This is amazing. But someone will do arbitrary code execution 😀
damus android/desktop can now render 3d models inside of posts. this is not an embedded video, it's rendering a 3d object directly.
lmao
https://jb55.com/s/renderbud-notedeck-demo-2026-01-18_16.16.58.mp4
Discussion
gltf files can execute code? how so
all this code does is load gltf vertices and materials. I can’t see how you could attack that
maybe you’re thinking of a web context? This is way more sandboxed than web graphics apis. The only exploit points are memory DoS (easily prevented with max file size limits) or exploits in the image loader. But these issues would already exist in existing image loaders we already use.
We don’t do any shader compilation or anything on remote resources.
Maybe you're right. I like it.
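The "max file size limits" mitigation mentioned in the thread, sketched as an added example that is not part of the original posts and is not notedeck or renderbud code. It checks a binary glTF (GLB) container against a size cap and its own declared lengths before any loader sees it; the 16 MiB cap and all function and type names are assumptions.

```rust
// Added example (hypothetical names, not notedeck/renderbud code).
pub const MAX_GLB_BYTES: usize = 16 * 1024 * 1024; // assumed cap, tune per client
const JSON_CHUNK: u32 = 0x4E4F_534A; // "JSON"
const BIN_CHUNK: u32 = 0x004E_4942; // "BIN\0"

#[derive(Debug, PartialEq)]
pub enum GlbError { TooLarge, Truncated, BadMagic, BadVersion, LengthMismatch, BadChunk }

fn u32_at(buf: &[u8], off: usize) -> Option<u32> {
    let b = buf.get(off..off.checked_add(4)?)?;
    Some(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

/// Validates the GLB container; returns (json_len, bin_len) on success.
pub fn check_glb(buf: &[u8], max: usize) -> Result<(usize, usize), GlbError> {
    if buf.len() > max { return Err(GlbError::TooLarge); }
    if buf.len() < 12 { return Err(GlbError::Truncated); }
    if !buf.starts_with(b"glTF") { return Err(GlbError::BadMagic); }
    if u32_at(buf, 4) != Some(2) { return Err(GlbError::BadVersion); }
    if u32_at(buf, 8).map(|n| n as usize) != Some(buf.len()) { return Err(GlbError::LengthMismatch); }
    let (mut off, mut json, mut bin, mut index) = (12usize, 0usize, 0usize, 0u32);
    while off < buf.len() {
        let len = u32_at(buf, off).ok_or(GlbError::Truncated)? as usize;
        let kind = u32_at(buf, off + 4).ok_or(GlbError::Truncated)?;
        let end = (off + 8).checked_add(len).ok_or(GlbError::BadChunk)?;
        if len % 4 != 0 || end > buf.len() { return Err(GlbError::BadChunk); }
        match (index, kind) {
            (0, JSON_CHUNK) => json = len,
            (0, _) => return Err(GlbError::BadChunk), // first chunk must be JSON
            (1, BIN_CHUNK) => bin = len,
            _ => {} // other chunks are skipped, not interpreted
        }
        off = end; index += 1;
    }
    if index == 0 { return Err(GlbError::BadChunk); }
    Ok((json, bin))
}

/// Constructed sample: minimal GLB holding one 4-byte JSON chunk.
pub fn sample_glb() -> Vec<u8> {
    let json = b"{}  ";
    let mut v = b"glTF".to_vec();
    for word in [2u32, 12 + 8 + json.len() as u32, json.len() as u32, JSON_CHUNK] {
        v.extend_from_slice(&word.to_le_bytes());
    }
    v.extend_from_slice(json);
    v
}
fn main() { println!("{:?}", check_glb(&sample_glb(), MAX_GLB_BYTES)); }
```

The same cap has to be applied while the remote file is being downloaded, so that an oversized response is dropped before it is fully buffered.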