⋮┆----------------------------------------
8315┆ cnt.innerHTML = '\
8316┆ <div class="extPanel reply"><div class="panelHeader">Keyboard Shortcuts\
8317┆ <span class="panelCtrl"><img data-cmd="keybinds-close" class="pointer" alt="Close"
title="Close" src="'
8318┆ + Main.icons.cross + '"></span></div>\
8319┆ <ul>\
8320┆ <li><strong>Global</strong></li>\
8321┆ <li><kbd>A</kbd> &mdash; Toggle auto-updater</li>\
8322┆ <li><kbd>Q</kbd> &mdash; Open Quick Reply</li>\
8323┆ <li><kbd>R</kbd> &mdash; Update thread</li>\
8324┆ <li><kbd>W</kbd> &mdash; Watch/Unwatch thread</li>\
[hid 11 additional lines, adjust with --max-lines-per-finding]
8615┆ cnt.innerHTML = '\
8616┆ <div class="extPanel reply"><div class="panelHeader">Custom Board List\
8617┆ <span class="panelCtrl"><img alt="Close" title="Close" class="pointer" data-close="1"
src="'
8618┆ + Main.icons.cross + '"></span></div>\
8619┆ <input placeholder="Example: jp tg mu" id="customMenuBox" type="text" value="">\
8620┆ <div class="center"><button data-save="1">Save</button></div></div>';
⋮┆----------------------------------------
9130┆ cnt.innerHTML = html;
⋮┆----------------------------------------
9154┆ cnt.innerHTML = '\
9155┆ <div class="extPanel reply"><div class="panelHeader">Export Settings\
9156┆ <span class="panelCtrl"><img data-cmd="export-close" class="pointer" alt="Close"
title="Close" src="'
9157┆ + Main.icons.cross + '"></span></div>\
9158┆ <p class="center">Copy and save the URL below, and visit it from another \
9159┆ browser or computer to restore your extension and catalog settings.</p>\
9160┆ <p class="center">\
9161┆ <input class="export-field" type="text" readonly="readonly" value="' + str + '"></p>\
9162┆ <p style="margin-top:15px" class="center">Alternatively, you can drag the link below into
your \
9163┆ bookmarks bar and click it to restore.</p>\
[hid 2 additional lines, adjust with --max-lines-per-finding]
❯❱ javascript.browser.security.raw-html-concat.raw-html-concat
User controlled data in a HTML string may result in XSS
Details: https://sg.run/4xAx
9154┆ cnt.innerHTML = '\
9155┆ <div class="extPanel reply"><div class="panelHeader">Export Settings\
9156┆ <span class="panelCtrl"><img data-cmd="export-close" class="pointer" alt="Close"
title="Close" src="'
9157┆ + Main.icons.cross + '"></span></div>\
9158┆ <p class="center">Copy and save the URL below, and visit it from another \
9159┆ browser or computer to restore your extension and catalog settings.</p>\
9160┆ <p class="center">\
9161┆ <input class="export-field" type="text" readonly="readonly" value="' + str + '"></p>\
9162┆ <p style="margin-top:15px" class="center">Alternatively, you can drag the link below into
your \
9163┆ bookmarks bar and click it to restore.</p>\
[hid 2 additional lines, adjust with --max-lines-per-finding]
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
9255┆ el.innerHTML = '<span class="feedback-' + type + '">' + msg + '</span>';
⋮┆----------------------------------------
9311┆ el.innerHTML = message || 'Change your settings';
⋮┆----------------------------------------
9386┆ el.innerHTML = '<a href="#bottom">&#9660;</a>'
9387┆ + '<a href="javascript:void(0);" id="settingsWindowLinkClassic">Settings</a>'
9388┆ + '<a href="//www.' + $L.d(Main.board) + '" target="_top">Home</a></div>';
⋮┆----------------------------------------
9821┆ hdr.innerHTML = '<img class="pointer" src="'
9822┆ + Main.icons.up + '" data-cmd="totop" alt="▲" title="Top">'
9823┆ + '<img class="pointer" src="' + Main.icons.down
9824┆ + '" data-cmd="tobottom" alt="▼" title="Bottom">';
js/janitor-unminified.js
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
66┆ cnt.innerHTML = html;
⋮┆----------------------------------------
251┆ cnt.innerHTML = html;
⋮┆----------------------------------------
369┆ this.banReqCnt.innerHTML =
370┆ '<div id="banReqHeader" class="drag postblock">Ban Request No.' + id
371┆ + '<img alt="X" src="' + Main.icons.cross + '" id="banReqClose" '
372┆ + 'class="extButton" title="Close Window"></div>'
373┆ + '<iframe src="https://sys.' + $L.d(Main.board) + '/'
374┆ + Main.board + '/admin?mode=admin&admin=banreq&id=' + id
375┆ + '&noheader=true" width="400" height="230" frameborder="0"></iframe>';
⋮┆----------------------------------------
611┆ cnt.innerHTML = html;
⋮┆----------------------------------------
772┆ cnt.innerHTML = '\
773┆ <div class="extPanel reply"><div class="panelHeader">Boards\
774┆ <span class="panelCtrl"><img alt="Close" title="Close" class="pointer" data-
cmd="boardlist-close" src="'
775┆ + Main.icons.cross + '"></a></span></div>\
776┆ <input placeholder="Example: jp tg mu or all" id="boardListBox" type="text" value="'
777┆ + (localStorage.getItem('4chan-boardlist') || '') + '">\
778┆ <div class="center"><button id="boardListSave" data-cmd="boardlist-
save">Save</button></div>\
779┆ </td></tr></tfoot></table></div>';
⋮┆----------------------------------------
909┆ el.innerHTML = message || 'Change your settings';
js/janitor.js
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
1┆ !function(){var e={cacheTTL:6e4,autoRefreshDelay:12e4,autoRefreshTimeout:null};e.initVisibi
lityAPI=function(){this.hidden="hidden",this.visibilitychange="visibilitychange","undefined
"==typeof document.hidden&&("mozHidden"in document?(this.hidden="mozHidden",this.visibility
change="mozvisibilitychange"):"webkitHidden"in document?(this.hidden="webkitHidden",this.vi
sibilitychange="webkitvisibilitychange"):"msHidden"in document&&(this.hidden="msHidden",thi
s.visibilitychange="msvisibilitychange")),document.addEventListener(this.visibilitychange,t
his.onVisibilityChange,!1)},e.init=function(){var
n,o;e.initVisibilityAPI(),(n=document.createElement("div")).className="extPanel
reply",n.id="adminToolbox",n.setAttribute("data-trackpos","AT-position"),Config["AT-
position"]?n.style.cssText=Config["AT-position"]:(n.style.right="10px",n.style.top="380px")
,n.style.position=Config.fixedAdminToolbox?"fixed":"",o='<div class="drag"
id="atHeader">Janitor Tools<img alt="Refresh" title="Refresh" src="'+Main.icons.refresh+'"
id="atRefresh" data-cmd="at-refresh" class="pointer right"></div><h4><a
href="https://'+t.reportsSubDomain+'.4chan.org/" target="_blank">Reports</a>: <span
title="Total" id="at-total">?</span> (<span title="Illegal" id="at-
illegal">?</span>)</h4><h4 id="at-msg-cnt"><a data-cmd="at-msg"
href="https://'+t.reportsSubDomain+'.4chan.org/?action=staffmessages"
target="_blank">Messages</a>: <span id="at-msg">?</span></h4>',n.innerHTML=o,document.body.
appendChild(n),e.refreshReportCount(),Draggable.set($.id("atHeader"))},e.onVisibilityChange
=function(){var t;t=e,document[e.hidden]?(clearInterval(t.autoRefreshTimeout),t.autoRefresh
Timeout=null):(t.refreshReportCount(),t.autoRefreshTimeout=setInterval(t.refreshReportCount
,t.autoRefreshDelay))},e.refreshReportCount=function(n){var
o,i;if(!0!==n&&(i=localStorage.getItem("4chan-cache-
rc"))&&(i=JSON.parse(i)).ts>Date.now()-e.cacheTTL)return $.id("at-
total").textContent=i.data[0],$.id("at-illegal").textContent=i.data[1],$.id("at-msg-
cnt").style.display=i.data[2]?"block":"",void($.id("at-
msg").textContent=i.data[2]||0);(o=new XMLHttpRequest).open("GET","https://"+t.reportsSubDo
main+".4chan.org/H429f6uIsUqU.php",!0),o.withCredentials=!0,o.onload=function(){var
e,t,n,o;if(200==this.status){try{t=JSON.parse(this.responseText)}catch(i){return void
console.log(i)}if("success"!==t.status)return void
console.log(t.message);o=(n=t.data).msg||0,$.id("at-msg-
cnt").style.display=o?"block":"",$.id("at-msg").textContent=o,$.id("at-
total").textContent=n.total,$.id("at-illegal").textContent=n.illegal,e={ts:Date.now(),data:
[n.total,n.illegal,o]},e=JSON.stringify(e),localStorage.setItem("4chan-cache-
rc",e),document.dispatchEvent(new CustomEvent("4chanATUpdated"))}else
this.onerror()},o.onerror=function(){console.log("Error while refreshing the report count
(Status: "+this.status+").")},o.onloadend=function(){$.id("atRefresh").src=Main.icons.refre
sh},$.id("atRefresh").src=Main.icons.rotate,o.send(null)},e.resetMsgCount=function(){var
e;$.id("at-msg").textContent=0,(e=localStorage.getItem("4chan-cache-
rc"))&&((e=JSON.parse(e)).data[2]=0,e=JSON.stringify(e),localStorage.setItem("4chan-cache-
rc",e))};var t={nextChunkIndex:0,nextChunk:null,chunkSize:100,reportsSubDomain:"reports"};t
.initIconsCatalog=function(){var e,t,n;if(Main.icons={up:"arrow_up.png",down:"arrow_down.pn
g",right:"arrow_right.png",download:"arrow_down2.png",refresh:"refresh.png",cross:"cross.pn
g",gis:"gis.png",iqdb:"iqdb.png",minus:"post_expand_minus.png",plus:"post_expand_plus.png",
rotate:"post_expand_rotate.gif",quote:"quote.png",report:"report.png",notwatched:"watch_thr
ead_off.png",watched:"watch_thread_on.png",help:"question.png"},t={yotsuba_new:"futaba/",fu
taba_new:"futaba/",yotsuba_b_new:"burichan/",burichan_new:"burichan/",tomorrow:"tomorrow/",
photon:"photon/"},n="//s.4cdn.org/image/",window.devicePixelRatio>=2)for(e in Main.icons)Ma
in.icons[e]=Main.icons[e].replace(".","@2x.");n+="buttons/"+t[Main.stylesheet];for(e in
Main.icons)Main.icons[e]=n+Main.icons[e]},t.apiUrlFilter=function(e){return
e+"?"+Math.round(Date.now()/1e3/3)},t.openDeletePrompt=function(e){var n,o;n='<div
class="extPanel reply"><div class="panelHeader">Delete Post No.'+(e=e.getAttribute("data-
id"))+'<span class="panelCtrl"><img alt="Close" title="Close" class="pointer" data-
cmd="close-delete-prompt" src="'+Main.icons.cross+'"></a></span></div><span id="delete-
prompt-inner"><input type="button" value="Delete Post" tabindex="-1" data-cmd="delete-post"
data-id="'+e+'"> <input type="button" value="Delete Image Only" data-cmd="delete-image"
data-id="'+e+'">',(o=document.createElement("div")).className="UIPanel",o.id="delete-prompt
",o.innerHTML=n,o.addEventListener("click",t.closeDeletePrompt,!1),document.body.appendChil
d(o),$.id("delete-prompt-
inner").firstElementChild.focus()},t.closeDeletePrompt=function(e){var n;e&&"delete-
prompt"!=e.target.id||(n=$.id("delete-prompt"))&&(n.removeEventListener("click",t.closeDele
tePrompt,!1),document.body.removeChild(n))},t.deletePost=function(e,n){var
o,i,a,s,r,d,l,c;o=e.getAttribute("data-id"),c=$.id("t"+o),a=new FormData,r="https://sys."+$
L.d(Main.board)+"/"+Main.board+"/post",d=window.thread_archived?"arcdel":"usrdel",n&&("Dele
te Image No.",a.append("onlyimgdel","on")),a.append(o,"delete"),a.append("mode",d),a.append
("pwd","janitorise"),(l=$.id("delete-prompt-inner")).textContent="Deleting...",(i=new XMLHt
tpRequest).open("POST",r),i.withCredentials=!0,i.onload=function(){if(e.src=Main.icons.cros
s,200==this.status)if(-
1!=this.responseText.indexOf("Updating")){if(n)(s=$.id("f"+o)).innerHTML='<span
class="fileThumb"><img alt="File deleted." src="//s.4cdn.org/image/filedeleted'+(c?"":"-
res")+'.gif"></span>';else{if(o==Main.tid)return void(location.href="//boards."+$L.d(Main.b
oard)+"/"+Main.board+"/");c?((s=c.parentNode).removeChild(c.nextElementSibling),s.removeChi
ld(c)):(s=$.id("pc"+o)).parentNode.removeChild(s)}t.closeDeletePrompt()}else
l.textContent="Error: Post might have already been deleted, or is a sticky.";else
l.textContent="Error: Wrong status while deleting No."+o+" (Status:
"+this.status+")."},i.onerror=function(){l.textContent="Error: Error while deleting
No."+o+" (Status: "+this.status+")."},i.send(a)},t.openBanReqWindow=function(e){var
t;t=e.getAttribute("data-id"),window.open("https://sys."+$L.d(Main.board)+"/"+Main.board+"/
admin?mode=admin&admin=banreq&id="+t,"_blank","scrollBars=yes,resizable=no,toolbar=no,menub
ar=no,location=no,directories=no,width=400,height=245")},t.openBanReqFrame=function(e){var
n;this.banReqCnt&&this.close(),n=e.getAttribute("data-id"),this.banReqCnt=document.createEl
ement("div"),this.banReqCnt.id="banReq",this.banReqCnt.className="extPanel
reply",this.banReqCnt.setAttribute("data-trackpos","banReq-position"),Config["banReq-
position"]?this.banReqCnt.style.cssText=Config["banReq-position"]:(this.banReqCnt.style.rig
ht="0px",this.banReqCnt.style.top="50px"),this.banReqCnt.innerHTML='<div id="banReqHeader"
class="drag postblock">Ban Request No.'+n+'<img alt="X" src="'+Main.icons.cross+'"
id="banReqClose" class="extButton" title="Close Window"></div><iframe src="https://sys.'+$L
.d(Main.board)+"/"+Main.board+"/admin?mode=admin&admin=banreq&id="+n+'&noheader=true"
width="400" height="230" frameborder="0"></iframe>',document.body.appendChild(this.banReqCn
t),window.addEventListener("message",t.onMessage,!1),document.addEventListener("keydown",t.
