From f33e061c9aa114fc9fb0e298e62dfa5a23bb3b3e Mon Sep 17 00:00:00 2001
From: ansuz
Date: Wed, 10 Feb 2016 10:47:33 +0100
Subject: [PATCH] visit /hack/ to see what this is I'll leave it up to the users to decide whether XSS is a bug or a feature
---
www/hack/index.html | 52 +++++++++++++++++++++++++++++++++++++++++++++
www/hack/main.js | 42 ++++++++++++++++++++++++++++++++++++
2 files changed, 94 insertions(+)
create mode 100644 www/hack/index.html
create mode 100644 www/hack/main.js
diff --git a/www/hack/index.html b/www/hack/index.html
new file mode 100644
index 000000000..127ac6d1e
--- /dev/null
+++ b/www/hack/index.html
@@ -0,0 +1,52 @@
+ + + + + + + + + + + RUN + + +
diff --git a/www/hack/main.js b/www/hack/main.js
new file mode 100644
index 000000000..6bdb1f456
--- /dev/null
+++ b/www/hack/main.js
@@ -0,0 +1,42 @@
+define([
+ '/api/config?cb=' + Math.random().toString(16).substring(2),
+ '/common/realtime-input.js',
+ '/common/messages.js',
+ '/common/crypto.js',
+ '/bower_components/jquery/dist/jquery.min.js',
+ '/customize/pad.js'
+], function (Config, Realtime, Messages, Crypto) {
+ var $ = jQuery;
+ $(window).on('hashchange', function() {
+ window.location.reload();
+ });
+ if (window.location.href.indexOf('#') === -1) {
+ window.location.href = window.location.href + '#' + Crypto.genKey();
+ return;
+ }
+
+ var key = Crypto.parseKey(window.location.hash.substring(1));
+
+ var $textarea = $('textarea'),
+ $run = $('#run');
+
+ var rts = $textarea.toArray().map(function (e, i) {
+ var rt = Realtime.start(e, // window
+ Config.websocketURL, // websocketUrl
+ Crypto.rand64(8), // userName
+ key.channel, // channel
+ key.cryptKey); // cryptKey
+ return rt;
+ });
+
+ $run.click(function (e) {
+ e.preventDefault();
+ var content = $textarea.val();
+
+ try {
+ eval(content);
+ } catch (err) {
+ alert(err.message);
+ }
+ });
+});
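Review bot: `eval(content)` in the `$run.click` handler of www/hack/main.js runs the textarea text inside the application's own origin. That textarea appears to be bound to a shared channel by `Realtime.start(e, Config.websocketURL, …, key.channel, key.cryptKey)`, so the text being run may have been written by any other participant holding the URL hash; this is inferred from the names, since the Realtime module is not in this patch. Code evaluated this way can reach everything the origin can, including whatever the site keeps in browser storage. If the page is meant as a shared scratchpad, evaluate the text in an iframe with `sandbox="allow-scripts allow-modals"` and no `allow-same-origin`, handing it over with `postMessage` as sketched below. The unused `rts` and `Messages` bindings could be dropped in the same pass.

```javascript
    $run.click(function (e) {
        e.preventDefault();
        var content = $textarea.val();

        // Opaque-origin frame: without allow-same-origin the evaluated text
        // cannot read this origin's storage or script the parent page.
        $('#sandbox').remove();
        var frame = document.createElement('iframe');
        frame.id = 'sandbox';
        frame.setAttribute('sandbox', 'allow-scripts allow-modals');
        frame.style.display = 'none';
        frame.srcdoc = '<script>window.addEventListener("message", function (m) {' +
            'if (m.source !== window.parent) { return; }' +
            'try { eval(m.data); } catch (err) { alert(err.message); }' +
            '});<\/script>';
        frame.onload = function () {
            // targetOrigin must be "*" because a sandboxed frame has an opaque origin
            frame.contentWindow.postMessage(content, '*');
        };
        document.body.appendChild(frame);
    });
```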