What's something that's technically legal but feels morally wrong?
47.3k
34.2k
Replying to a "read" message hours later and pretending you just saw it. We all know. We all do it. Nobody talks about it.
Reply
847 more replies
Share
28.7k
Using the self-checkout lane with a full cart because there's no sign saying you can't.
Reply
512 more replies
Share
19.1k
Loud phone calls in public places. Not illegal, but the social contract clearly says this is wrong.
Reply
388 more replies
Share
14.8k
Subscribing someone to a mailing list using their email. Technically legal, definitely annoying.
Reply
203 more replies
Share
11.2k
Returning something to a store after clearly using it. The policy allows it. Your conscience shouldn't.
Reply
176 more replies
Share
8.9k
Asking for a raise by referencing a competing job offer you never actually applied for.
Reply
134 more replies
Share
Real World Lab — What to Find
This page simulates Reddit's Shreddit API comments endpoint.
Access it using the real URL path pattern:
/59.php/svc/shreddit/api/comments/askreddit/POST_ID/t1_COMMENT_ID
The POST_ID path segment is reflected raw in an
unquoted id attribute on the
"See More Comments" button at the bottom of this page.
Unlike Labs 56–58, there are no quotes to break out of —
a single space character (%20) is
enough to inject a new attribute.
The XSS fires on mouseover — hover over the button after injecting.
Payload: t3_u9po1l%20onmouseover=alert(document.domain)%20y=