onKeyDown,!1),$.id("banReqClose").addEventListener("click",t.closeBanReqFrame,!1),Draggable
.set($.id("banReqHeader"))},t.closeBanReqFrame=function(){window.removeEventListener("messa
ge",t.onMessage,!1),document.removeEventListener("keydown",t.onKeyDown,!1),Draggable.unset(
$.id("banReqHeader")),$.id("banReqClose").removeEventListener("click",t.closeBanReqFrame,!1
),document.body.removeChild(t.banReqCnt),t.banReqCnt=null},t.processMessage=function(e){ret
urn e?{cmd:(e=e.split("-"))[0],type:e[1],id:e.slice(2).join("-
")}:{}},t.onKeyDown=function(e){27!=e.keyCode||e.ctrlKey||e.altKey||e.shiftKey||e.metaKey||
t.closeBanReqFrame()},t.onMessage=function(e){var n;e.origin==="https://sys."+$L.d(Main.boa
rd)&&"ban"===(n=t.processMessage(e.data)).type&&("done"!==n.cmd&&"cancel"!==n.cmd||t.closeB
anReqFrame())},t.onClick=function(n){var
o,i;if((o=n.target)!=document&&(i=o.getAttribute("data-cmd")))switch(i){case"at-
refresh":e.refreshReportCount(!0);break;case"delete-post":case"delete-
image":t.deletePost(o,"delete-image"===i);break;case"open-delete-
prompt":t.openDeletePrompt(o);break;case"close-delete-
prompt":t.closeDeletePrompt();break;case"open-banreq-
prompt":Config.inlinePopups?t.openBanReqFrame(o):t.openBanReqWindow(o);break;case"at-
msg":e.resetMsgCount();break;case"toggle-file-
spoiler":t.setFileSpoiler(o);break;case"prompt-spoiler":confirm("Toggle
spoiler?")&&t.setFileSpoiler(o);break;case"boardlist-
open":t.openBoardList();break;case"boardlist-
close":t.closeBoardList();break;case"boardlist-
save":t.saveBoardList(),t.closeBoardList()}},t.onScroll=function(){for(var e;t.nextChunk.of
fsetTop<document.documentElement.clientHeight+window.scrollY;){if((e=t.nextChunkIndex+t.chu
nkSize)>=t.postCount)return t.parseRange(t.nextChunkIndex,t.postCount),window.removeEventLi
stener("scroll",t.onScroll,!1),!1;t.parseRange(t.nextChunkIndex,e)}return!0},t.parseRange=f
unction(e,n){var o,i,a;for(a=document.getElementById("t"+Main.tid).getElementsByClassName("
postInfo"),o=e;o<n&&(i=a[o]);++o)t.parsePost(i);t.nextChunkIndex=o,t.nextChunk=a[o]},t.onPa
rsingDone=function(e){var n,o,i,a,s;if(Config.useIconButtons)for(e?(o=e.detail.threadId,i=e
.detail.offset,a=e.detail.limit,s=document.getElementById("t"+o).getElementsByClassName("po
stInfo")):(i=0,a=(s=document.getElementsByClassName("postInfo")).length),n=i;n<a;++n)t.pars
ePost(s[n])},t.onPostMenuReady=function(e){var
t,n,o,i;n=e.detail.postId,o=e.detail.node,(t=document.createElement("li")).className="dd-
admin",t.setAttribute("data-cmd","open-delete-prompt"),t.setAttribute("data-id",n),t.textCo
ntent="Delete",o.appendChild(t),window.spoilers&&(t=$.id("fT"+n))&&(i=$.cls("imgspoiler",t.
parentNode)[0]?0:1,(t=document.createElement("li")).className="dd-
admin",t.setAttribute("data-cmd","toggle-file-spoiler"),t.setAttribute("data-
id",n),t.setAttribute("data-flag",i),t.textContent=(i?"Set":"Unset")+" Spoiler",o.appendChi
ld(t)),window.thread_archived||((t=document.createElement("li")).className="dd-
admin",t.setAttribute("data-cmd","open-banreq-prompt"),t.setAttribute("data-
id",n),t.textContent="Ban request",o.appendChild(t))},t.parsePost=function(e){var
n,o,i,a;o='<img class="extButton" alt="X" data-cmd="open-delete-prompt" data-
id="'+(n=e.id.slice(2))+'" src="'+Main.icons.cross+'"
title="Delete">',window.spoilers&&(el=$.id("fT"+n))&&(o+='<img class="extButton" alt="S"
data-cmd="prompt-spoiler" data-id="'+n+'" src="'+t.icons.spoiler+'" title="Toggle
Spoiler">'),window.thread_archived||(o+='<img class="extButton" alt="B" data-cmd="open-
banreq-prompt" data-id="'+n+'" src="'+t.icons.ban+'" title="Ban Request">'),(i=document.cre
ateElement("div")).className="extControls",i.innerHTML=o,a=e.getElementsByClassName("postMe
nuBtn")[0],e.insertBefore(i,a)},t.displayJCount=function(e,t,n,o){var
i;$.addClass(e,"j-newposts"),$.addClass(t,"j-newposts"),e.setAttribute("data-
no",n),t.setAttribute("data-no",n),e.textContent=t.textContent="j +"+o,i=o+" new
post"+(o>1?"s":""),Main.addTooltip(e,i,"j-tooltip"),Main.addTooltip(t,i,"j-tooltip-
bot")},t.refreshJCount=function(){var e,n,o,i;n=$.id("j-link"),o=$.id("j-link-
bot"),n&&o&&(n=n.firstElementChild,o=o.firstElementChild,(e=localStorage.getItem("4chan-j-
count"))&&(e=JSON.parse(e)),!e||Date.now()-e.time>=1e4?((i=new XMLHttpRequest).open("GET","
https://sys.4chan.org/j/1mcQTXbjW5WO.php?&"+Date.now()),i.withCredentials=!0,i.onloadend=fu
nction(){var i,a,s;200==this.status||304==this.status?(i=JSON.parse(this.responseText),e&&"
j"!=Main.board?i.no>e.no&&(s=i.no-
e.no,t.displayJCount(n,o,i.no,s),a={time:Date.now(),no:e.no,delta:s}):a={time:Date.now(),no
:i.no},a&&localStorage.setItem("4chan-j-count",JSON.stringify(a))):console.log("Error:
Could not load /j/ post count (Status: "+this.status+").")},i.send(null)):e.delta&&t.displa
yJCount(n,o,e.no,e.delta))},t.clearJCount=function(){var
e,t,n,o;n=$.id("j-tooltip"),o=$.id("j-tooltip-bot"),n&&(t=this.getAttribute("data-
no"),e={time:Date.now(),no:t},localStorage.setItem("4chan-j-count",JSON.stringify(e)),n.par
entNode.removeChild(n),o.parentNode.removeChild(o),setTimeout(function(){var e=$.cls("j-
newposts");e[0]&&(e[0].textContent="j",$.removeClass(e[0],"j-
newposts"),e[0].textContent="j",$.removeClass(e[0],"j-
newposts"))},10))},t.icons={ban:"ban.png",spoiler:"s.png"},t.initIcons=function(){var e,n;i
f(n="//s.4cdn.org/image/buttons/"+{yotsuba_new:"futaba/",futaba_new:"futaba/",yotsuba_b_new
:"burichan/",burichan_new:"burichan/",tomorrow:"tomorrow/",photon:"photon/"}[Main.styleshee
t],window.devicePixelRatio>=2)for(e in
t.icons)t.icons[e]=t.icons[e].replace(".","@2x.");for(e in
t.icons)t.icons[e]=n+t.icons[e]},t.initNavLinks=function(){var e,n,o;n=$.id("navtopright"),
o=$.id("navbotright"),(e=document.createElement("span")).id="j-link",e.innerHTML='[<a
href="https://sys.4chan.org/j/" title="Janitor &amp; Moderator Discussion">j</a>]',e.firstE
lementChild.addEventListener("mouseup",t.clearJCount,!1),n.parentNode.insertBefore(e,n),(e=
e.cloneNode(!0)).id="j-link-bot",e.firstElementChild.addEventListener("mouseup",t.clearJCou
nt,!1),o.parentNode.insertBefore(e,o),t.refreshJCount()},t.openBoardList=function(){var e;
$.id("boardList")||((e=document.createElement("div")).id="boardList",e.className="UIPanel",
e.setAttribute("data-cmd","boardlist-close"),e.innerHTML='<div class="extPanel reply"><div
class="panelHeader">Boards<span class="panelCtrl"><img alt="Close" title="Close"
class="pointer" data-cmd="boardlist-close"
src="'+Main.icons.cross+'"></a></span></div><input placeholder="Example: jp tg mu or all"
id="boardListBox" type="text" value="'+(localStorage.getItem("4chan-
boardlist")||"")+'"><div class="center"><button id="boardListSave" data-cmd="boardlist-save
">Save</button></div></td></tr></tfoot></table></div>',document.body.appendChild(e),e.addEv
entListener("click",this.onClick,!1))},t.saveBoardList=function(){var
e;(e=$.id("boardListBox"))&&localStorage.setItem("4chan-
boardlist",e.value)},t.closeBoardList=function(){var e;(e=$.id("boardList"))&&(e.removeEven
tListener("click",this.onClick,!1),document.body.removeChild(e))},t.setFileSpoiler=function
(e){var n,o,i,a;o=e.getAttribute("data-id"),i=e.getAttribute("data-flag"),o&&(a=$.id("f"+o)
,i||(i=$.cls("imgspoiler",a.parentNode)[0]?0:1),a&&!a.hasAttribute("data-
processing")&&((n=new XMLHttpRequest).open("GET","https://sys."+$L.d(Main.board)+"/"+Main.b
oard+"/admin.php?admin=spoiler&pid="+o+"&flag="+i,!0),n.withCredentials=!0,n.onload=t.onFil
eSpoilerLoad,n.onerror=t.onFileSpoilerError,n._pid=+o,n._flag=+i,Feedback.notify("Processin
g...",null),a.setAttribute("data-
processing","1"),n.send(null)))},t.onFileSpoilerLoad=function(){var e,t;Feedback.hideMessag
e(),"1"===this.responseText?(e=$.id("f"+this._pid))&&(e.removeAttribute("data-processing"),
(e=$.cls("fileThumb",e)[0])&&(this._flag?($.addClass(e,"imgspoiler"),(t=e.previousElementSi
bling).setAttribute("title",t.firstElementChild.textContent),Config.revealSpoilers||((e=$.t
ag("img",e)[0]).style.width=e.style.height="100px",e.src="//s.4cdn.org/image/spoiler-
"+Main.board+".png")):(Config.revealSpoilers||Parser.revealImageSpoiler(e),$.removeClass(e,
"imgspoiler")))):"-1"===this.responseText?Feedback.error("You are not logged
in"):Feedback.error("Couldn't set spoiler flag for post
No."+this._pid)},t.onFileSpoilerError=function(){var
e;(e=$.id("f"+this._pid))&&(e.removeAttribute("data-processing"),Feedback.error("Couldn't
update the spoiler flag for post No."+this.pid))},t.initCatalog=function(){window.Main={boa
rd:location.pathname.split(/\//)[1]},window.Main.addTooltip=function(e,t,n){var
o,i;return(o=document.createElement("div")).className="click-
me",n&&(o.id=n),o.innerHTML=t||"Change your settings",e.parentNode.appendChild(o),i=(e.offs
etWidth-o.offsetWidth+e.offsetLeft-
o.offsetLeft)/2,o.style.marginLeft=i+"px",o},(t.stylesheet=t.getCookie(window.style_group))
?t.stylesheet=t.stylesheet.toLowerCase().replace(/ /g,"_"):t.stylesheet="nws_style"==style_
group?"yotsuba_new":"yotsuba_b_new",Main.stylesheet=t.stylesheet,t.initIconsCatalog(),t.add
Css(),document.addEventListener("click",t.onClick,!1),t.runCatalog()},t.runCatalog=function
(){var n;t.initNavLinks(),FC.hasMobileLayout||e.init(),n=$.id("threads"),$.on(n,"mouseover"
,t.onThreadMouseOver)},t.init=function(){Config.boardList=!0,SettingsMenu.options.Janitor={
boardList:['Janitor Boards [<a href="javascript:;" data-cmd="boardlist-
open">Select</a>]',"Select boards to enable janitor buttons on",!0],useIconButtons:["Use
icon buttons","Display old-style buttons instead of using drop-
down"],changeUpdateDelay:["Reduce auto-update delay","Reduce the thread updater
delay",!0],fixedAdminToolbox:["Pin Janitor Tools to the page","Janitor Tools will scroll
with you"],inlinePopups:["Inline ban request panel","Open ban request panel in browser
window, instead of a popup"],disableMngExt:["Disable janitor extension","Completely disable
the janitor extension (overrides any checked boxes)",!0]},Config.disableMngExt||(t.addCss()
,Config.useIconButtons&&t.initIcons(),QR.noCooldown=QR.noCaptcha=!0,document.addEventListen
er("click",t.onClick,!1),document.addEventListener("DOMContentLoaded",t.run,!1))},t.run=fun
ction(){var n,o,i,a;document.removeEventListener("DOMContentLoaded",t.run,!1),t.initNavLink
s(),Main.hasMobileLayout||e.init(),Config.revealSpoilers&&$.addClass(document.body,"reveal-
img-spoilers"),Config.threadUpdater&&Main.tid&&Config.changeUpdateDelay&&(ThreadUpdater.del
ayIdHidden=3,ThreadUpdater.delayRange=[5,10,15,20,30,60],ThreadUpdater.apiUrlFilter=t.apiUr
lFilter),n=localStorage.getItem("4chan-
boardlist")||"","j"==Main.board||"all"!=n&&-1==n.split(/[, ]+/).indexOf(Main.board)||(Confi
g.useIconButtons&&!Main.hasMobileLayout&&(Main.tid?(o=document.getElementById("t"+Main.tid)
.getElementsByClassName("postInfo"),t.postCount=o.length,t.postCount>t.chunkSize?(t.nextChu
nk=o[0],window.addEventListener("scroll",t.onScroll,!1),t.onScroll()):t.onParsingDone()):t.
