This is an OPML version of the HN Popularity Contest results for 2025, for importing into RSS feed readers.
Plug: if you want to find content related to your interests from thousands of obscure blogs and noisy sources like HN Newest, check out Scour. It's a free, personalized content feed I work on where you define your interests in your own words and it ranks content based on how closely related it is to those topics.
| POST / HTTP/1.1 | |
| Host: localhost | |
| User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 | |
| Next-Action: x | |
| Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad | |
| Content-Length: 459 | |
| ------WebKitFormBoundaryx8jO2oVc6SWP3Sad | |
| Content-Disposition: form-data; name="0" |
⚠️ No Longer Working (January 2026): This configuration was working when originally created, but is now broken due to Codex deprecating the Chat Completions API (wire_api = "chat") in favor of OpenAI's Responses API. Since DeepSeek only supports Chat Completions, this integration no longer works reliably. Tool calls fail with message format errors.
wire_api = "chat"wire_api = "chat", and the code path has bugs that won't be fixedMost application security practitioners are familiar with Unicode XSS, which typically arises from the Unicode character fullwidth-less-than-sign. It’s not a common vulnerability but does occasionally appear in applications that otherwise have good XSS protection. In this blog I describe another variant of Unicode XSS that I have identified, using combining characters. I’ve not observed this in the wild, so it’s primarily of theoretical concern. But the scenario is not entirely implausible and I’ve not otherwise seen this technique discussed, so I hope this is useful.
Lab: https://4t64ubva.xssy.uk/
A quick investigation of the lab shows that it is echoing the name parameter, and performing HTML escaping:
In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.
Promise[@@species]In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed with @@species accessor property allowing attackers to escape the sandbox and run arbitrary code.
Learn how to send emails through Gmail SMTP with Cloudflare Email Routing in this comprehensive guide.
To proceed with this method, ensure that you have enabled two-factor authentication for your Google account. If you haven't done so already, you can follow the link to set it up → Enable 2FA in your Google account.
There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside handleException() which can be used to escape the sandbox and run arbitrary code in host context.
The challenge was to achieve RCE with this file:
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).
I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.
this is a rough draft and may be updated with more examples
GitHub was kind enough to grant me swift access to the Copilot test phase despite me @'ing them several hundred times about ICE. I would like to examine it not in terms of productivity, but security. How risky is it to allow an AI to write some or all of your code?
Ultimately, a human being must take responsibility for every line of code that is committed. AI should not be used for "responsibility washing." However, Copilot is a tool, and workers need their tools to be reliable. A carpenter doesn't have to