#👾-core-development

why is bro using media1.tenor.com

📮?

lc.ocr

LOVE

wtf is this gif

bad ocr

LOL

o not 0

https://media1.tenor.com/m/G3of84wq-DYAAAAC/horusultra-rias.gif

its uh

hsdxd

i would be embarassed to have this in a discord theme

vencord users have no shame

does this guy have 4 different wallpapers

im so confused

bro thinks vencord is wallpaper engine

a

spammer

🙄

Was about to say litterbox but thats temporary uploading and would be pointless

indeed

all it takes is 10 minutes to fix all the theme issues and people are complaining

can you use images hosted on discord? that seems like the easiest solution

cdn links expire

the client should auto regenerate them if retrieved from within the client, no?

does that not work when used in this way I guess?

no

im pretty that only works for links sent in chat

these are all just being fetched via the browser itself

yeah just tried it. makes sense

lol

@austere talon gl with theme support

wha

oh that's an oversight @oblique hound #86004744966914048 message

oh self hosted cloud sync...

Thought so haha

idk how to fix that honestly

I’ll just use the public one in the meantime

You could require a specific path. Like "*/vc-cloudsync". if people are able to selfhost it, then they should be also able to configure a path on their reverse proxy

we will sunset the feature of custom cloud sync server

Or that lol

Code in work hours or code after midnight, no inbetween

nah

I'll fix it dw

Average AWS free tier user

insane 😭

i do that

or keep original idea of premium gating no CSP

donors all deserve to be hacked

Honestly it could just be toggled by dev mode

like i said earlier, a toggle somewhere to disable it with a ton of warnings

nah

That's technically just creating potential for more scam

"to use this theme you must first click these 3 warnings!!!!"

So useless

or maybe just add the toggle if it is built from source?

^

damn i didnt see that part

But yeah I doubt any malicious person would guide through a pnpm install atp just trick the victim into using a malicious installer

oh wait, i forgot, midnight uses wikipedia for the moon icon

I do not mean to give tips to anyone by saying that

Thanks FBI

that's not really what csp is protecting you from

Just quickcss it away

but yes blanket disable will never be added

No it's not but if someone wanted to use a theme maliciousoy

yeah should be able to defer the majority of the users, and the minority should be suspicious

it's not really to prevent you from malicious themes anyway

a good csp is very beneficial in many regards

unfortunately discords csp is not good in the first place so you miss out on a lot of potential security but hey it's better than nothing

Fair

is wikimedia not whitelisted

husk

doesnt seem like so

seems reasonable as something to whitelist tbh

@austere talon you are terrible and everything you touch turns to ash

"wait you didn't whitelist hundreds of different niche domains of big websites that maybe 2 themes in existence use????"

fafa

hello

hiiii

i woke up to my plugin exploding

DisableCsp plugin coming soon

nuh uh

@austere talon you forgot companion csp

love

does it use localhost instead of 127.0.0.1

i will pr guhhhhhh

no

uses 127

HOW

why doesn't it worm

it should

crumbsniffer was using my fork

csp broke it

connect-src 'self' ws:;

wtf is that

so fake

does discord not pass that already

arrpc works

show the csp error

@opaque silo

@austere talon guhhh add wikimedia

midnight uses it

never

insane

sadan is just insane

u made the change on built in companion

his fork just needed it too

INSANEEEEEE

@fossil inlet

soon

the evil ".concat(b ? "0" : "1") vs the wonderful ${+!b}`

explain

tf is that

the concat isn't real discord code

it's their bundler

the source code is format string

¯_(ツ)_/¯

no real person uses concat

insane bundler then

H-h-h-h-h-h-h-h-h-h-h-h-hey vencord owner 🥹 Can you merge ❤️

fym directly refer to image

non direct like won't even work

and I disagree with adding gofile

???

you can embed imgur links using imgur.com instead of i.imgur.com

how come?

reddit

Why would you use reddit...? Posts can be deleted, subreddits closed, accounts stolen and emptied

i don't think playing the game of adding random shady filehosts because 2 themes use it is a good idea