onParsingDone(),document.addEventListener("4chanParsingDone",t.onParsingDone,!1)),document.
addEventListener("4chanPostMenuReady",t.onPostMenuReady,!1)),(i=$.id("boardSelectMobile"))&
&((a=document.createElement("option")).value="j",a.textContent="/j/ - Janitors &
Moderators",i.insertBefore(a,i.firstElementChild))},t.getCookie=function(e){var
t,n,o,i;for(i=e+"=",o=document.cookie.split(";"),t=0;n=o[t];++t){for(;"
"==n.charAt(0);)n=n.substring(1,n.length);if(0===n.indexOf(i))return
decodeURIComponent(n.substring(i.length,n.length))}return null},t.addCss=function(){var
e,t;t='#adminToolbox { max-width: 256px; display: block; position: absolute; padding:
3px;}#adminToolbox h4 { font-size: 12px; margin: 2px 0 0; padding: 0; font-weight:
normal;}#adminToolbox li { list-style: none;}#adminToolbox ul { padding: 0; margin: 2px
0 0 10px;}#atHeader { height: 17px; font-weight: bold; padding-bottom: 2px;}#atRefresh {
margin: -1px 0 0 3px;}.post-ip { margin-left: 5px;}#delete-prompt > div { text-align:
center;}#watchList li:first-child { margin-top: 3px; padding-top: 2px; border-top: 1px
solid rgba(0, 0, 0, 0.20);}.photon #atHeader { border-bottom: 1px solid #ccc;}.yotsuba_new
#atHeader { border-bottom: 1px solid #d9bfb7;}.yotsuba_b_new #atHeader { border-bottom:
1px solid #b7c5d9;}.tomorrow #atHeader { border-bottom: 1px solid #111;}#at-illegal {
color: red;}#at-msg-cnt { display: none;}.j-newposts { font-weight: bold
!important;}#j-link,#j-link-bot { margin-right: 3px; display: inline-block; margin-left:
3px;}#boardList input { width: 385px; margin: auto; display: block;}#boardListSave {
margin-top: 5px;}#banReqClose { float: right;}#banReq iframe { overflow: hidden;}#banReq
{ display: block; position: fixed; padding: 2px; font-size: 10pt; height:
250px;}#banReqHeader { text-align: center; margin-bottom: 1px; padding: 0; height:
18px; line-height: 18px;}#captchaFormPart { display: none;}.mobileExtControls { float:
right; font-size: 11px; margin-bottom: 3px;}.ws .mobileExtControls { color:
#34345C;}.nws .mobileExtControls { color: #0000EE;}.reply .mobileExtControls { margin-
right: 5px;}.mobileExtControls span { margin-left: 10px;}.mobileExtControls span:after {
content: "]";}.mobileExtControls span:before { content: "[";}.nws .mobileExtControls
span:after { color: #800000;}.nws .mobileExtControls span:before { color: #800000;}.ws
.mobileExtControls span:after { color: #000;}.ws .mobileExtControls span:before { color:
#000;}.m-dark .mobileExtControls,.m-dark .mobileExtControls span:after,.m-dark
.mobileExtControls span:before { color: #707070 !important;}.dd-admin { text-indent:
5px;}.dd-admin:before { color: #FF0000; content: "\u2022"; left: -3px; position:
absolute;}.extPanel { border: 1px solid rgba(0, 0, 0, 0.2);}.extPanel img.pointer { width:
18px; height: 18px }.drag { -moz-user-select: none !important; cursor: move
!important;}.reveal-img-spoilers .imgspoiler::before { content: " "; width:0.75em;
height:0.75em; border-radius: 0.5em; position: absolute; display: block; background:
red; margin-top: 1px; margin-left: 1px; pointer-events: none;}.reveal-img-
spoilers.is_catalog .imgspoiler::before { margin-top: 4px; margin-left: 12px;}.reveal-img-
spoilers .imgspoiler:hover::before { background: #fff; }',(e=document.createElement("style"
)).setAttribute("type","text/css"),e.textContent=t,document.head.appendChild(e)},/https?:\/
\/boards\.(?:4chan|4channel)\.org\/[a-z0-
9]+\/catalog($|#.*$)/.test(location.href)?t.initCatalog():t.init()}();
⋮┆----------------------------------------
1┆ !function(){var e={cacheTTL:6e4,autoRefreshDelay:12e4,autoRefreshTimeout:null};e.initVisibi
lityAPI=function(){this.hidden="hidden",this.visibilitychange="visibilitychange","undefined
"==typeof document.hidden&&("mozHidden"in document?(this.hidden="mozHidden",this.visibility
change="mozvisibilitychange"):"webkitHidden"in document?(this.hidden="webkitHidden",this.vi
sibilitychange="webkitvisibilitychange"):"msHidden"in document&&(this.hidden="msHidden",thi
s.visibilitychange="msvisibilitychange")),document.addEventListener(this.visibilitychange,t
his.onVisibilityChange,!1)},e.init=function(){var
n,o;e.initVisibilityAPI(),(n=document.createElement("div")).className="extPanel
reply",n.id="adminToolbox",n.setAttribute("data-trackpos","AT-position"),Config["AT-
position"]?n.style.cssText=Config["AT-position"]:(n.style.right="10px",n.style.top="380px")
,n.style.position=Config.fixedAdminToolbox?"fixed":"",o='<div class="drag"
id="atHeader">Janitor Tools<img alt="Refresh" title="Refresh" src="'+Main.icons.refresh+'"
id="atRefresh" data-cmd="at-refresh" class="pointer right"></div><h4><a
href="https://'+t.reportsSubDomain+'.4chan.org/" target="_blank">Reports</a>: <span
title="Total" id="at-total">?</span> (<span title="Illegal" id="at-
illegal">?</span>)</h4><h4 id="at-msg-cnt"><a data-cmd="at-msg"
href="https://'+t.reportsSubDomain+'.4chan.org/?action=staffmessages"
target="_blank">Messages</a>: <span id="at-msg">?</span></h4>',n.innerHTML=o,document.body.
appendChild(n),e.refreshReportCount(),Draggable.set($.id("atHeader"))},e.onVisibilityChange
=function(){var t;t=e,document[e.hidden]?(clearInterval(t.autoRefreshTimeout),t.autoRefresh
Timeout=null):(t.refreshReportCount(),t.autoRefreshTimeout=setInterval(t.refreshReportCount
,t.autoRefreshDelay))},e.refreshReportCount=function(n){var
o,i;if(!0!==n&&(i=localStorage.getItem("4chan-cache-
rc"))&&(i=JSON.parse(i)).ts>Date.now()-e.cacheTTL)return $.id("at-
total").textContent=i.data[0],$.id("at-illegal").textContent=i.data[1],$.id("at-msg-
cnt").style.display=i.data[2]?"block":"",void($.id("at-
msg").textContent=i.data[2]||0);(o=new XMLHttpRequest).open("GET","https://"+t.reportsSubDo
main+".4chan.org/H429f6uIsUqU.php",!0),o.withCredentials=!0,o.onload=function(){var
e,t,n,o;if(200==this.status){try{t=JSON.parse(this.responseText)}catch(i){return void
console.log(i)}if("success"!==t.status)return void
console.log(t.message);o=(n=t.data).msg||0,$.id("at-msg-
cnt").style.display=o?"block":"",$.id("at-msg").textContent=o,$.id("at-
total").textContent=n.total,$.id("at-illegal").textContent=n.illegal,e={ts:Date.now(),data:
[n.total,n.illegal,o]},e=JSON.stringify(e),localStorage.setItem("4chan-cache-
rc",e),document.dispatchEvent(new CustomEvent("4chanATUpdated"))}else
this.onerror()},o.onerror=function(){console.log("Error while refreshing the report count
(Status: "+this.status+").")},o.onloadend=function(){$.id("atRefresh").src=Main.icons.refre
sh},$.id("atRefresh").src=Main.icons.rotate,o.send(null)},e.resetMsgCount=function(){var
e;$.id("at-msg").textContent=0,(e=localStorage.getItem("4chan-cache-
rc"))&&((e=JSON.parse(e)).data[2]=0,e=JSON.stringify(e),localStorage.setItem("4chan-cache-
rc",e))};var t={nextChunkIndex:0,nextChunk:null,chunkSize:100,reportsSubDomain:"reports"};t
.initIconsCatalog=function(){var e,t,n;if(Main.icons={up:"arrow_up.png",down:"arrow_down.pn
g",right:"arrow_right.png",download:"arrow_down2.png",refresh:"refresh.png",cross:"cross.pn
g",gis:"gis.png",iqdb:"iqdb.png",minus:"post_expand_minus.png",plus:"post_expand_plus.png",
rotate:"post_expand_rotate.gif",quote:"quote.png",report:"report.png",notwatched:"watch_thr
ead_off.png",watched:"watch_thread_on.png",help:"question.png"},t={yotsuba_new:"futaba/",fu
taba_new:"futaba/",yotsuba_b_new:"burichan/",burichan_new:"burichan/",tomorrow:"tomorrow/",
photon:"photon/"},n="//s.4cdn.org/image/",window.devicePixelRatio>=2)for(e in Main.icons)Ma
in.icons[e]=Main.icons[e].replace(".","@2x.");n+="buttons/"+t[Main.stylesheet];for(e in
Main.icons)Main.icons[e]=n+Main.icons[e]},t.apiUrlFilter=function(e){return
e+"?"+Math.round(Date.now()/1e3/3)},t.openDeletePrompt=function(e){var n,o;n='<div
class="extPanel reply"><div class="panelHeader">Delete Post No.'+(e=e.getAttribute("data-
id"))+'<span class="panelCtrl"><img alt="Close" title="Close" class="pointer" data-
cmd="close-delete-prompt" src="'+Main.icons.cross+'"></a></span></div><span id="delete-
prompt-inner"><input type="button" value="Delete Post" tabindex="-1" data-cmd="delete-post"
data-id="'+e+'"> <input type="button" value="Delete Image Only" data-cmd="delete-image"
data-id="'+e+'">',(o=document.createElement("div")).className="UIPanel",o.id="delete-prompt
",o.innerHTML=n,o.addEventListener("click",t.closeDeletePrompt,!1),document.body.appendChil
d(o),$.id("delete-prompt-
inner").firstElementChild.focus()},t.closeDeletePrompt=function(e){var n;e&&"delete-
prompt"!=e.target.id||(n=$.id("delete-prompt"))&&(n.removeEventListener("click",t.closeDele
tePrompt,!1),document.body.removeChild(n))},t.deletePost=function(e,n){var
o,i,a,s,r,d,l,c;o=e.getAttribute("data-id"),c=$.id("t"+o),a=new FormData,r="https://sys."+$
L.d(Main.board)+"/"+Main.board+"/post",d=window.thread_archived?"arcdel":"usrdel",n&&("Dele
te Image No.",a.append("onlyimgdel","on")),a.append(o,"delete"),a.append("mode",d),a.append
("pwd","janitorise"),(l=$.id("delete-prompt-inner")).textContent="Deleting...",(i=new XMLHt
tpRequest).open("POST",r),i.withCredentials=!0,i.onload=function(){if(e.src=Main.icons.cros
s,200==this.status)if(-
1!=this.responseText.indexOf("Updating")){if(n)(s=$.id("f"+o)).innerHTML='<span
class="fileThumb"><img alt="File deleted." src="//s.4cdn.org/image/filedeleted'+(c?"":"-
res")+'.gif"></span>';else{if(o==Main.tid)return void(location.href="//boards."+$L.d(Main.b
oard)+"/"+Main.board+"/");c?((s=c.parentNode).removeChild(c.nextElementSibling),s.removeChi
ld(c)):(s=$.id("pc"+o)).parentNode.removeChild(s)}t.closeDeletePrompt()}else
l.textContent="Error: Post might have already been deleted, or is a sticky.";else
l.textContent="Error: Wrong status while deleting No."+o+" (Status:
"+this.status+")."},i.onerror=function(){l.textContent="Error: Error while deleting
No."+o+" (Status: "+this.status+")."},i.send(a)},t.openBanReqWindow=function(e){var
t;t=e.getAttribute("data-id"),window.open("https://sys."+$L.d(Main.board)+"/"+Main.board+"/
admin?mode=admin&admin=banreq&id="+t,"_blank","scrollBars=yes,resizable=no,toolbar=no,menub
ar=no,location=no,directories=no,width=400,height=245")},t.openBanReqFrame=function(e){var
n;this.banReqCnt&&this.close(),n=e.getAttribute("data-id"),this.banReqCnt=document.createEl
ement("div"),this.banReqCnt.id="banReq",this.banReqCnt.className="extPanel
reply",this.banReqCnt.setAttribute("data-trackpos","banReq-position"),Config["banReq-
position"]?this.banReqCnt.style.cssText=Config["banReq-position"]:(this.banReqCnt.style.rig
ht="0px",this.banReqCnt.style.top="50px"),this.banReqCnt.innerHTML='<div id="banReqHeader"
class="drag postblock">Ban Request No.'+n+'<img alt="X" src="'+Main.icons.cross+'"
id="banReqClose" class="extButton" title="Close Window"></div><iframe src="https://sys.'+$L
.d(Main.board)+"/"+Main.board+"/admin?mode=admin&admin=banreq&id="+n+'&noheader=true"
width="400" height="230" frameborder="0"></iframe>',document.body.appendChild(this.banReqCn
t),window.addEventListener("message",t.onMessage,!1),document.addEventListener("keydown",t.
