P.S. this account is write-only. I will only post announcements and blog post links. If you want to reach me, try mastodon or email m
17.01.2026 10:05
@freddyb.bsky.social
manager/security things for Firefox. love my family, my bike and reading books. You can also find me on Mastodon as @freddy@security.plumbing, which I consider my primary account. Homepage: https://frederikbraun.de/
this is your regular reminder that centralized, single-ownership social media is doomed
17.01.2026 10:05
⚡ I've been contributing micro-optimisations to Go's standard library in my spare time: github.com/golang/go/co...
💸 I don't intend to stop any time soon, but if you benefit from my work and would like to support it, consider sponsoring me on GitHub: github.com/sponsors/jub...
#golang #OpenSource
The Open Source Cryptography Workshop is returning for 2026, before Real World Crypto in Taipei. We are calling for session proposals, both presentations and hands-on workshops, on topics of interest to those who work on and with open source crypto. oscwork.shop/2026 #oscw #rwc #oscw2026 #rwc2026
06.01.2026 10:30
decoder hosted the session.
30.12.2025 19:02
Oh noes. Well see you next time, I suppose? On the upside, the talk was recorded. :)
30.12.2025 19:01
Hey #39c3. Come see my lightning talk on a safe variant for `.innerHTML` that is built right into the browser. Tomorrow (day 2), at approximately 12:25 - events.ccc.de/congress/202...
27.12.2025 23:12
Hey #39c3, chat me up if you want to talk about web security, browser security. I will be one of the tall dudes with a Firefox hoodie :)
27.12.2025 23:10
lol, bsky wanting everyone's my birthday.
Follow me on mastodon, you cowards.
New blog post: Why the Sanitizer API is just `setHTML()` - https://frederikbraun.de/why-sethtml.html
07.12.2025 22:14
New blog post. Something off-topic to feed the search engine. A bug in Lego Star Wars: The Complete Saga (2007). https://frederikbraun.de/lego-star-wars-complete-saga-c3po-bug.html
07.12.2025 14:00
We had a first good outcome already (via Twitter). While `data` URLs are not what I would consider an XSS in the page, I still see it as a confusion that we should address head on. We have an issue filed in github.com/WICG/sanitiz... :)
04.11.2025 15:53
(Terms and conditions apply. Bounty payouts are at the discretion of the bug bounty committee etc. etc. But yes. Bugs in the sanitizer are eligible.)
03.11.2025 19:53
I don't know who needs a kitty headbutt right now, but here's one for you
03.11.2025 00:07
YES! :)
03.11.2025 19:49
Firefox nightly introduces the setHTML() method. Which is like a native DOMPurify. You can easily test it here:
portswigger-labs.net/mxss/
Set HTMLSanitizer
Auto update
I'm trying to break it, I encourage you to break it too
Hej!
We are thrilled to announce Hack.lu CTF 2025 starts on Friday, October 17.
Top teams can win prizes from our sponsors: OffensiveCon, Zellic, PortSwigger, Binary Ninja, and HackTheBox.
All information on flu.xxx
A huge improvement in quality of life. Thank you very much for your efforts! To whom do I write a polite letter asking whether the loading zones could perhaps get a lowered curb for easier unloading? InfraVelo or the district office? Or is it enough to ask here? ;-)
26.09.2025 09:35
Text exceeds alt capacity.
I'm in a phenomenal talk on gender inequality in cybersecurity this morning and this is such a great cheat sheet for intersectional fair employment.
01.08.2025 00:35
firefox container tabs are lowkey goated when $11/year VPS in dublin w/ socks5 over ssh is the vibe
25.07.2025 22:07
Wait, container tabs support individual proxy settings?
25.07.2025 23:27
We just opened the Call-for-Papers for the German OWASP Day 2025. The event will be held November 25th-26th in Düsseldorf.
god.owasp.de/2025/cfp.html
We're looking for all sorts of presentations about web security and beyond for an audience of builders, breakers and defenders.
cut my heap into pieces, this is my crash report:
allocation, no alignment
don't give a fuck if it faults on assignment
this is fatal abort()
CUT MY LIST IN TWO PIECES
THAT’S HOW YOU START QUICKSORT
Closed the 6th floor. 3&4 are still going. Berlin and Toronto are the last offices.
31.05.2025 05:32
it's still the mozilla office
28.05.2025 06:59
Really awesome how nice the bike paths are. But why are these bicycle symbols so raised? Couldn't they have been made smooth as well? Asking as an absolute layperson :)
26.05.2025 07:53
Just watched the talk video. Well explained! So sad, that there are so many findings. Would you say most DOM-based XSS is mostly `innerHTML =` or what do people usually do?
25.05.2025 17:38
thank you!
25.05.2025 14:25