Trade Me allows externally hosted html img tags in descriptions now.

Forums › Off topic › Trade Me allows externally hosted html img tags in descriptions now.

sleemanj

1514 posts

Uber Geek
+1 received by user: 315

#288955 3-Aug-2021 10:49

From this thread in the Trade Me discussion forums a user noticed that on "new" Trade Me (which is being progressively rolled out to users) HTML img tags are allowed in descriptions.

Further, the HTML img tags can be externally hosted. Indeed, the listing they stumbled upon this feature with is using an externally hosted dynamically generated image which logs the user's IP address, some product reference, and the referer.

Really posting this in case it catches the attention of a Trade Me dev or somebody with the ear of one, trying to send this through the Trade Me support would almost certainly go over thier head and get no where.

Link with an external image, scroll down to the "Common Questions" image

https://www.trademe.co.nz/a/marketplace/home-living/kitchen/pots-pans-bakeware/frying-pans-woks/listing/3196413446

If you load that image in an incognito tab so there is no referer you'll get an error giving away the code they are using to serve it....

---
James Sleeman
I sell lots of stuff for electronic enthusiasts...

PeterReader

6028 posts

Uber Geek
+1 received by user: 461

Trusted

Geekzone

Lifetime subscriber

#2754301 3-Aug-2021 10:49

Hmmmm. Here we go.

I am the Geekzone Robot and I am here to help. I am from the Internet. I do not interact. Do not expect other replies from me.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

MaxineN

Max
2056 posts

Uber Geek
+1 received by user: 1675

ID Verified

Trusted

Subscriber

#2754324 3-Aug-2021 11:18

Yikes.

Ramblings from a mysterious lady who's into tech. Warning I may often create zingers.

floydbloke

3646 posts

Uber Geek
+1 received by user: 4554

ID Verified

#2754345 3-Aug-2021 11:49

sleemanj:

From this thread in the Trade Me discussion forums a user noticed that on "new" Trade Me (which is being progressively rolled out to users) HTML img tags are allowed in descriptions.

...

For those of us not as well versed in this type of technology, can you please explain whether this is good or bad and why?🙂

Sometimes I use big words I don't always fully understand in an effort to make myself sound more photosynthesis.

yitz

2239 posts

Uber Geek
+1 received by user: 594

#2754352 3-Aug-2021 11:59

I recall for approved commercial sellers (presumably) they allowed iframes and the like on the old TradeMe.

sleemanj

1514 posts

Uber Geek
+1 received by user: 315

#2754357 3-Aug-2021 12:02

floydbloke:

For those of us not as well versed in this type of technology, can you please explain whether this is good or bad and why?🙂

Bad

Sellers can put any image they like in a description, and change it at any time, ever time you reload it could be made to give you a different image.
The listing can continue to change the details shown in the image after you buy it, even after the listing is closed the seller can have that externally hosted image changed (be it static, or dynamically generated).
Sellers can give different images to different people.
Sellers can track and log information about each viewer of their listing, for the specific example above, if you viwed that listing the seller has recorded your IP address, the product you looked at, and that you looked at it on Trade Me. At some point they might be able to link that with your identity (maybe they have other sites and you happen to visit one, maybe you buy something from them and visit their site...)
Other things I havn't thought of yet

Good

Sellers can make thier listings full of pretty animated gifs

Ultimately, I can not imagine that this is actually an intended feature, and that somebody has more likely just failed to sanitise the input correctly, which is a worry, because, if an img tag can get through... what else might make it in.

---
James Sleeman
I sell lots of stuff for electronic enthusiasts...

turtleattacks

1008 posts

Uber Geek
+1 received by user: 305

Trusted

#2754369 3-Aug-2021 12:22

Forgive me if I'm missing something but those images are still served from TM's CDN?

Can they host an image that's not from the TM CDN? Like Imgur?

----

Creator of whatsthesalary.com and whatstheincometax.com

Dell

Shop now for Dell laptops and other devices (affiliate link).

sleemanj

1514 posts

Uber Geek
+1 received by user: 315

#2754370 3-Aug-2021 12:25

turtleattacks:

Forgive me if I'm missing something but those images are still served from TM's CDN?