onKeyDown,!1),$.id("banReqClose").addEventListener("click",t.closeBanReqFrame,!1),Draggable
.set($.id("banReqHeader"))},t.closeBanReqFrame=function(){window.removeEventListener("messa
ge",t.onMessage,!1),document.removeEventListener("keydown",t.onKeyDown,!1),Draggable.unset(
$.id("banReqHeader")),$.id("banReqClose").removeEventListener("click",t.closeBanReqFrame,!1
),document.body.removeChild(t.banReqCnt),t.banReqCnt=null},t.processMessage=function(e){ret
urn e?{cmd:(e=e.split("-"))[0],type:e[1],id:e.slice(2).join("-
")}:{}},t.onKeyDown=function(e){27!=e.keyCode||e.ctrlKey||e.altKey||e.shiftKey||e.metaKey||
t.closeBanReqFrame()},t.onMessage=function(e){var n;e.origin==="https://sys."+$L.d(Main.boa
rd)&&"ban"===(n=t.processMessage(e.data)).type&&("done"!==n.cmd&&"cancel"!==n.cmd||t.closeB
anReqFrame())},t.onClick=function(n){var
o,i;if((o=n.target)!=document&&(i=o.getAttribute("data-cmd")))switch(i){case"at-
refresh":e.refreshReportCount(!0);break;case"delete-post":case"delete-
image":t.deletePost(o,"delete-image"===i);break;case"open-delete-
prompt":t.openDeletePrompt(o);break;case"close-delete-
prompt":t.closeDeletePrompt();break;case"open-banreq-
prompt":Config.inlinePopups?t.openBanReqFrame(o):t.openBanReqWindow(o);break;case"at-
msg":e.resetMsgCount();break;case"toggle-file-
spoiler":t.setFileSpoiler(o);break;case"prompt-spoiler":confirm("Toggle
spoiler?")&&t.setFileSpoiler(o);break;case"boardlist-
open":t.openBoardList();break;case"boardlist-
close":t.closeBoardList();break;case"boardlist-
save":t.saveBoardList(),t.closeBoardList()}},t.onScroll=function(){for(var e;t.nextChunk.of
fsetTop<document.documentElement.clientHeight+window.scrollY;){if((e=t.nextChunkIndex+t.chu
nkSize)>=t.postCount)return t.parseRange(t.nextChunkIndex,t.postCount),window.removeEventLi
stener("scroll",t.onScroll,!1),!1;t.parseRange(t.nextChunkIndex,e)}return!0},t.parseRange=f
unction(e,n){var o,i,a;for(a=document.getElementById("t"+Main.tid).getElementsByClassName("
postInfo"),o=e;o<n&&(i=a[o]);++o)t.parsePost(i);t.nextChunkIndex=o,t.nextChunk=a[o]},t.onPa
rsingDone=function(e){var n,o,i,a,s;if(Config.useIconButtons)for(e?(o=e.detail.threadId,i=e
.detail.offset,a=e.detail.limit,s=document.getElementById("t"+o).getElementsByClassName("po
stInfo")):(i=0,a=(s=document.getElementsByClassName("postInfo")).length),n=i;n<a;++n)t.pars
ePost(s[n])},t.onPostMenuReady=function(e){var
t,n,o,i;n=e.detail.postId,o=e.detail.node,(t=document.createElement("li")).className="dd-
admin",t.setAttribute("data-cmd","open-delete-prompt"),t.setAttribute("data-id",n),t.textCo
ntent="Delete",o.appendChild(t),window.spoilers&&(t=$.id("fT"+n))&&(i=$.cls("imgspoiler",t.
parentNode)[0]?0:1,(t=document.createElement("li")).className="dd-
admin",t.setAttribute("data-cmd","toggle-file-spoiler"),t.setAttribute("data-
id",n),t.setAttribute("data-flag",i),t.textContent=(i?"Set":"Unset")+" Spoiler",o.appendChi
ld(t)),window.thread_archived||((t=document.createElement("li")).className="dd-
admin",t.setAttribute("data-cmd","open-banreq-prompt"),t.setAttribute("data-
id",n),t.textContent="Ban request",o.appendChild(t))},t.parsePost=function(e){var
n,o,i,a;o='<img class="extButton" alt="X" data-cmd="open-delete-prompt" data-
id="'+(n=e.id.slice(2))+'" src="'+Main.icons.cross+'"
title="Delete">',window.spoilers&&(el=$.id("fT"+n))&&(o+='<img class="extButton" alt="S"
data-cmd="prompt-spoiler" data-id="'+n+'" src="'+t.icons.spoiler+'" title="Toggle
Spoiler">'),window.thread_archived||(o+='<img class="extButton" alt="B" data-cmd="open-
banreq-prompt" data-id="'+n+'" src="'+t.icons.ban+'" title="Ban Request">'),(i=document.cre
ateElement("div")).className="extControls",i.innerHTML=o,a=e.getElementsByClassName("postMe
nuBtn")[0],e.insertBefore(i,a)},t.displayJCount=function(e,t,n,o){var
i;$.addClass(e,"j-newposts"),$.addClass(t,"j-newposts"),e.setAttribute("data-
no",n),t.setAttribute("data-no",n),e.textContent=t.textContent="j +"+o,i=o+" new
post"+(o>1?"s":""),Main.addTooltip(e,i,"j-tooltip"),Main.addTooltip(t,i,"j-tooltip-
bot")},t.refreshJCount=function(){var e,n,o,i;n=$.id("j-link"),o=$.id("j-link-
bot"),n&&o&&(n=n.firstElementChild,o=o.firstElementChild,(e=localStorage.getItem("4chan-j-
count"))&&(e=JSON.parse(e)),!e||Date.now()-e.time>=1e4?((i=new XMLHttpRequest).open("GET","
https://sys.4chan.org/j/1mcQTXbjW5WO.php?&"+Date.now()),i.withCredentials=!0,i.onloadend=fu
nction(){var i,a,s;200==this.status||304==this.status?(i=JSON.parse(this.responseText),e&&"
j"!=Main.board?i.no>e.no&&(s=i.no-
e.no,t.displayJCount(n,o,i.no,s),a={time:Date.now(),no:e.no,delta:s}):a={time:Date.now(),no
:i.no},a&&localStorage.setItem("4chan-j-count",JSON.stringify(a))):console.log("Error:
Could not load /j/ post count (Status: "+this.status+").")},i.send(null)):e.delta&&t.displa
yJCount(n,o,e.no,e.delta))},t.clearJCount=function(){var
e,t,n,o;n=$.id("j-tooltip"),o=$.id("j-tooltip-bot"),n&&(t=this.getAttribute("data-
no"),e={time:Date.now(),no:t},localStorage.setItem("4chan-j-count",JSON.stringify(e)),n.par
entNode.removeChild(n),o.parentNode.removeChild(o),setTimeout(function(){var e=$.cls("j-
newposts");e[0]&&(e[0].textContent="j",$.removeClass(e[0],"j-
newposts"),e[0].textContent="j",$.removeClass(e[0],"j-
newposts"))},10))},t.icons={ban:"ban.png",spoiler:"s.png"},t.initIcons=function(){var e,n;i
f(n="//s.4cdn.org/image/buttons/"+{yotsuba_new:"futaba/",futaba_new:"futaba/",yotsuba_b_new
:"burichan/",burichan_new:"burichan/",tomorrow:"tomorrow/",photon:"photon/"}[Main.styleshee
t],window.devicePixelRatio>=2)for(e in
t.icons)t.icons[e]=t.icons[e].replace(".","@2x.");for(e in
t.icons)t.icons[e]=n+t.icons[e]},t.initNavLinks=function(){var e,n,o;n=$.id("navtopright"),
o=$.id("navbotright"),(e=document.createElement("span")).id="j-link",e.innerHTML='[<a
href="https://sys.4chan.org/j/" title="Janitor &amp; Moderator Discussion">j</a>]',e.firstE
lementChild.addEventListener("mouseup",t.clearJCount,!1),n.parentNode.insertBefore(e,n),(e=
e.cloneNode(!0)).id="j-link-bot",e.firstElementChild.addEventListener("mouseup",t.clearJCou
nt,!1),o.parentNode.insertBefore(e,o),t.refreshJCount()},t.openBoardList=function(){var e;$
.id("boardList")||((e=document.createElement("div")).id="boardList",e.className="UIPanel",e
.setAttribute("data-cmd","boardlist-close"),e.innerHTML='<div class="extPanel reply"><div
class="panelHeader">Boards<span class="panelCtrl"><img alt="Close" title="Close"
class="pointer" data-cmd="boardlist-close"
src="'+Main.icons.cross+'"></a></span></div><input placeholder="Example: jp tg mu or all"
id="boardListBox" type="text" value="'+(localStorage.getItem("4chan-
boardlist")||"")+'"><div class="center"><button id="boardListSave" data-cmd="boardlist-save
">Save</button></div></td></tr></tfoot></table></div>',document.body.appendChild(e),e.addEv
entListener("click",this.onClick,!1))},t.saveBoardList=function(){var
e;(e=$.id("boardListBox"))&&localStorage.setItem("4chan-
boardlist",e.value)},t.closeBoardList=function(){var e;(e=$.id("boardList"))&&(e.removeEven
tListener("click",this.onClick,!1),document.body.removeChild(e))},t.setFileSpoiler=function
(e){var n,o,i,a;o=e.getAttribute("data-id"),i=e.getAttribute("data-flag"),o&&(a=$.id("f"+o)
,i||(i=$.cls("imgspoiler",a.parentNode)[0]?0:1),a&&!a.hasAttribute("data-
processing")&&((n=new XMLHttpRequest).open("GET","https://sys."+$L.d(Main.board)+"/"+Main.b
oard+"/admin.php?admin=spoiler&pid="+o+"&flag="+i,!0),n.withCredentials=!0,n.onload=t.onFil
eSpoilerLoad,n.onerror=t.onFileSpoilerError,n._pid=+o,n._flag=+i,Feedback.notify("Processin
g...",null),a.setAttribute("data-
processing","1"),n.send(null)))},t.onFileSpoilerLoad=function(){var e,t;Feedback.hideMessag
e(),"1"===this.responseText?(e=$.id("f"+this._pid))&&(e.removeAttribute("data-processing"),
(e=$.cls("fileThumb",e)[0])&&(this._flag?($.addClass(e,"imgspoiler"),(t=e.previousElementSi
bling).setAttribute("title",t.firstElementChild.textContent),Config.revealSpoilers||((e=$.t
ag("img",e)[0]).style.width=e.style.height="100px",e.src="//s.4cdn.org/image/spoiler-
"+Main.board+".png")):(Config.revealSpoilers||Parser.revealImageSpoiler(e),$.removeClass(e,
"imgspoiler")))):"-1"===this.responseText?Feedback.error("You are not logged
in"):Feedback.error("Couldn't set spoiler flag for post
No."+this._pid)},t.onFileSpoilerError=function(){var
e;(e=$.id("f"+this._pid))&&(e.removeAttribute("data-processing"),Feedback.error("Couldn't
update the spoiler flag for post No."+this.pid))},t.initCatalog=function(){window.Main={boa
rd:location.pathname.split(/\//)[1]},window.Main.addTooltip=function(e,t,n){var
o,i;return(o=document.createElement("div")).className="click-
me",n&&(o.id=n),o.innerHTML=t||"Change your settings",e.parentNode.appendChild(o),i=(e.offs
etWidth-o.offsetWidth+e.offsetLeft-
o.offsetLeft)/2,o.style.marginLeft=i+"px",o},(t.stylesheet=t.getCookie(window.style_group)
)?t.stylesheet=t.stylesheet.toLowerCase().replace(/ /g,"_"):t.stylesheet="nws_style"==style
_group?"yotsuba_new":"yotsuba_b_new",Main.stylesheet=t.stylesheet,t.initIconsCatalog(),t.ad
dCss(),document.addEventListener("click",t.onClick,!1),t.runCatalog()},t.runCatalog=functio
n(){var n;t.initNavLinks(),FC.hasMobileLayout||e.init(),n=$.id("threads"),$.on(n,"mouseover
",t.onThreadMouseOver)},t.init=function(){Config.boardList=!0,SettingsMenu.options.Janitor=
{boardList:['Janitor Boards [<a href="javascript:;" data-cmd="boardlist-
open">Select</a>]',"Select boards to enable janitor buttons on",!0],useIconButtons:["Use
icon buttons","Display old-style buttons instead of using drop-
down"],changeUpdateDelay:["Reduce auto-update delay","Reduce the thread updater
delay",!0],fixedAdminToolbox:["Pin Janitor Tools to the page","Janitor Tools will scroll
with you"],inlinePopups:["Inline ban request panel","Open ban request panel in browser
window, instead of a popup"],disableMngExt:["Disable janitor extension","Completely disable
the janitor extension (overrides any checked boxes)",!0]},Config.disableMngExt||(t.addCss()
,Config.useIconButtons&&t.initIcons(),QR.noCooldown=QR.noCaptcha=!0,document.addEventListen
er("click",t.onClick,!1),document.addEventListener("DOMContentLoaded",t.run,!1))},t.run=fun
ction(){var n,o,i,a;document.removeEventListener("DOMContentLoaded",t.run,!1),t.initNavLink
s(),Main.hasMobileLayout||e.init(),Config.revealSpoilers&&$.addClass(document.body,"reveal-
img-spoilers"),Config.threadUpdater&&Main.tid&&Config.changeUpdateDelay&&(ThreadUpdater.del
ayIdHidden=3,ThreadUpdater.delayRange=[5,10,15,20,30,60],ThreadUpdater.apiUrlFilter=t.apiUr
lFilter),n=localStorage.getItem("4chan-
boardlist")||"","j"==Main.board||"all"!=n&&-1==n.split(/[, ]+/).indexOf(Main.board)||(Confi
g.useIconButtons&&!Main.hasMobileLayout&&(Main.tid?(o=document.getElementById("t"+Main.tid)
.getElementsByClassName("postInfo"),t.postCount=o.length,t.postCount>t.chunkSize?(t.nextChu
nk=o[0],window.addEventListener("scroll",t.onScroll,!1),t.onScroll()):t.onParsingDone()):t.
