
[return to "Show HN: Non.io, a Reddit-like platform Ive been working on for the last 4 years"]
1. root_a+Ih 2023-06-12 17:46:31
>>jjcm+(OP)
Congrats on the hard work, and the idea is fine, but the problem is that tech like this is a cheap commodity in a massively oversaturated space, and without a hook that makes the platform exceptional (innovative/clever/beautiful design, unique aggregation features, inherently interesting content, reimagined user/content/moderation dynamics etc etc), this kind of thing is dead in the water because it lacks a network effect. Add in the upfront subscription model and failure to launch is basically assured.

When I visit the root domain I shouldn't be greeted with a marketing splash page, you need interesting content in the user's face right away, entice their curiosity and drive the user to explore the site... even as a fellow developer, my first instinct is to abandon the page as soon as I'm greeted with the cliche startup marketing page. Consider the user experience when I visit reddit.com or news.ycombinator.com or any other link aggregation competitor. What you have now is a tech demo, not a platform. Sorry if that's a little harsh, but I mean well! Good luck!

2. SkyMar+aj 2023-06-12 17:51:02
>>root_a+Ih
Mostly agree. The screenshot in the top right looks good, like a professional app I might actually use. But I want to actually browse the site and check it out without first slogging through a registration process. If it’s free to view/browse anyway, then enable doing that without registering. Register and pay if you want to post.

Edit: You can browse without registering after all, here’s the link: https://non.io/#all (didn’t see it on the landing page or OP post).

3. neogod+Vo 2023-06-12 18:10:23
>>SkyMar+aj
Oof, I clicked one of those posts and immediately lost all back-button functionality to an endless stream of history events.
4. oefrha+Vu3 2023-06-13 13:44:11
>>neogod+Vo
Also, when I visit the #all page I get two weird window.alert()’s, first says 5, second says 1. I’m on mobile Safari now so can’t really investigate, but is the site getting script injected??
5. Antony+Uw3 2023-06-13 13:54:21
>>oefrha+Vu3
Yes, the site is vulnerable to XSS, couple of interesting payloads on there so far.

The current top post uses this XSS to have users upvote it:

<img src="a" onerror="soci.postData(String.fromCharCode(112,111,115,116,116,97,103,47,97,100,100,45,118,111,116,101),{post:String.fromCharCode(120),tag:String.fromCharCode(120)})">

Which sends a POST request to `posttag/add-vote` for the post labeled `x`

6. lyu072+2T3 2023-06-13 15:25:22
>>Antony+Uw3
I suppose that makes sense if you get paid for upvotes. Stored XSS is probably just the lowest-hanging fruit; if they messed that up I'd expect everything from CSRF, clickjacking, SQLi and more. Everyone has the incentive to look and exploit. They should probably get a thorough white box review.
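
Added example, not part of the thread and not non.io's code: a triage and mitigation sketch for the stored payload quoted in comment 5. It decodes the `String.fromCharCode(...)` calls so a reviewer can read what the handler does, then shows the same post body HTML-encoded so it renders as inert text. It assumes post bodies are written into an HTML text or quoted-attribute context; the function names are hypothetical.

```javascript
// Post body copied from comment 5 of the thread (the only input used here).
const STORED_POST =
  '<img src="a" onerror="soci.postData(String.fromCharCode(112,111,115,116,116,' +
  '97,103,47,97,100,100,45,118,111,116,101),{post:String.fromCharCode(120),' +
  'tag:String.fromCharCode(120)})">';

// Triage helper: replace every String.fromCharCode(n, n, ...) call with the
// quoted string it evaluates to, so the obfuscated arguments become readable.
function decodeCharCodes(text) {
  return text.replace(/String\.fromCharCode\(([\d,\s]+)\)/g, (_, list) => {
    const codes = list.split(',').map((s) => Number(s.trim()));
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// Detection helper: true when the text contains a tag carrying an inline
// event-handler attribute (onerror=, onload=, onclick=, ...).
function hasInlineHandler(text) {
  return /<[^>]+\son[a-z]+\s*=/i.test(text);
}

// Mitigation: encode the five HTML-significant characters before user content
// is placed in the page, so the browser never parses it as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Summary a moderation or review job could log for each stored post.
function reviewPost(body) {
  return {
    flagged: hasInlineHandler(body),
    decoded: decodeCharCodes(body),
    safeHtml: escapeHtml(body),
    stillExecutable: hasInlineHandler(escapeHtml(body)),
  };
}

console.log(reviewPost(STORED_POST));
```

Encoding at output time is the fix; the handler check is only useful for finding posts that were already stored before the fix went in.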