How is gofile a shady file host 💔

Seriously what is the point in this stupid csp shit

Oh no imma get ip logged

💔

Csp does not exist to protect you from malicious themes

It's one of many layers of defense to protect you from unexpected threats

What unexpected threats am I gonna get from css

Nothing

It blocks domains for the entire app, not just css

Css is not dangerous

My snippets

Yeah but someone can easily just upload the script to github and call it a day

(Though it can burn your cpu to pieces if you're stupid)

BREAKING NEWS: New widespread XSS attack on discord only affects Vencord because they are too fucking stupid to set up CSP correctly

If someone manages to execute arbitrary code via a github link, you have worse problems than your discord being hacked

Also fun fact guys, if you don't like CSP, just remove it by reverting the commit on your fork <3

But yes, permitting GH is also somewhat dangerous

Problem solved

It's just that vencord couldn't work without it so it's a compromise

Oh sorry, that was from an alternate universe where vencord didnt actually bother to set up CSP! glad we did!

And this hasn't happened at all on any other mod because why. Also, the browser version of discord already has csp enabled. The discord app also doesn't have cookies to other websites. This literally solves nothing lmao

If yo shit is broken by csp, fix yo shit

Nooo wym someone wants to host their own images sorry..

Fuck is that emoji

Connecting to arbitrary untrusted websites is a bad idea

i fucking hate discord

because no widespread XSS attack has been found yet that is specifically mitigated by CSP ¯_(ツ)_/¯

Don't we all

Then let the user disable copy

Csp

Dont force keep it enabled

Are you offended by "warning: do not swim with piranhas" signs as well?

No? 😭

I just think its stupid that its not an option the user can disable

It should be on by default

Then why are you offended by this particular "do not swim with piranhas" sign

if you know how to clone the source, remove csp you can do that!
if you dont, you shouldnt! as shrimple as that

Theres a difference between a discord mod and death

What is your point here

Yeah you'll only get your account hacked rather than your leg being bitten off

Literally what i'm saying

Again, you can literally load stuff directly from github

that adding a specific option exposes people to danger and if this gets abused by a malicious attacker later on vencord & other client mods will be blamed

What is this preventing

And not just github but also github pages

having the knowledge to dig through code and remove csp means you should know how dangerous disabling csp is

this is exactly the same thought behind userplugins

The guy that use cursor : nah i just told it to remove CSP and everything is fine

Maybe, get this, the user should know what they're installing 😱

Yes

Indeed

User can install a vulnerable custom build if they want

But most users don't want vulnerabilities I think

now snap back to reality & most people dont
most people dont know what the funny switches do in your settings & most people dont know what csp actually is
& the users will still blame vencord when something goes wrong

So what if they blame vencord? Not like anythings going to change. That's like blaming windows for letting you install a virus

Because you are asking for vencord to add a "allow vulnerability" switch

vencords reputation gets fucked and people will stop using vencord

And yes, windows allows you to install viruses

It does its darnedest to prevent viruses from installing themselves by receiving a malicious chat message, though

Discord has context isolation on in electron. There is no benefit to this especially when they can again, put the script on github.

Windows literally use many popups to prevent you from installing shit on your own machine

Sometimes even blocking legit stuff

No they dont bro😭

That's windows defender not windows

And it's annoying
But it's F great so i don't have to fix my grandpa computer every fucking day

Exactly the same

Vencord now ship with Vencord Defender
If you are not happy, clone the code and remove it and that's it

I can uninstall and disable windows defender

Windows defender is a separate app shlawg🥹

By actually digging deep and forcing Windows, same shit here
Get the code, change it and you good

Yes and you will make every security-aware person on the earth cringe if you do so despite the dozen warnings you get

You can build Vencord yourself and disable csp

Write yourself a userplugin to add specific ones you want dynamically if you want, it's just not supported officially

This will only make this situation worse. People will go to shady repos where csp is disabled and God knows what is in there.