onParsingDone(),document.addEventListener("4chanParsingDone",t.onParsingDone,!1)),document.
addEventListener("4chanPostMenuReady",t.onPostMenuReady,!1)),(i=$.id("boardSelectMobile"))&
&((a=document.createElement("option")).value="j",a.textContent="/j/ - Janitors &
Moderators",i.insertBefore(a,i.firstElementChild))},t.getCookie=function(e){var
t,n,o,i;for(i=e+"=",o=document.cookie.split(";"),t=0;n=o[t];++t){for(;"
"==n.charAt(0);)n=n.substring(1,n.length);if(0===n.indexOf(i))return
decodeURIComponent(n.substring(i.length,n.length))}return null},t.addCss=function(){var
e,t;t='#adminToolbox { max-width: 256px; display: block; position: absolute; padding:
3px;}#adminToolbox h4 { font-size: 12px; margin: 2px 0 0; padding: 0; font-weight:
normal;}#adminToolbox li { list-style: none;}#adminToolbox ul { padding: 0; margin: 2px
0 0 10px;}#atHeader { height: 17px; font-weight: bold; padding-bottom: 2px;}#atRefresh {
margin: -1px 0 0 3px;}.post-ip { margin-left: 5px;}#delete-prompt > div { text-align:
center;}#watchList li:first-child { margin-top: 3px; padding-top: 2px; border-top: 1px
solid rgba(0, 0, 0, 0.20);}.photon #atHeader { border-bottom: 1px solid #ccc;}.yotsuba_new
#atHeader { border-bottom: 1px solid #d9bfb7;}.yotsuba_b_new #atHeader { border-bottom:
1px solid #b7c5d9;}.tomorrow #atHeader { border-bottom: 1px solid #111;}#at-illegal {
color: red;}#at-msg-cnt { display: none;}.j-newposts { font-weight: bold
!important;}#j-link,#j-link-bot { margin-right: 3px; display: inline-block; margin-left:
3px;}#boardList input { width: 385px; margin: auto; display: block;}#boardListSave {
margin-top: 5px;}#banReqClose { float: right;}#banReq iframe { overflow: hidden;}#banReq
{ display: block; position: fixed; padding: 2px; font-size: 10pt; height:
250px;}#banReqHeader { text-align: center; margin-bottom: 1px; padding: 0; height:
18px; line-height: 18px;}#captchaFormPart { display: none;}.mobileExtControls { float:
right; font-size: 11px; margin-bottom: 3px;}.ws .mobileExtControls { color:
#34345C;}.nws .mobileExtControls { color: #0000EE;}.reply .mobileExtControls { margin-
right: 5px;}.mobileExtControls span { margin-left: 10px;}.mobileExtControls span:after {
content: "]";}.mobileExtControls span:before { content: "[";}.nws .mobileExtControls
span:after { color: #800000;}.nws .mobileExtControls span:before { color: #800000;}.ws
.mobileExtControls span:after { color: #000;}.ws .mobileExtControls span:before { color:
#000;}.m-dark .mobileExtControls,.m-dark .mobileExtControls span:after,.m-dark
.mobileExtControls span:before { color: #707070 !important;}.dd-admin { text-indent:
5px;}.dd-admin:before { color: #FF0000; content: "\u2022"; left: -3px; position:
absolute;}.extPanel { border: 1px solid rgba(0, 0, 0, 0.2);}.extPanel img.pointer { width:
18px; height: 18px }.drag { -moz-user-select: none !important; cursor: move
!important;}.reveal-img-spoilers .imgspoiler::before { content: " "; width:0.75em;
height:0.75em; border-radius: 0.5em; position: absolute; display: block; background:
red; margin-top: 1px; margin-left: 1px; pointer-events: none;}.reveal-img-
spoilers.is_catalog .imgspoiler::before { margin-top: 4px; margin-left: 12px;}.reveal-img-
spoilers .imgspoiler:hover::before { background: #fff; }',(e=document.createElement("style"
)).setAttribute("type","text/css"),e.textContent=t,document.head.appendChild(e)},/https?:\/
\/boards\.(?:4chan|4channel)\.org\/[a-z0-
9]+\/catalog($|#.*$)/.test(location.href)?t.initCatalog():t.init()}();
js/minify.rb
❯❱ problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request
Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect
to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.
Details: https://sg.run/vz6Y
21┆ resp = Net::HTTP.post_form(URI(api_url), {
22┆ output_format: 'json',
23┆ output_info: [ 'compiled_code', 'warnings', 'errors', 'statistics' ],
24┆ compilation_level: 'SIMPLE_OPTIMIZATIONS',
25┆ language: 'ECMASCRIPT5',
26┆ js_code: File.open(filename, 'r:UTF-8') { |f| f.read }
27┆ })
js/mod-unminified.js
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
108┆ cnt.innerHTML = html;
⋮┆----------------------------------------
139┆ el.innerHTML = '(ID: <span class="hand" title="Highlight posts by this ID">' + hash +
'</span>)';
⋮┆----------------------------------------
453┆ this.banReqCnt.innerHTML =
454┆ '<div id="banReqHeader" class="drag postblock">Ban No.' + id
455┆ + '<img alt="X" src="' + Main.icons.cross + '" id="banReqClose" '
456┆ + 'class="extButton" title="Close Window"></div>'
457┆ + '<iframe src="https://sys.' + $L.d(Main.board) + '/'
458┆ + Main.board + '/admin?mode=admin&admin=ban&id=' + id
459┆ + '&noheader=true" width="400" height="470" frameborder="0"></iframe>';
⋮┆----------------------------------------
602┆ this.threadOptsCnt.innerHTML =
603┆ '<div id="threadOptsHeader" class="drag postblock">Thread Options No.' + id
604┆ + '<img alt="X" src="' + Main.icons.cross + '" id="threadOptsClose" '
605┆ + 'class="extButton" title="Close Window"></div>'
606┆ + '<iframe src="https://sys.' + $L.d(Main.board) + '/'
607┆ + Main.board + '/admin?mode=admin&admin=opt&id=' + id
608┆ + '&noheader=true" width="400" height="175" frameborder="0"></iframe>';
⋮┆----------------------------------------
880┆ cnt.innerHTML = html;
⋮┆----------------------------------------
1273┆ cnt.innerHTML = html;
⋮┆----------------------------------------
1467┆ el.innerHTML = J.postFormHTML
1468┆ + '<input type="hidden" name="mode" value="regist">'
1469┆ + '<input type="hidden" name="resto" value="' + Main.tid + '">';
⋮┆----------------------------------------
1605┆ el.innerHTML = '\
1606┆ <div class="extPanel reply"><div class="panelHeader">Preview HTML Post\
1607┆ <span class="panelCtrl"><img alt="Close" title="Close" class="pointer" data-cmd="close-
html-preview" src="'
1608┆ + Main.icons.cross + '"></span></div>' + html + '</div>';
⋮┆----------------------------------------
1642┆ el.innerHTML = '<span class="threadIcon deleteIcon" data-cmd="open-delete-prompt" data-
id="'
1643┆ + id + '"></span><span class="threadIcon multiIcon" data-cmd="multi" data-id="'
1644┆ + id + '"></span><span class="threadIcon banIcon" data-cmd="ban" data-id="'
1645┆ + id + '"></span>';
⋮┆----------------------------------------
1685┆ el.innerHTML = message || 'Change your settings';
⋮┆----------------------------------------
1810┆ el.innerHTML = '[<a href="javascript:;" data-id="' + Main.tid + '" data-cmd="thread-
options">Thread Options</a>]';
js/mod.js
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
1┆ !function(){var e={isCatalog:!1,colours:{},posterids:{},nextChunkIndex:0,nextChunk:null,chu
nkSize:100,sameIDActive:!1,parserEventBound:!1,autoReloadCatInterval:null,autoReloadCatDela
y:3e4,samePostersMap:{},xhrs:{},reportsSubDomain:"reports",teamSubDomain:"team",flags:[]};e
.bin2hex=function(e){var t,n,a,o;for(a="",n=e.length,t=0;t<n;++t)a+=((o=e.charCodeAt(t))>>4
).toString(16),a+=(15&o).toString(16);return a},e.getFileMD5FromPid=function(t){var
n,a;return!!(n=$.id("f"+t))&&(!!(n=$.qs("img[data-
md5]",n))&&(a=window.atob(n.getAttribute("data-
md5")),e.bin2hex(a)))},e.onGetMD5Click=function(t){var n,a=t.getAttribute("data-
id");!1===(n=e.getFileMD5FromPid(a))?alert("Post or file not
found"):prompt("",n)},e.apiUrlFilter=function(e){return
e+"?"+Math.round(Date.now()/1e3/3)},e.openDeletePrompt=function(t){var n,a;n='<div
class="extPanel reply"><div class="panelHeader">Delete Post No.'+(t=t.getAttribute("data-
id"))+'<span class="panelCtrl"><img alt="Close" title="Close" class="pointer" data-
cmd="close-delete-prompt" src="'+Main.icons.cross+'"></a></span></div><span id="delete-
prompt-inner"><input type="button" value="Delete Post" tabindex="-1" data-cmd="delete-post"
data-id="'+t+'"> <input type="button" value="Delete Image Only" data-cmd="delete-image"
data-id="'+t+'">',$.id((e.isCatalog?"thread-":"t")+t)&&!window.thread_archived&&(n+='
<input type="button" value="Archive Thread" data-cmd="force-archive" data-
id="'+t+'">'),window.thread_archived||e.isCatalog||(n+='<br>[<input type="checkbox"
id="delete-all-by-ip"><label for="delete-all-by-ip">Delete all by IP?</label>]'),n+="</span
></div>",(a=document.createElement("div")).className="UIPanel",a.id="delete-prompt",a.inner
HTML=n,document.addEventListener("keydown",e.onKeyDown,!1),a.addEventListener("click",e.clo
seDeletePrompt,!1),document.body.appendChild(a),$.id("delete-prompt-
inner").firstElementChild.focus()},e.addPosterIds=function(e,t,n){var a,o,i,r,s,d;if(a=n?$.
id("pim"+e):$.id("pi"+e),!window.user_ids||!(i=$.cls("posteruid",a)[0])){if(i=$.el("span"),
o=$.cls("nameBlock",a)[0],(r=$.cls("name",o)[0]).classList.contains("capcode"))return;o.ins
ertBefore(i,r.nextSibling),n||o.insertBefore(document.createTextNode("
"),r.nextSibling)}i.innerHTML='(ID: <span class="hand" title="Highlight posts by this
ID">'+t+"</span>)",i.className="posteruid id_"+t,s=i.firstElementChild,IDColor.apply(s),i.a
ddEventListener("click",window.idClick,!1),window.currentHighlighted&&-
1!=i.className.indexOf("id_"+window.currentHighlighted)&&((d=i.parentNode.parentNode.parent
Node).className="highlight "+d.className)},e.onSamePostersLoaded=function(){var t,n,a,o,i;i
f((200==this.status||304==this.status)&&(t=JSON.parse(this.responseText))){i=Main.hasMobile
Layout,IDColor.enabled||(o=window.user_ids,window.user_ids=!0,IDColor.init(),window.user_id
s=o),e.sameIDActive||(e.sameIDActive=!0);for(a in t)e.samePostersMap[a]||(n=t[a],e.samePost
ersMap[a]=!0,e.addPosterIds(a,n,i))}},e.loadSamePosters=function(t){var n,a;e.parserEventBo
und||document.addEventListener("4chanParsingDone",e.onParsingDone,!1),n="https://sys."+$L.d
(Main.board)+"/"+Main.board+"/admin?admin=adminext&thread="+Main.tid,t&&(n+="&from="+t),(a=
new XMLHttpRequest).open("GET",n),a.withCredentials=!0,a.onload=e.onSamePostersLoaded,a.sen
d(null)},e.closeDeletePrompt=function(t){var n;t&&"delete-
prompt"!=t.target.id||(n=$.id("delete-prompt"))&&(document.removeEventListener("keydown",e.
onKeyDown,!1),n.removeEventListener("click",e.closeDeletePrompt,!1),document.body.removeChi
ld(n))},e.checkDeletedPosts=function(){var
e,t;Main.tid&&(e="//a.4cdn.org/"+Main.board+"/res/"+Main.tid+".json",(t=new XMLHttpRequest)
.open("GET",e),t.onload=function(){200!=this.status&&304!=this.status||ThreadUpdater.markDe
letedReplies(Parser.parseThreadJSON(this.responseText))},t.send(null))},e.get_random_light_
color=function(){for(var
e="ABCDE".split(""),t="#",n=0;n<3;n++)t+=e[Math.floor(Math.random()*e.length)];return
t},e.deletePost=function(t,n){var a,o,i,r,s,d,l,p,c,m;a=t.getAttribute("data-
id"),c=!e.isCatalog&&$.id("t"+a),i=new FormData,s="https://sys."+$L.d(Main.board)+"/"+Main.