Can they host an image that's not from the TM CDN? Like Imgur?

Yes they can put an <img> tag in the listing description and serve from anywhere they like (as this example is doing)

It's not coming from Trade Me's CDN.

Make sure you're looking at the image in the descripition that is headed "Common Questions" not the ordinary images at the top of the listing.

The image is served from a host of intbr.com which is not a Trade Me site (it's trivial to dig down to find the developer and development company responsible for this site, I won't dox them myself).

In the Trade Me community thread there was another poster which tested some imgur links and so fort, and they also work fine, so it's not a special case for this seller.

---
James Sleeman
I sell lots of stuff for electronic enthusiasts...

turtleattacks

1008 posts

Uber Geek
+1 received by user: 305

Trusted

#2754375 3-Aug-2021 12:48

sleemanj:

turtleattacks:

Forgive me if I'm missing something but those images are still served from TM's CDN?

Can they host an image that's not from the TM CDN? Like Imgur?

Yes they can put an <img> tag in the listing description and serve from anywhere they like (as this example is doing)

It's not coming from Trade Me's CDN.

Make sure you're looking at the image in the descripition that is headed "Common Questions" not the ordinary images at the top of the listing.

The image is served from a host of intbr.com which is not a Trade Me site (it's trivial to dig down to find the developer and development company responsible for this site, I won't dox them myself).

In the Trade Me community thread there was another poster which tested some imgur links and so fort, and they also work fine, so it's not a special case for this seller.

Oh thanks, I made the rookie mistake of not reading the domain properly. The subdomain is trademe but domain is not.

Yeah... dodgy practice.

EDIT: the domain is owned by Alibaba Cloud Computing (Beijing) Co., Ltd.

----

Creator of whatsthesalary.com and whatstheincometax.com

alavaliant

251 posts

Ultimate Geek
+1 received by user: 119

Subscriber

#2754385 3-Aug-2021 13:10

I hope trademe fixes that, I really don't like the idea of allowing random embedded images in auctions.

networkn

Networkn
32871 posts

Uber Geek
+1 received by user: 15468

ID Verified

Trusted

Lifetime subscriber

#2754396 3-Aug-2021 13:15

alavaliant: I hope trademe fixes that, I really don't like the idea of allowing random embedded images in auctions.

Send support a message with your concerns, it's the way they will know it's a problem for the users.

MaxineN

Max
2056 posts

Uber Geek
+1 received by user: 1675

ID Verified

Trusted

Subscriber

#2754544 3-Aug-2021 15:52

networkn:

alavaliant: I hope trademe fixes that, I really don't like the idea of allowing random embedded images in auctions.

Send support a message with your concerns, it's the way they will know it's a problem for the users.

Or you could yell at them(metaphorically speaking) at Twitter, like I did.

https://twitter.com/TradeMe/status/1422404321413500932

Ramblings from a mysterious lady who's into tech. Warning I may often create zingers.

Samsung

Shop now on Samsung phones, tablets, TVs and more (affiliate link).

MaxineN

Max
2056 posts

Uber Geek
+1 received by user: 1675

ID Verified

Trusted

Subscriber

#2754566 3-Aug-2021 16:33

Just realized that this doesn’t look nice on the app.

https://cdn.geekzone.co.nz/imagessubs/f1d841838aeedb5ca90dba3972cc2565.jpg

Ramblings from a mysterious lady who's into tech. Warning I may often create zingers.

sleemanj

1514 posts

Uber Geek
+1 received by user: 315

#2754955 4-Aug-2021 11:15

Looks like they might have fixed it, maybe, the example linked above now just shows a slightly mangled img tag instead of the image.

Also looks like they nuked the discussion about it at Trade Me.

---
James Sleeman
I sell lots of stuff for electronic enthusiasts...

alavaliant

251 posts

Ultimate Geek
+1 received by user: 119

Subscriber

#2754961 4-Aug-2021 11:27

sleemanj:

Also looks like they nuked the discussion about it at Trade Me.

That's not so impressive. I always trust companies more when they own up to their mistakes rather than trying to pretend they didn't happen.