This is a literal perfect attack vector

do you genuinely think people without any knowledge of csp will see "failed to fetch" or "unsupported domain" or whatever and google "vencord without csp" & download vencord from an unofficial source instead of the theme developer just changing their theme to use a valid url 😭

CSP here exist to make sure that Ven isn't liable for you getting hacked
If you want that responsability release Kodacord without CSP, but stop complaining

fun fact a theme can log your (first 3 digits of) user ID or whatever you're typing ask @inland fable he's done like 900 of these POCs

the resource itself is irrelevant

the resource host is

your average idiot uses themes with sane resources

only like two people will link hsdxd gifs from tenor (real world example)

Damn bro let it go Im tired and dont wanna argue anymore

discord own csp is so crap it doesn't even prevent XSS

discord moment

Wot how ?
I'd actually like to understand how the F it could even do that

so no it can't stop XSS unfortunately because of discord

if discord used a better csp I would also make sure it's XSS safe

dnr-rules.json: Lines 7-10

"responseHeaders": [{
  "header": "content-security-policy",
  "operation": "remove"
}]

Lmao

lol i don't think there's any better way to do this in tauri

the vencord extension also just removes the header

peak

should probably show an example... like even for simple shit it adds random stuff sometimes
I've also seen times where it's just a word and it adds like a million words of context to explain it better, instead of just translating it

deepl is very inconsistent from my experience and the accuracy is also sometimes lacking

If you translate a single word, translating that word as detailed as possible is a good thing

open pr
close pr

@austere talon you LOVE those prs right

i read "updated github actions workflows" and thought it was a spam pr

just another case of someone opening a pr on the wrong repo xd

why would you host css on pastebin

i would rather host MALWARE on there..

Well, I would never use pastebin. I think that it's good that you can make something without creating an account on it.

we need someone to blame when someone complains about lag in #🏥-vencord-support-🏥

just blame nin0

themes

blame @austere talon for lagging the token

https://github.com/Vendicated/Vencord/blob/6140b9581496a1102839cbefbd2fa1b41a6f4c12/src/webpack/common/components.ts#L51

components.ts: Line 51

// token lagger real

Add pornhub.com valid csp

Best file host

Who caaaaaares oh no the theem is logging how old your discord account is with no other identity

Absolutely update

are you being sarcastic I can't easily tell

Yes

keylogger theme

100%

This is absolutely hot trash

Absolute meme of a change

Github gist is crazy

alt tab while holding delete

how

why

who tf is holding delete while alt tabbing 😭

that never happened to me in my entire life

but good catch

makes me wonder if that’s why my ctrl/shift keys sometimes stick… but it’s probably unrelated

that’s also a discord issue for me rather than a vencord issue

oops :3

oops

🎊 🔥

why is editing a pull request worth a webhook

updating this should be added to the publish workflow

lol

I assumed it automatically updated

wait I'm sure theres an actual dynamic shield thing

it's not really useful tho

redundant information

and the version number is meaningless

https://shields.io/badges/endpoint-badge

easy quick glance ig but there's other places on the ui for that

yes

the version number isn't relevant

and for the hash just look at the latest hash

https://img.shields.io/github/v/tag/Vendicated/Vencord

doesn't show the hash tho

wait yeah its meaningless

blehg

make the logo the vencord pink colour

the horror

🤥

you love

ew why all black

racist

make better colours

[ <:e:1263720914583949393> Removed by @crumbsniffer ]

?

[ :e: Removed by <@&1062536788184404069>rumbsniffer ]

JUST USE THR COLOIRS FROM VENCOR DOT DEV

ur soo stupdu

okay do

pr

pr to my pr

u stupid chud

??

ur being mean

apologize rn or I'm not pring the mono microphone

steromic is real

sorry my little chud

dont call me a chud ur the chud

@opaque silo authorise https://github.com/login/oauth/authorize?client_id=cceb16b11fcb57269101&redirect_uri=https%3A%2F%2Fimg.shields.io%2Fgithub-auth%2Fdone

i don't want your virus

leave me alone

https://img.shields.io/github/v/tag/Vendicated/Vencord?style=flat-square&logo=github&logoColor=d3869b&label=&color=1d2021&labelColor=282828