board,window.thread_archived?d="arcdel":(d="usrdel",l=!e.isCatalog&&$.id("delete-all-by-ip"
).checked),l&&(d="admin.php",i.append("admin","delall"),i.append("id",a)),s+=l?"/admin":"/p
ost",n&&("Delete Image No.",i.append("onlyimgdel","on")),i.append(a,"delete"),i.append("mod
e",d),i.append("pwd","janitorise"),(p=$.id("delete-prompt-
inner")).textContent="Deleting...",(o=new
XMLHttpRequest).open("POST",s),o.withCredentials=!0,o.onload=function(){var o;if(t.src=Main
.icons.cross,200==this.status)if(!l&&-1!=this.responseText.indexOf("Updating")||l&&-
1!=this.responseText.indexOf("deleted")){if(e.isCatalog)(r=$.id("thread-
"+a))&&$.addClass(r,"disabled");else if(n)(r=$.id("f"+a)).innerHTML='<span
class="fileThumb"><img alt="File deleted." src="//s.4cdn.org/image/filedeleted'+(c?"":"-
res")+'.gif"></span>',l&&((o=document.createElement("span")).innerHTML='<br><br><strong
style="font-color: red;">(YOU HAVE DELETED ALL IMAGES BY THIS
IP)</strong>',(r=$.id("m"+a)).appendChild(o));else{if(a==Main.tid)return void(location.href
="//boards."+$L.d(Main.board)+"/"+Main.board+"/");l?((o=document.createElement("span")).inn
erHTML='<br><br><strong style="font-color: red;">(YOU HAVE DELETED ALL POSTS BY THIS IP)</s
trong>',(r=$.id("m"+a)).appendChild(o),e.checkDeletedPosts()):c?((r=c.parentNode).removeChi
ld(c.nextSibling),r.removeChild(c)):(r=$.id("pc"+a)).parentNode.removeChild(r)}e.closeDelet
ePrompt()}else(m=this.responseText.match(/"errmsg"[^>]*>(.*?)<\/span/))?p.textContent=m[1]:
p.textContent="Error: Something went wrong.";else p.textContent="Error: Wrong status while
deleting No."+a+" (Status: "+this.status+")."},o.onerror=function(){p.textContent="Error:
Error while deleting No."+a+" (Status:
"+this.status+")."},o.send(i)},e.forceArchive=function(t){var
n,a,o,i,r,s;n=t.getAttribute("data-id"),o=new FormData,i="https://sys."+$L.d(Main.board)+"/
"+Main.board+"/post",o.append("id",n),o.append("mode","forcearchive"),(r=$.id("delete-
prompt-inner")).textContent="Archiving...",(a=new
XMLHttpRequest).open("POST",i),a.withCredentials=!0,a.onload=function(){var a;t.src&&(t.src
=Main.icons.cross),200==this.status?-
1!=this.responseText.indexOf("Updating")?(e.isCatalog&&(a=$.id("thread-
"+n))&&$.addClass(a,"disabled"),e.closeDeletePrompt()):(s=this.responseText.match(/"errmsg"
[^>]*>(.*?)<\/span/))?r.textContent=s[1]:r.textContent="Error: Something went
wrong.":r.textContent="Error: Wrong status while archiving No."+n+" (Status:
"+this.status+")."},a.onerror=function(){r.textContent="Error: Error while archiving
No."+n+" (Status: "+this.status+")."},a.send(o)},e.openBanWindow=function(e){var
t;t=e.getAttribute("data-id"),window.open("https://sys."+$L.d(Main.board)+"/"+Main.board+"/
admin?mode=admin&admin=ban&id="+t,"_blank","scrollBars=yes,resizable=no,toolbar=no,menubar=
no,location=no,directories=no,width=400,height=470")},e.openBanFrame=function(t){var
n;this.banReqCnt&&this.closeBanFrame(),n=t.getAttribute("data-id"),this.banReqCnt=document.
createElement("div"),this.banReqCnt.id="banReq",this.banReqCnt.className="extPanel
reply",this.banReqCnt.setAttribute("data-trackpos","banReq-position"),Config["banReq-
position"]?this.banReqCnt.style.cssText=Config["banReq-position"]:(this.banReqCnt.style.rig
ht="0px",this.banReqCnt.style.top="50px"),this.banReqCnt.innerHTML='<div id="banReqHeader"
class="drag postblock">Ban No.'+n+'<img alt="X" src="'+Main.icons.cross+'" id="banReqClose"
class="extButton" title="Close Window"></div><iframe src="https://sys.'+$L.d(Main.board)+"/
"+Main.board+"/admin?mode=admin&admin=ban&id="+n+'&noheader=true" width="400" height="470"
frameborder="0"></iframe>',document.body.appendChild(this.banReqCnt),window.addEventListene
r("message",e.onMessage,!1),document.addEventListener("keydown",e.onKeyDown,!1),$.id("banRe
qClose").addEventListener("click",e.closeBanFrame,!1),Draggable.set($.id("banReqHeader"))},
e.closeBanFrame=function(){window.removeEventListener("message",e.onMessage,!1),document.re
moveEventListener("keydown",e.onKeyDown,!1),Draggable.unset($.id("banReqHeader")),$.id("ban
ReqClose").removeEventListener("click",e.closeBanFrame,!1),document.body.removeChild(e.banR
eqCnt),e.banReqCnt=null},e.processMessage=function(e){return e?{cmd:(e=e.split("-
"))[0],type:e[1],id:e.slice(2).join("-
")}:{}},e.onKeyDown=function(t){27!=t.keyCode||t.ctrlKey||t.altKey||t.shiftKey||t.metaKey||
(e.banReqCnt&&e.closeBanFrame(),e.threadOptsCnt&&e.closeThreadOptionsFrame(),$.id("delete-p
rompt")&&e.closeDeletePrompt())},e.onCatalogKeyDown=function(t){82==t.keyCode&&t.shiftKey&&
e.initCatAutoReload()},e.onMessage=function(t){var n;t.origin==="https://sys."+$L.d(Main.bo
ard)&&"ban"===(n=e.processMessage(t.data)).type&&("done"!==n.cmd&&"cancel"!==n.cmd||e.close
BanFrame())},e.initCatAutoReload=function(t){var n;if(n=sessionStorage.getItem("4chan-c-ar"
))t?(window.scrollTo(0,+n),e.toggleCatAutoReload(!0)):e.toggleCatAutoReload(!1);else{if(t)r
eturn;e.toggleCatAutoReload(!0)}},e.toggleCatAutoReload=function(t){t?(sessionStorage.setIt
em("4chan-c-ar",document.documentElement.scrollTop),e.autoReloadCatInterval=setInterval(e.a
utoRefreshWindow,e.autoReloadCatDelay),$.addClass($.id("refresh-btn"),"active-
btn")):(sessionStorage.removeItem("4chan-c-
ar"),clearInterval(e.autoReloadCatInterval),$.removeClass($.id("refresh-btn"),"active-
btn"))},e.autoRefreshWindow=function(){var e=$.id("ctrl");document.documentElement.scrollTo
p<=e.offsetTop+e.offsetHeight&&(sessionStorage.setItem("4chan-c-ar",document.documentElemen
t.scrollTop),location.href=location.href)},e.openThreadOptions=function(e){var
t=e.getAttribute("data-id");window.open("https://sys."+$L.d(Main.board)+"/"+Main.board+"/ad
min?mode=admin&admin=opt&id="+t,"_blank","scrollBars=yes,resizable=no,toolbar=no,menubar=no
,location=no,directories=no,width=400,height=290")},e.openThreadOptionsFrame=function(t){va
r n;this.threadOptsCnt&&this.closeThreadOptionsFrame(),n=t.getAttribute("data-id"),this.thr
eadOptsCnt=document.createElement("div"),this.threadOptsCnt.id="threadOpts",this.threadOpts
Cnt.className="extPanel reply",this.threadOptsCnt.setAttribute("data-trackpos","threadOpts-
position"),Config["threadOpts-
position"]?this.threadOptsCnt.style.cssText=Config["threadOpts-position"]:(this.threadOptsC
nt.style.right="0px",this.threadOptsCnt.style.top="50px"),this.threadOptsCnt.innerHTML='<di
v id="threadOptsHeader" class="drag postblock">Thread Options No.'+n+'<img alt="X"
src="'+Main.icons.cross+'" id="threadOptsClose" class="extButton" title="Close
Window"></div><iframe src="https://sys.'+$L.d(Main.board)+"/"+Main.board+"/admin?mode=admin
&admin=opt&id="+n+'&noheader=true" width="400" height="175" frameborder="0"></iframe>',docu
ment.body.appendChild(this.threadOptsCnt),window.addEventListener("message",e.onThreadOptsD
one,!1),document.addEventListener("keydown",e.onKeyDown,!1),$.id("threadOptsClose").addEven
tListener("click",e.closeThreadOptionsFrame,!1),Draggable.set($.id("threadOptsHeader"))},e.
closeThreadOptionsFrame=function(){window.removeEventListener("message",e.onThreadOptsDone,
!1),document.removeEventListener("keydown",e.onKeyDown,!1),Draggable.unset($.id("threadOpts
Header")),$.id("threadOptsClose").removeEventListener("click",e.closeThreadOptionsFrame,!1)
,document.body.removeChild(e.threadOptsCnt),e.threadOptsCnt=null},e.onThreadOptsDone=functi
on(t){e.threadOptsCnt&&t.origin==="https://sys."+$L.d(Main.board)&&"done-
threadopt"===t.data&&e.closeThreadOptionsFrame()},e.setFileSpoiler=function(t){var
n,a,o,i;a=t.getAttribute("data-id"),o=t.getAttribute("data-flag"),a&&(i=$.id("f"+a),o||(o=$
.cls("imgspoiler",i.parentNode)[0]?0:1),i&&!i.hasAttribute("data-processing")&&((n=new XMLH
ttpRequest).open("GET","https://sys."+$L.d(Main.board)+"/"+Main.board+"/admin.php?admin=spo
iler&pid="+a+"&flag="+o,!0),n.withCredentials=!0,n.onload=e.onFileSpoilerLoad,n.onerror=e.o
nFileSpoilerError,n._pid=+a,n._flag=+o,Feedback.notify("Processing...",null),i.setAttribute
("data-processing","1"),n.send(null)))},e.onFileSpoilerLoad=function(){var e,t;Feedback.hid
eMessage(),"1"===this.responseText?(e=$.id("f"+this._pid))&&(e.removeAttribute("data-proces
sing"),(e=$.cls("fileThumb",e)[0])&&(this._flag?($.addClass(e,"imgspoiler"),(t=e.previousEl
ementSibling).setAttribute("title",t.firstElementChild.textContent),Config.revealSpoilers||
((e=$.tag("img",e)[0]).style.width=e.style.height="100px",e.src="//s.4cdn.org/image/spoiler
-"+Main.board+".png")):(Config.revealSpoilers||Parser.revealImageSpoiler(e),$.removeClass(e
,"imgspoiler")))):"-1"===this.responseText?Feedback.error("You are not logged
in"):Feedback.error("Couldn't set spoiler flag for post
No."+this._pid)},e.onFileSpoilerError=function(){var
e;(e=$.id("f"+this._pid))&&(e.removeAttribute("data-processing"),Feedback.error("Couldn't
update the spoiler flag for post No."+this.pid))};var t={};t.exec=function(t){var n,a;UA.is
Opera&&"string"==typeof(a=document.getSelection())||(a=window.getSelection().toString()),a?
window.open("https://"+e.teamSubDomain+'.4chan.org/search#{"comment":"'+a.replace(/[\r\n]+/
g," ")+'"}'):(n=t.getAttribute("data-id"),window.open("https://team.4chan.org/search?action
=from_pid&board="+Main.board+"&pid="+n))},t.prompt=function(t,n){var a,o,i;a=$.id("pi"+n),o
=$.cls("postMenuBtn",a)[0],(i=document.createElement("a")).href="https://"+e.teamSubDomain+
'.4chan.org/search#{"ip":"'+t+'"}',i.setAttribute("target","_blank"),i.className="post-
ip",i.textContent=t,a.insertBefore(i,o)};var n={cacheTTL:6e4,autoRefreshDelay:12e4,autoRefr
eshTimeout:null};n.initVisibilityAPI=function(){this.hidden="hidden",this.visibilitychange=
"visibilitychange","undefined"==typeof document.hidden&&("mozHidden"in document?(this.hidde
n="mozHidden",this.visibilitychange="mozvisibilitychange"):"webkitHidden"in document?(this.
hidden="webkitHidden",this.visibilitychange="webkitvisibilitychange"):"msHidden"in document
&&(this.hidden="msHidden",this.visibilitychange="msvisibilitychange")),document.addEventLis
tener(this.visibilitychange,this.onVisibilityChange,!1)},e.initIconsCatalog=function(){var
e,t,n;if(Main.icons={up:"arrow_up.png",down:"arrow_down.png",right:"arrow_right.png",downlo
ad:"arrow_down2.png",refresh:"refresh.png",cross:"cross.png",gis:"gis.png",iqdb:"iqdb.png",
minus:"post_expand_minus.png",plus:"post_expand_plus.png",rotate:"post_expand_rotate.gif",q
uote:"quote.png",report:"report.png",notwatched:"watch_thread_off.png",watched:"watch_threa
d_on.png",help:"question.png"},t={yotsuba_new:"futaba/",futaba_new:"futaba/",yotsuba_b_new:
"burichan/",burichan_new:"burichan/",tomorrow:"tomorrow/",photon:"photon/"},n="//s.4cdn.org
/image/",window.devicePixelRatio>=2)for(e in Main.icons)Main.icons[e]=Main.icons[e].replace
(".","@2x.");n+="buttons/"+t[Main.stylesheet];for(e in
Main.icons)Main.icons[e]=n+Main.icons[e]},n.init=function(){var
t,a;n.initVisibilityAPI(),(t=document.createElement("div")).className="extPanel
reply",t.id="adminToolbox",t.setAttribute("data-trackpos","AT-position"),Config["AT-
position"]?t.style.cssText=Config["AT-position"]:(t.style.right="10px",t.style.top="380px")
,t.style.position=Config.fixedAdminToolbox?"fixed":"",a='<div class="drag"
id="atHeader">Moderator Tools<img alt="Refresh" title="Refresh"
src="'+Main.icons.refresh+'" id="atRefresh" data-cmd="at-refresh" class="pointer
right"></div><h4><a href="https://'+e.reportsSubDomain+'.4chan.org/"
target="_blank">Reports</a>: <span title="Total" id="at-total">?</span> (<span
title="Illegal" id="at-illegal">?</span>)</h4><h4><a
href="https://'+e.reportsSubDomain+'.4chan.org/?action=ban_requests" target="_blank">Ban
Requests</a>: <span id="at-banreqs">?</span> (<span title="Illegal" id="at-illegal-
br">?</span>)</h4><h4><a href="https://'+e.teamSubDomain+'.4chan.org/appeals"
target="_blank">Appeals</a>: <span id="at-appeals">?</span> (<span title="4chan Pass Users"
id="at-prio-appeals">?</span>)</h4><h4 id="at-msg-cnt"><a data-cmd="at-msg"
href="https://'+e.reportsSubDomain+'.4chan.org/?action=staffmessages"
target="_blank">Messages</a>: <span id="at-msg">?</span></h4>',Main.tid&&(a+='<hr><h4><a
href="javascript:void(0);" data-cmd="poster-id">Same Poster ID</a></h4>'),t.innerHTML=a,doc
ument.body.appendChild(t),n.refreshReportCount(),Draggable.set($.id("atHeader"))},n.onVisib
ilityChange=function(){var e;e=n,document[n.hidden]?(clearInterval(e.autoRefreshTimeout),e.
