RE: Test: Fetch to chess.com JSON (Broken)

Avatar of TACIXAT

Ok, so I think my comment broke this page. I questioned whether this functionality meant the site was susceptible to a certain web vulnerability. My best guess is those words are triggering a web application firewall (WAF) and preventing the content from loading. Sorry to break the post, it was quite cool!

Avatar of IThinkSpeed

yeah it did

Avatar of Martin_Stahl

I was able to remove those comments. Please don’t post potentially breaking content outside of a testing club.

Avatar of 2k11dentusapa
TACIXAT wrote:

Ok, so I think my comment broke this page. I questioned whether this functionality meant the site was susceptible to a certain web vulnerability. My best guess is those words are triggering a web application firewall (WAF) and preventing the content from loading. Sorry to break the post, it was quite cool!

It doesn't affect proxies or firewalls because it only sends queries to the server and receives data back via HTTP.

And this is the public API.

Avatar of stephen_33

Several years ago I tried to make a piece of text in a post blink on/off and while there used to be a <blink> tag in the earliest versions of HTML, it was removed in versions 3 or 4.

The only alternative I could find in HTML5 was the animation feature in CSS. It was a little over-complicated for my needs, but I put it all together and got it working nicely in a test page. But when I tried pasting into a forum topic, the editor stripped all the CSS for it - no blinking text!

If, many years ago, the site posting editor refused to pass perfectly safe CSS, why on earth would it allow JavaScript of any kind today?

I've assumed for ages that JS just won't get past the editor.

Avatar of umnicka1
TACIXAT wrote:

Ok, so I think my comment broke this page. I questioned whether this functionality meant the site was susceptible to a certain web vulnerability. My best guess is those words are triggering a web application firewall (WAF) and preventing the content from loading. Sorry to break the post, it was quite cool!

It doesn't affect proxies or firewalls because it only sends queries to the server and receives data back via HTTP.

And this is the public API.

 
Avatar of stephen_33

Be that as it may, the site takes a lot of care to protect itself from any kind of malicious code.

Avatar of umnicka1

Be that as it may, the site takes a lot of care to protect itself from any kind of malicious code.

Avatar of stephen_33

Can anyone suggest why any kind of web firewall would block any styling in an HTML document? I understand how JS can pose a risk but how can any aspect of CSS threaten a site?

I've never understood this and it's never been explained.

Avatar of umnicka1

Can anyone suggest why any kind of web firewall would block any styling in an HTML document? I understand how JS can pose a risk but how can any aspect of CSS threaten a site?

I've never understood this and it's never been explained.

Avatar of TACIXAT
stephen_33 wrote:

Can anyone suggest why any kind of web firewall would block any styling in an HTML document? I understand how JS can pose a risk but how can any aspect of CSS threaten a site?

I've never understood this and it's never been explained.

There are CSS-based keyloggers; I won't paste it here for fear of breaking another discussion. If you search that, there is a GitHub repo with an example of how it works at the bottom of the README. Additionally, you could have a browser bug (search: CSS CVE), like a use-after-free that could lead to (native) remote code execution. I don't think a WAF will catch this though, because it will be in some arbitrary usage and not a known risky usage.
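
An added example (not part of the thread and not the site's own code): a minimal Python check of the kind a posting editor could run over user-submitted CSS, flagging constructs that make the browser fetch a remote resource, which is the channel CSS-based data leaks depend on. The function names and both sample stylesheets are constructed for illustration; a production sanitizer would use a real CSS parser with a property allowlist.

```python
import re

# Constructs that make a browser request a remote resource from a declaration.
FETCH = re.compile(r"url\s*\(|image-set\s*\(", re.I)
ATTR_SELECTOR = re.compile(r"\[[^\]]+\]")

def normalize(css):
    """Strip comments and decode backslash escapes so 'u\\72l(' cannot hide 'url('."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)
    def unescape(m):
        if m.group(1) is None:
            return m.group(2)
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return re.sub(r"\\(?:([0-9a-fA-F]{1,6})\s?|(.))", unescape, css, flags=re.S)

def audit_css(css):
    """Return {selector: findings} for every rule an editor should reject."""
    css = normalize(css)
    report = {}
    if re.search(r"@import\b", css, re.I):
        report["@import"] = ["fetch"]
    # Matches innermost blocks, so rules nested in @media/@keyframes are covered.
    for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
        selector = selector.split(";")[-1].strip()
        if FETCH.search(body):
            findings = ["fetch"]
            # A fetch gated on an attribute selector fires only when the page
            # state matches, so the request itself reveals that state.
            if ATTR_SELECTOR.search(selector):
                findings.append("conditional-fetch")
            report[selector] = findings
    return report

# Constructed sample: pure animation, no network access (the "blink" case).
BLINK = """
.blink { animation: blink 1s step-start infinite; }
@keyframes blink { 50% { opacity: 0; } }
"""

# Constructed sample: an escaped url(), an attribute-gated fetch, and @import.
REMOTE = r"""
.banner { background: u\72l(https://example.invalid/a.png); }
div[data-state="open"] { background-image: url(https://example.invalid/b.png); }
@import "https://example.invalid/c.css";
"""

if __name__ == "__main__":
    print(audit_css(BLINK))
    print(audit_css(REMOTE))
```
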

Avatar of stephen_33

"CSS based keyloggers" - wasn't aware of that and I've done some reading on GitHub.

Interesting, thanks.

Avatar of umnicka1

"CSS based keyloggers" - wasn't aware of that and I've done some reading on GitHub.

Interesting, thanks.

Avatar of umnicka1
stephen_33 wrote:

Can anyone suggest why any kind of web firewall would block any styling in an HTML document? I understand how JS can pose a risk but how can any aspect of CSS threaten a site?

I've never understood this and it's never been explained.

There are CSS-based keyloggers; I won't paste it here for fear of breaking another discussion. If you search that, there is a GitHub repo with an example of how it works at the bottom of the README. Additionally, you could have a browser bug (search: CSS CVE), like a use-after-free that could lead to (native) remote code execution. I don't think a WAF will catch this though, because it will be in some arbitrary usage and not a known risky usage.