@vending.machine#0000

@austere talon

the pink just looks bad here

i think

actually it's alright

sure

soo flip floppy

@austere talon i might be doing it wrong but i cant repro the single ear microphone thing

ill pr the change cause disabling the plugin did fix it for him soo idk

make sure ur receiver actually can hear stereo from u

try streaming this https://www.youtube.com/watch?v=YwNs1Z0qRY0

well the guy said it was the microphone doing it

not the stream

stereo stream def works tho

yes ik but

make sure stereo actually works on the receiver

not all clients can receive stereo

that's why I told you to test it with streaming to make sure it actually works xD

ohh

ok well it does

soo idk

.,

not a fan of .{0,8}

.concat(b ? "0" : "1")

ulgy

matches the ternary

ur ugly

it's ulgy

FINE

@dusk blaze ur rotted in the head

happy?

imagine a Rust crate where you like define a plugin then plugin.exportTo("src/index.ts") then we'd have blazing fast plugins

did you get a lobotomy

new patch ulgy

actually horror

nuh uh

pure evil

dude ${+$1} is horrifying

its wonderful

you are evil @opaque silo

bad things will come upon you

you hecking chud

stop b eing so mean to me

it's out of love

does this make you happy

EVIL

i already pushed to ur pr

look u can't even tell it isn't official discord code

im going to barf

why

you sicken me

@austere talon intentionally makes patches unreadable to keep a monopoly on vencord development

wtf is dtx anyway

sound thingy

terrifying https://datatracker.ietf.org/doc/html/rfc7587#section-3.1.3

                    match: /"(minptime=10;useinbandfec=1;usedtx=)".concat\((\i).{0,8}\)/,
                    replace: "`$1${+!$2};stereo=${+$2};sprop-stereo=${+$2}`"

@austere talon im pushing

Discontinuous Transmission (DTX), where parts of the
encoded signal that correspond to periods of silence in the input
speech or audio signal are not transmitted to the receiver. A
receiver can distinguish between DTX and packet loss by looking for
gaps in the sequence number, as described by Section 4.1

no this is evil

remove the concat completely

$(+!$2)

STEREO MIC PLUGIN REAL???

unironically it is real

are u deliberately trying to make this as cursed as possible 😭

chud behaviour

STOP CALLING ME THAT

it hurts my feelings

despicable

dms

stay away from me

look how wonderful it is

esbuild wrote this code

i train chatgpt to write like that

i pr vencord a massive refactor to make everything clean and concise

???? why is it inverting them

😭

0 and 1 are numbers

treated as such

actually horror

!0 means to return true if the value is falsy, and 0 is falsy

cause it's converting the numbers to boolean

!0 = true
!1 = false

shorter

i do this for true !!!0

js gore @opaque silo

i should start writing like that

will make all my js blazingly fast

es team: guys let's add a new typeof value that comes after u in the alphabet
the evil minify optimisation: YOU SHALL EXPLODE

it's so funny that bundlers rely on the fact that undefined is the last type in the alphabet

and minifies to >"u"

working on ES spec must be so pain

trying to add a new method to some stdlib object? well think again because insane websites write their own methods to stdlib objects and you just broke amazon

that's why some methods have weird names in js

breaking amazon sounds like a good idea

official spec gets insane names while obscure libraires get normal

iirc array.flat() was supposed to be called array.flatten() but that conflicted with a very popular library that would define its own array.flatten and it broke popular sites

so they named it flat instead

i read that in some google blog

chatgpt found it

https://developer.chrome.com/blog/smooshgate

the horrors of javascript

The proposal author jokingly suggested renaming flatten to smoosh to avoid the compatibility issue. The joke was not clear to everyone, some people started to incorrectly believe that the new name had already been decided, and things escalated quickly.

lmao

why are they freaking out about a method being called smoosh

webdevs hate fun

oh my god...

@austere talon YOU HATE FUN

and this is why libraries should never ever pollute globals

(unless it's a 100% standards compliant polyfill)

ironic cause the library that caused this entire dilemma was called MooTools

🐮

is this a new dc change

nah

Discord web's encoder always uses mono

even for stream audio

that patch makes it stereo

but I fucked up and it also applies to voice, not just video

that commit fixes it so it only makes video stereo

it was causing issues for some users where their voice would only be on the left side lmao

probably because feeding mono audio into stereo encoder

so it would use the mono audio as the first (left) channel

btw can you replace the CustomCommands plugin with something else? pretty sure it’s gone

So is PronounDB

vendicated patch

yeah isn't stereo in streams new??

swear all clients always sent mono

yeah its fairly new

@austere talon do your quick reply changes fix https://github.com/Vendicated/Vencord/issues/3289

that issue isnt real

it always handled blocked messages correctly 😭

oh

you mean without NoBlockedMessages

no it only skips it if it's hidden due to NoBlockedMessages

does discord not expand the blocked message when you create a reply?