autoRefreshTimeout=null):(e.refreshReportCount(),e.autoRefreshTimeout=setInterval(e.refresh
ReportCount,e.autoRefreshDelay))},n.refreshReportCount=function(t){var
a,o,i;if(!0!==t&&(o=localStorage.getItem("4chan-cache-
rc"))&&(o=JSON.parse(o)).ts>Date.now()-n.cacheTTL)return $.id("at-
total").textContent=o.data[0],$.id("at-illegal").textContent=o.data[1],$.id("at-
banreqs").textContent=o.data[2],$.id("at-appeals").textContent=o.data[3],$.id("at-illegal-
br").textContent=o.data[4]||0,$.id("at-prio-appeals").textContent=o.data[5]||0,$.id("at-
msg-cnt").style.display=o.data[6]?"block":"",void($.id("at-
msg").textContent=o.data[6]||0);(a=new XMLHttpRequest).open("GET","https://"+e.reportsSubDo
main+".4chan.org/H429f6uIsUqU.php",!0),a.withCredentials=!0,a.onload=function(){var
e,t,n;if(200==this.status){try{t=JSON.parse(this.responseText)}catch(a){return void
console.log(a)}if("success"!==t.status)return void
console.log(t.message);n=t.data,i=n.msg||0,$.id("at-msg-
cnt").style.display=i?"block":"",$.id("at-msg").textContent=i,$.id("at-
total").textContent=n.total,$.id("at-illegal").textContent=n.illegal,$.id("at-
banreqs").textContent=n.banreqs,$.id("at-illegal-
br").textContent=n.illegal_banreqs,$.id("at-appeals").textContent=n.appeals,$.id("at-prio-a
ppeals").textContent=n.prio_appeals,e={ts:Date.now(),data:[n.total,n.illegal,n.banreqs,n.ap
peals,n.illegal_banreqs,n.prio_appeals,n.msg]},e=JSON.stringify(e),localStorage.setItem("4c
han-cache-rc",e),document.dispatchEvent(new CustomEvent("4chanATUpdated"))}else
this.onerror()},a.onerror=function(){console.log("Error while refreshing the report count
(Status: "+this.status+").")},a.onloadend=function(){$.id("atRefresh").src=Main.icons.refre
sh},$.id("atRefresh").src=Main.icons.rotate,a.send(null)},n.resetMsgCount=function(){var
e;$.id("at-msg").textContent=0,(e=localStorage.getItem("4chan-cache-
rc"))&&((e=JSON.parse(e)).data[6]=0,e=JSON.stringify(e),localStorage.setItem("4chan-cache-
rc",e))},e.onClick=function(a){var o,i;if((o=a.target)!=document&&(i=o.getAttribute("data-
cmd")))switch(i){case"at-refresh":n.refreshReportCount(!0);break;case"delete-
post":case"delete-image":e.deletePost(o,"delete-image"===i);break;case"force-
archive":e.forceArchive(o);break;case"open-delete-
prompt":e.openDeletePrompt(o);break;case"close-delete-
prompt":e.closeDeletePrompt();break;case"at-msg":n.resetMsgCount();break;case"toggle-file-
spoiler":e.setFileSpoiler(o);break;case"prompt-spoiler":confirm("Toggle
spoiler?")&&e.setFileSpoiler(o);break;case"thread-options":Config.inlinePopups?e.openThread
OptionsFrame(o):e.openThreadOptions(o);break;case"multi":a.preventDefault(),t.exec(o);break
;case"get-md5":e.onGetMD5Click(o);break;case"html-
toggle":e.onHTMLToggle(o);break;case"preview-
html":a.preventDefault(),e.onPreviewHTMLClick(o);break;case"close-html-
preview":e.closeHTMLPreview();break;case"poster-id":e.loadSamePosters();break;case"ban":Con
fig.inlinePopups?e.openBanFrame(o):e.openBanWindow(o)}},e.onScroll=function(){for(var t;e.n
extChunk.offsetTop<document.documentElement.clientHeight+window.scrollY;){if((t=e.nextChunk
Index+e.chunkSize)>=e.postCount)return e.parseRange(e.nextChunkIndex,e.postCount),window.re
moveEventListener("scroll",e.onScroll,!1),!1;e.parseRange(e.nextChunkIndex,t)}return!0},e.p
arseRange=function(t,n){var a,o,i;for(i=document.getElementById("t"+Main.tid).getElementsBy
ClassName("postInfo"),a=t;a<n&&(o=i[a]);++a)e.parsePost(o);e.nextChunkIndex=a,e.nextChunk=i
[a]},e.onParsingDone=function(t){var n,a,o,i,r;if(t?(a=t.detail.threadId,o=t.detail.offset,
i=t.detail.limit,r=document.getElementById("t"+a).getElementsByClassName("postInfo"),e.same
IDActive&&e.loadSamePosters(r[o].id.slice(2))):(o=0,i=(r=document.getElementsByClassName("p
ostInfo")).length),Config.useIconButtons)for(n=o;n<i;++n)e.parsePost(r[n])},e.onPostMenuRea
dy=function(e){var t,n,a,o,i;a=e.detail.postId,o=e.detail.node,window.thread_archived&&$.id
("f"+a)&&((t=document.createElement("li")).className="dd-
admin",(n=document.createElement("a")).href="#",n.setAttribute("data-cmd","get-
md5"),n.setAttribute("data-id",a),n.textContent="File MD5",t.appendChild(n),o.appendChild(t
)),window.spoilers&&(n=$.id("fT"+a))&&(i=$.cls("imgspoiler",n.parentNode)[0]?0:1,(t=documen
t.createElement("li")).className="dd-
admin",(n=document.createElement("a")).setAttribute("data-cmd","toggle-file-
spoiler"),n.setAttribute("data-id",a),n.setAttribute("data-
flag",i),n.textContent=(i?"Set":"Unset")+" Spoiler",t.appendChild(n),o.appendChild(t)),Conf
ig.useIconButtons&&!Main.hasMobileLayout||((t=document.createElement("li")).className="dd-
admin",(n=document.createElement("a")).setAttribute("data-cmd","open-delete-
prompt"),n.setAttribute("data-id",a),n.textContent="Delete",t.appendChild(n),o.appendChild(
t),window.thread_archived||((t=document.createElement("li")).className="dd-
admin",(n=document.createElement("a")).setAttribute("data-cmd","ban"),n.setAttribute("data-
id",a),n.textContent="Ban",t.appendChild(n),o.appendChild(t),(t=document.createElement("li"
)).className="dd-admin",(n=document.createElement("a")).setAttribute("data-
cmd","multi"),n.setAttribute("data-id",a),n.textContent="Search",t.appendChild(n),o.appendC
hild(t),e.detail.isOP&&((t=document.createElement("li")).className="dd-
admin",(n=document.createElement("a")).setAttribute("data-cmd","thread-
options"),n.setAttribute("data-id",a),n.textContent="Thread
options",t.appendChild(n),o.appendChild(t))))},e.parsePost=function(t){var n,a,o,i;a='<img
class="extButton" alt="X" data-cmd="open-delete-prompt" data-id="'+(n=t.id.slice(2))+'"
src="'+Main.icons.cross+'" title="Delete">',window.spoilers&&(el=$.id("fT"+n))&&(a+='<img
class="extButton" alt="S" data-cmd="prompt-spoiler" data-id="'+n+'"
src="'+e.icons.spoiler+'" title="Toggle Spoiler">'),window.thread_archived||(a+='<img
class="extButton" alt="M" data-cmd="multi" data-id="'+n+'" src="'+e.icons.multi+'"
title="Display posts by this IP"><img class="extButton" alt="B" data-cmd="ban" data-
id="'+n+'" src="'+e.icons.ban+'" title="Ban">',$.id("t"+n)&&(a+='<img class="extButton"
alt="&gt;" data-cmd="thread-options" data-id="'+n+'" src="'+e.icons.arrow_right+'"
title="Thread Options">')),(o=document.createElement("div")).className="extControls",o.inne
rHTML=a,i=t.getElementsByClassName("postMenuBtn")[0],t.insertBefore(o,i)},e.displayJCount=f
unction(e,t,n,a){var
o;$.addClass(e,"j-newposts"),$.addClass(t,"j-newposts"),e.setAttribute("data-
no",n),t.setAttribute("data-no",n),e.textContent=t.textContent="j +"+a,o=a+" new
post"+(a>1?"s":""),Main.addTooltip(e,o,"j-tooltip"),Main.addTooltip(t,o,"j-tooltip-
bot")},e.refreshJCount=function(){var t,n,a,o;n=$.id("j-link"),a=$.id("j-link-
bot"),n&&a&&(n=n.firstElementChild,a=a.firstElementChild,(t=localStorage.getItem("4chan-j-
count"))&&(t=JSON.parse(t)),!t||Date.now()-t.time>=1e4?((o=new XMLHttpRequest).open("GET","
https://sys.4chan.org/j/1mcQTXbjW5WO.php?&"+Date.now()),o.withCredentials=!0,o.onloadend=fu
nction(){var o,i,r;200==this.status||304==this.status?(o=JSON.parse(this.responseText),t&&"
j"!=Main.board?o.no>t.no&&(r=o.no-
t.no,e.displayJCount(n,a,o.no,r),i={time:Date.now(),no:t.no,delta:r}):i={time:Date.now(),no
:o.no},i&&localStorage.setItem("4chan-j-count",JSON.stringify(i))):console.log("Error:
Could not load /j/ post count (Status: "+this.status+").")},o.send(null)):t.delta&&e.displa
yJCount(n,a,t.no,t.delta))},e.clearJCount=function(){var
e,t,n,a;n=$.id("j-tooltip"),a=$.id("j-tooltip-bot"),n&&(t=this.getAttribute("data-
no"),e={time:Date.now(),no:t},localStorage.setItem("4chan-j-count",JSON.stringify(e)),n.par
entNode.removeChild(n),a.parentNode.removeChild(a),setTimeout(function(){var e=$.cls("j-
newposts");e[0]&&(e[0].textContent="j",$.removeClass(e[0],"j-
newposts"),e[0].textContent="j",$.removeClass(e[0],"j-
newposts"))},10))},e.hasFlag=function(e){return-
1!=this.flags.indexOf(e)},e.icons={multi:"multi.png",ban:"ban.png",arrow_right:"arrow_right
.png",spoiler:"s.png"},e.initIcons=function(){var t,n;if(n="//s.4cdn.org/image/buttons/"+{y
otsuba_new:"futaba/",futaba_new:"futaba/",yotsuba_b_new:"burichan/",burichan_new:"burichan/
",tomorrow:"tomorrow/",photon:"photon/"}[Main.stylesheet],window.devicePixelRatio>=2)for(t
in e.icons)e.icons[t]=e.icons[t].replace(".","@2x.");for(t in
e.icons)e.icons[t]=n+e.icons[t]},e.initNavLinks=function(){var t,n,a,o,i,r;i=$.id("navtopri
ght"),r=$.id("navbotright"),(t=document.createElement("span")).id="j-link",t.innerHTML='[<a
href="https://sys.4chan.org/j/" title="Janitor &amp; Moderator Discussion">j</a>]',t.firstE
lementChild.addEventListener("mouseup",e.clearJCount,!1),i.parentNode.insertBefore(t,i),(t=
t.cloneNode(!0)).id="j-link-bot",t.firstElementChild.addEventListener("mouseup",e.clearJCou
nt,!1),r.parentNode.insertBefore(t,r),e.refreshJCount(),n=i.lastElementChild.previousSiblin
g,(a=document.createDocumentFragment()).appendChild(document.createTextNode("] [")),(t=docu
ment.createElement("a")).textContent="Team",t.href="https://"+e.teamSubDomain+".4chan.org/"
,t.setAttribute("target","_blank"),a.appendChild(t),a.appendChild(document.createTextNode("
] [")),o=a.cloneNode(!0),i.replaceChild(a,n),n=r.lastElementChild.previousSibling,r.replace
Child(o,n),Main.tid&&Main.hasMobileLayout&&((t=document.createElement("span")).className="m
obileib button redButton",t.innerHTML='<label data-cmd="poster-id">Same Poster
ID</label>',(i=$.cls("navLinks")[0])&&i.appendChild(t))},e.initPostForm=function(){var t,n,
a,o,i;!(t=$.id("postForm"))&&Main.tid&&(o=$.cls("closed")[0])&&((n=document.createElement("
form")).name="post",n.method="POST",n.enctype="multipart/form-data",n.action="https://sys."