No

insane

you will pr fix

just make it expand ig

the changes mainly address skips when a message is deleted / created

Not really.

To create one, you would need to have it expanded already

previously when you replied to smth then people sent 5 new messages

then when you pressed down it would actually go down 5 messages instead of 1

that's what the change fixes

Ah

you crashed my browser

i closed ur issue tab and it crashed

Good

It’s working

oh my god i wrote this and then accidentally closed my browser I am so grateful that Github automatically saves your draft

@austere talon has been destroyed

surprised this hasn't been brought up more

themes with spaces have always been broken

i haven't seen a file with a space in the name since ages

me wondering why nothing is working

the perfidious malformed patch

guhhhh what am i doing wrong here

(this is for a userplugin, not my pr)

@fossil inlet

what the hell

happens whenever i reload a dev build with watch enabeld

bro didn't even test it (tbh i didnt even know that this wasn't the case either )

(me when broken code works better )

why are file names in camelCase and plugins in PascalCase

insane

Components in Pascal, everything else in camel I think

just make everything camel case

camel case so good

Upstream issue with jsx

@limber skiff i'm probably doing something obviously wrong here

this code used to work, broke when i tried it recently

you are

the second try catch

thanks

i will see if I can make Discord's csp actually safe

aka removing unsafe-inline

@limber skiff I wonder if it would be feasible to eval with a script tag

so we can also remove unsafe-eval

actually i think discord depends on unsafe-eval nvm

but I will still try this

Doesn't dev companion need that

why would it?

Isn't unsafe inline eval

no

Oh

unsafe-inline is

<script>alert(1)</script>

Oh

and also ```html
<img onerror="virus()" src="fake">

So like preventing HTML injection

unsafe-eval is eval(), Function(), etc

unsafe-inline is the biggest security problem

yeah

aka XSS

eval soo useful tho

For what exactly

stealing tokens

yeah but maybe we can emulate it with script tags trol

anyway i think discord depends on eval lmao

script tag with nonce?

ye

well

no need for a nonce

https://content-security-policy.com/strict-dynamic/

what prevents anything from doing the same then

with this only the root script needs a nonce

ah I see

basically strict-dynamic means

any script that passed csp (via nonce or hash) may create explicit child scripts without nonce and they will be allowed

but those scripts can't be parser inserted

<script nonce="awa">
    // Legal
    const script = document.createElement("script");
    script.src = "...";
    document.body.append(script);

    // Illegal
    const div = document.createElement("div");
    div.innerHTML = "<script>..."

so it's the best of both worlds

ease of use of unsafe-inline, safety of strict csp

it's fire

doesnt seem like anything even needs unsafe-inline...

i will try just removing unsafe-inline

@austere talon you should review https://github.com/Vendicated/Vencord/pull/2938

evil

do we really need to duplicate so much code 😭

Prob not

also test for compatibility with mentionavatars plox

In my PR I added a function that just returns the prefix, first part and second part to be used in the different render functions, could probably just steal that

does vencord not have classnames

whar?

Probably means classnames(className, { foo: true, "has-bees": bees != 0 }) for classname props

It has classes that does that I think

is this a good time to say I just finished getting my PR for this up to date too lol. it doesn't have suffocate's emoji fix though 🤔

ah man I didn't realize discord-types was an external package

it needs to be updated for my pr .-.

I think vee made it easier for it to be updated last time it was needed so probably not a huge ask

github for it hasnt been updated for 2 years

am I at the wrong place

Maybe I'm thinking of something else

idk this github only has 17 stars so I feel like im in the wrong place

only thing that shows up on google other than discord-api-types though which has a loooot more activity but doesnt seem to be the one?

Oh I was thinking about standalone-electron-types, my bad

You'll just have to type it yourself, I don't think there's really any maintained typings for discord because it just changes all the time

The api types are different

there is classNameFactory that works like that

no, it's been abandoned

the github for discord-types doesnt look like it's taking prs rn. what to do 🤔

I just put a // @ts-expect-error: line and it worked lol. is that fine or how should I handle this

you should review https://github.com/Vendicated/Vencord/pull/3382 and https://github.com/Vendicated/Vencord/pull/3346

(foo as any)

@fossil inlet

oh true

surely the test will pass this time

yippee

did you add anything more to your pr update that it didnt have originally cause part of mine was including yours

Just some Refactoring

oh you did update the unknown user patch which I accidentally removed earlier. yoink

well I spent like the last 6 hours updating those prs so time to sleep 💤

editor's note: gradients are the devil

GITHUB INSANE

somebody pressed send before it was done

do not blame others for your own shortcomings

me when i can send a message while things are still uploading

github bad ux...

:)

insanity how did 3 million webpack finds break

Wdym

lmao wtf was that

so good #1337479880849362994 message

sorry i bit the wires a bit

@inland fable could you send some of those POCs because i would actually really like how you can even achieve that with CSS, i really wonder about what tech could be used in an expected way (or was designed in a way that somehow can lead to that kind of thing)

Here

4 first digits i think

NOt sure if the classes are updated

wha the hell

ok i see

that's a bit big brain

altho not what you type, powerful

eh repeat but with every letter and the chat input

wait what

minified component names my beloved

Happy birthday to https://github.com/Vendicated/Vencord/pull/2570

am I insane or could this simply be every 2 digit number combo and it'd send every digit of the id then you could reconstruct the possible ids on the backend

erm wdym

there's no wildcard character or anything

you can match x first or x last (or both)

it does get unbearable laggy at some point too

oh I see

maybe it'd match from avatar hash too like that

but maybe not a problem maybe you're right

like you select for [src^="https://cdn.discordapp.com/avatars/][src*=10] so on

if the id is 10234 the selectors for 10 02 23 34 would match

then you can reconstruct based on IP on the server

could also maybe do the same trick for other identifiers to cross reference and narrow down the reconstructed possibilities

Surely you wouldn't know the order of the two digit combinations though

They'd just be in the order of the rules wouldn't they?

well if you get 10 02 23 34 rules returned they can only fit together one way

Sure but something like 430184 = 01 30 43 18 84
Could be 184301

I just woke up so that might be wrong but you get the idea

could also match for /1

so you know the starting digit

same for the end

I'm sure there's a bazillion ways to narrow down the order

anyway CSP stops this now I think

actually no because *.github.io is white listed

lol

This works now

Doesn't apply though

static site who cares

can't even use your own vencloud anymore

yes

will be fixed

aight

explode

i love commit messages

Me when "misc changes"

vencord will use conventional commits inshallah

doesn't matter when it all gets squashed on merge

it's feature branch buddy

i have a solution for you
feel free to copy my strategy

@placid hinge can you test Vendicated/Vencord#3476 with your custom cloud sync server? just with your existing config

HOLY SHIT TRUE

lmaooo

damn it was actually useful

the other comment is wrong but whatever

actually I think you should do the other too

nah the code is right

not because of the reason it explained

but its more clear

it shows what the expected url is

it's so users don't allow imgur.com

I know

oh wait

using !url.startsWith("https://i.imgur.com/") its more clear

i get it but

it's not guaranteed to be imgur xD

ahh

I see

it will disable anything but i.imgur.com

that's just one case

like if you try to load banana.com

yeye

it's obv not i.imgur.com

but yeah still good feedback then

I thought that code was specific to imgur

it didnt know it can be anything

actually solid suggestions

time to make copilot review all prs

I wont review rn cuz im about to sleep

sorryyy

all good

tomorrow is fine

need more testers anyway

vencord 2 coming soon, fully vibecoded

true again...

why are there so many keys

am i okay

(it's cause i refactored a lot of times, all of these used to be the top level element at one point)

it likes my code now 😊

NEVERMIND

even this is true 😭 but i am aware and decided earlier that i would just not support those cases