+$L.d(Main.board)+"/"+Main.board+"/post",n.innerHTML=e.postFormHTML+'<input type="hidden"
name="mode" value="regist"><input type="hidden" name="resto" value="'+Main.tid+'">',o.paren
tNode.insertBefore(n,o),t=n.firstElementChild,QR.enabled=!0),t&&("hidden"==(n=document.form
s.post.name).type&&e.hasFlag("forcedanonname")&&((a=document.createElement("tr")).setAttrib
ute("data-type","Name"),a.innerHTML='<td>Name</td><td><input name="name" type="text"></td>'
,(i=Main.getCookie("4chan_name"))&&(a.lastChild.firstChild.value=i),(o=$.id("postForm").fir
stElementChild).insertBefore(a,o.firstElementChild),n.parentNode.removeChild(n)),e.hasFlag(
"html")&&((n=document.createElement("tr")).innerHTML='<tr><td style="height:
20px;">Extra</td><td>[<label><input type="checkbox" data-cmd="html-toggle" name="html"
value="1">HTML</label>] <span class="html-otp">[<label data-tip="2FA One-Time
Password">OTP</label> <input type="text" autocomplete="off" name="otp" maxlength="6">] <a
href="#" class="preview-html-btn" data-cmd="preview-html">Preview</a></span></td></tr>',(t=
t.firstElementChild).insertBefore(n,t.lastElementChild)))},e.onHTMLToggle=function(e){var
t=$.cls("html-otp",e.parentNode.parentNode)[0];t&&(t.style.display=e.checked?"inline":"")},
e.onPreviewHTMLClick=function(t){var n,a,o;e.xhrs.html||""!==(a=document.forms.qrPost?docum
ent.forms.qrPost:document.forms.post).com.value&&((n=new
FormData).append("com",a.com.value),(o=new XMLHttpRequest).open("post",a.action+"?mode=prev
iew_html",!0),o.withCredentials=!0,o.onload=e.onHTMLPReviewLoaded,o.onerror=e.onHTMLPReview
Error,e.xhrs.html=o,$.addClass(t,"disabled"),o.send(n),Feedback.notify("Processing...",null
))},e.resetHTMLPreviewBtn=function(){var e=$.cls("preview-html-btn");$.removeClass(e[0],"di
sabled"),e[1]&&$.removeClass(e[1],"disabled")},e.onHTMLPReviewLoaded=function(){var t;e.xhr
s.html=null,Feedback.hideMessage(),e.resetHTMLPreviewBtn();try{"error"==(t=JSON.parse(this.
responseText)).status&&Feedback.error(t.message)}catch(n){Feedback.error("Something went wr
ong.")}e.buildHTMLPreview(t.data)},e.onHTMLPReviewError=function(){e.xhrs.html=null,Feedbac
k.hideMessage(),e.resetHTMLPreviewBtn(),console.log(this)},e.closeHTMLPreview=function(){va
r t;(t=$.id("html-preview-cnt"))&&t.parentNode.removeChild(t),e.resetHTMLPreviewBtn()},e.bu
ildHTMLPreview=function(t){var
n;e.closeHTMLPreview(),(n=document.createElement("div")).id="html-preview-
cnt",n.setAttribute("data-cmd","close-html-preview"),n.innerHTML='<div class="extPanel
reply"><div class="panelHeader">Preview HTML Post<span class="panelCtrl"><img alt="Close"
title="Close" class="pointer" data-cmd="close-html-preview" src="'+Main.icons.cross+'"></sp
an></div>'+t+"</div>",document.body.appendChild(n)},e.onThreadMouseOver=function(t){var n=t
.target;$.hasClass(n,"thumb")&&(e.hasCatalogControls&&e.hideCatalogControls(),$.hasClass(n.
parentNode.parentNode,"disabled")||e.showCatalogControls(n))},e.showCatalogControls=functio
n(t){var n,a,o;a=t.getAttribute("data-id"),(n=document.createElement("div")).id="cat-
ctrl",n.className=e.stylesheet,n.innerHTML='<span class="threadIcon deleteIcon" data-
cmd="open-delete-prompt" data-id="'+a+'"></span><span class="threadIcon multiIcon" data-
cmd="multi" data-id="'+a+'"></span><span class="threadIcon banIcon" data-cmd="ban" data-id=
"'+a+'"></span>',(o=$.cls("threadIcons",t.parentNode.parentNode)[0])?o.insertBefore(n,o.fir
stElementChild):((o=document.createElement("div")).className="threadIcons",o.appendChild(n)
,t.parentNode.parentNode.insertBefore(o,t.parentNode.nextElementSibling)),e.hasCatalogContr
ols=!0},e.hideCatalogControls=function(){var t=$.id("cat-ctrl");t&&t.parentNode.removeChild
(t),e.hasCatalogControls=!1},e.initCatalog=function(){window.Main={board:location.pathname.
split(/\//)[1]},Main.addTooltip=function(e,t,n){var
a,o;return(a=document.createElement("div")).className="click-
me",n&&(a.id=n),a.innerHTML=t||"Change your settings",e.parentNode.appendChild(a),o=(e.offs
etWidth-a.offsetWidth+e.offsetLeft-
a.offsetLeft)/2,a.style.marginLeft=o+"px",a},(e.stylesheet=e.getCookie(window.style_group)
)?e.stylesheet=e.stylesheet.toLowerCase().replace(/ /g,"_"):e.stylesheet="nws_style"==style
_group?"yotsuba_new":"yotsuba_b_new",Main.stylesheet=e.stylesheet,e.initIconsCatalog(),e.ad
dCss(),document.addEventListener("click",e.onClick,!1),e.runCatalog()},e.runCatalog=functio
n(){var t;e.initNavLinks(),FC.hasMobileLayout||n.init(),t=$.id("threads"),e.initCatAutoRelo
ad(!0),document.addEventListener("keydown",e.onCatalogKeyDown,!1),$.on(t,"mouseover",e.onTh
readMouseOver),window.text_only&&document.addEventListener("4chanPostMenuReady",e.onPostMen
uReady,!1)},e.init=function(){var t;SettingsMenu.options.Moderator={useIconButtons:["Use
icon buttons","Display old-style buttons instead of using drop-
down"],changeUpdateDelay:["Reduce auto-update delay","Reduce the thread updater
delay",!0],fixedAdminToolbox:["Pin Moderator Tools to the page","Moderator Tools will
scroll with you"],inlinePopups:["Inline admin panels","Open admin panels in browser window,
instead of a popup"],disableMngExt:["Disable moderator extension","Completely disable the
moderator extension (overrides any checked boxes)",!0]},Config.disableMngExt||((t=Main.getC
ookie("4chan_aflags"))&&(e.flags=t.split(",")),e.addCss(),Config.useIconButtons&&e.initIcon
s(),QR.noCooldown=QR.noCaptcha=!0,document.addEventListener("click",e.onClick,!1),document.
addEventListener("DOMContentLoaded",e.run,!1))},e.run=function(){var t,a,o;document.removeE
ventListener("DOMContentLoaded",e.run,!1),e.initNavLinks(),e.initPostForm(),Main.hasMobileL
ayout||n.init(),Config.revealSpoilers&&$.addClass(document.body,"reveal-img-spoilers"),Conf
ig.threadUpdater&&Main.tid&&Config.changeUpdateDelay&&(ThreadUpdater.delayIdHidden=3,Thread
Updater.delayRange=[5,10,15,20,30,60],ThreadUpdater.apiUrlFilter=e.apiUrlFilter),Config.use
IconButtons&&!Main.hasMobileLayout&&(Main.tid?(t=document.getElementById("t"+Main.tid).getE
lementsByClassName("postInfo"),e.postCount=t.length,e.postCount>e.chunkSize?(e.nextChunk=t[
0],window.addEventListener("scroll",e.onScroll,!1),e.onScroll()):e.onParsingDone(),o=$.cls(
"navLinksBot")[0],(a=document.createElement("span")).id="threadOptsButtom",a.innerHTML='[<a
href="javascript:;" data-id="'+Main.tid+'" data-cmd="thread-options">Thread Options</a>]',o
.appendChild(a)):e.onParsingDone(),document.addEventListener("4chanParsingDone",e.onParsing
Done,!1),e.parserEventBound=!0),document.addEventListener("4chanPostMenuReady",e.onPostMenu
Ready,!1),(o=$.id("boardSelectMobile"))&&((a=document.createElement("option")).value="j",a.
textContent="/j/ - Janitors &
Moderators",o.insertBefore(a,o.firstElementChild))},e.getCookie=function(e){var
t,n,a,o;for(o=e+"=",a=document.cookie.split(";"),t=0;n=a[t];++t){for(;"
"==n.charAt(0);)n=n.substring(1,n.length)
js/tcaptcha.js
❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
that can lead to XSS vulnerabilities
Details: https://sg.run/LwA9
552┆ TCaptcha.msgNode.innerHTML = `<div>${txt}</div>`;
json-test.php
❯❯❱ php.lang.security.md5-loose-equality.md5-loose-equality
Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling
issues
Details: https://sg.run/Do4G
380┆ if( $var['filedeleted'] == 1 || !$var['ext'] ) {
⋮┆----------------------------------------
500┆ if ($var['capcode'] == 'none') {
⋮┆----------------------------------------
521┆ if( ( $FORCED_ANON || $META_BOARD ) && ( $var['capcode'] != 'admin' && $var['capcode'] !=
'admin_hl' ) ) {
⋮┆----------------------------------------
521┆ if( ( $FORCED_ANON || $META_BOARD ) && ( $var['capcode'] != 'admin' && $var['capcode'] !=
'admin_hl' ) ) {
⋮┆----------------------------------------
526┆ if( $var['capcode'] == 'none' ) unset( $var['capcode'] );
⋮┆----------------------------------------
530┆ if( $var['com'] == '' ) unset( $var['com'] );
⋮┆----------------------------------------
532┆ if( $var['sub'] == '' ) unset( $var['sub'] );
json.php
❯❯❱ php.lang.security.md5-loose-equality.md5-loose-equality
Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling
issues
Details: https://sg.run/Do4G
380┆ if( $var['filedeleted'] == 1 || !$var['ext'] ) {
⋮┆----------------------------------------
494┆ if ($var['capcode'] == 'none') {
⋮┆----------------------------------------
515┆ if( ( $FORCED_ANON || $META_BOARD ) && ( $var['capcode'] != 'admin' && $var['capcode'] !=
'admin_hl' ) ) {
⋮┆----------------------------------------
515┆ if( ( $FORCED_ANON || $META_BOARD ) && ( $var['capcode'] != 'admin' && $var['capcode'] !=
'admin_hl' ) ) {
⋮┆----------------------------------------
520┆ if( $var['capcode'] == 'none' ) unset( $var['capcode'] );
⋮┆----------------------------------------
524┆ if( $var['com'] == '' ) unset( $var['com'] );
⋮┆----------------------------------------
526┆ if( $var['sub'] == '' ) unset( $var['sub'] );
lib/GoogleAuthenticator.php
❯❯❱ php.lang.security.md5-loose-equality.md5-loose-equality
Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling
issues
Details: https://sg.run/Do4G
146┆ $binaryString .= ( ($y = chr(base_convert($eightBits[$z], 2, 10))) || ord($y) == 48 ) ?
$y:"";
lib/admin-test.php
❯❯❱ php.lang.security.exec-use.exec-use
Executing non-constant commands. This can lead to command injection.
Details: https://sg.run/5Q1j
219┆ exec( $cmd );
⋮┆----------------------------------------
228┆ exec( $cmd );
lib/admin.php
❯❯❱ php.lang.security.exec-use.exec-use
Executing non-constant commands. This can lead to command injection.
Details: https://sg.run/5Q1j
210┆ exec( $cmd );
⋮┆----------------------------------------
219┆ exec( $cmd );
lib/auth-test.php
❯❯❱ php.lang.security.mcrypt-use.mcrypt-use
Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using
Sodium or OpenSSL.
Details: https://sg.run/BkZR
56┆ $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
⋮┆----------------------------------------
57┆ $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
⋮┆----------------------------------------
59┆ $encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_CBC, $iv);
⋮┆----------------------------------------
75┆ $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
⋮┆----------------------------------------
80┆ $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_CBC, $iv_dec);
lib/auth.php
❯❯❱ php.lang.security.mcrypt-use.mcrypt-use
Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using
Sodium or OpenSSL.
Details: https://sg.run/BkZR
56┆ $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
⋮┆----------------------------------------
57┆ $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
⋮┆----------------------------------------
59┆ $encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_CBC, $iv);
⋮┆----------------------------------------
75┆ $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
⋮┆----------------------------------------
80┆ $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_CBC, $iv_dec);
lib/htmlpurifier/HTMLPurifier.standalone.php
❯❱ php.lang.security.unserialize-use.unserialize-use
Calling `unserialize()` with user input in the pattern can lead to arbitrary code execution.
Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).
Details: https://sg.run/b24E
2699┆ $r = unserialize($contents);
⋮┆----------------------------------------
4380┆ $this->table = unserialize(file_get_contents($file));
⋮┆----------------------------------------
15136┆ return unserialize(file_get_contents($file));
❯❱ php.lang.security.unlink-use.unlink-use
Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor
could use this to modify or access files they have no right to.
Details: https://sg.run/rYeR
15149┆ return unlink($file);
⋮┆----------------------------------------
15170┆ unlink($dir . '/' . $filename);
⋮┆----------------------------------------
15194┆ unlink($dir . '/' . $filename);
⋮┆----------------------------------------
21393┆ unlink($file);
⋮┆----------------------------------------
21398┆ unlink($file);
❯❯❱ php.lang.security.eval-use.eval-use
Evaluating non-constant commands. This can lead to command injection.
Details: https://sg.run/J9AP
21864┆ $result = eval("\$var = $expr;");
lib/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/InterchangeBuilder.php
❯❯❱ php.lang.security.eval-use.eval-use
Evaluating non-constant commands. This can lead to command injection.
Details: https://sg.run/J9AP
182┆ return eval('return array(' . $contents . ');');
lib/postfilter-test.php
❯❯❱ generic.secrets.security.detected-generic-secret.detected-generic-secret
Generic Secret detected
Details: https://sg.run/l2o5
1324┆ $hmac_secret = 'd8d9616bce7b0a8fc83b422a7001b0492e17b4c16debeb43b77cf0060d9bdae3';
lib/postfilter.php
❯❯❱ generic.secrets.security.detected-generic-secret.detected-generic-secret
Generic Secret detected
Details: https://sg.run/l2o5
1274┆ $hmac_secret = 'd8d9616bce7b0a8fc83b422a7001b0492e17b4c16debeb43b77cf0060d9bdae3';
lib/userpwd-test.php
❯❯❱ generic.secrets.security.detected-generic-secret.detected-generic-secret
Generic Secret detected
Details: https://sg.run/l2o5
5┆ const HMAC_SECRET = '1e1e4476a89b28307dd39a56df4223bad7fea2045283a65ac3092a7adbf7f546';
lib/userpwd.php
❯❯❱ generic.secrets.security.detected-generic-secret.detected-generic-secret
Generic Secret detected
Details: https://sg.run/l2o5
5┆ const HMAC_SECRET = '1e1e4476a89b28307dd39a56df4223bad7fea2045283a65ac3092a7adbf7f546';
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment