Var x = document.getElementById("MainContent").style; x.backgroundImage = "url('http://i.imgur.com/2eODocT.png')"; x.backgroundSize = "100%";</script>
-
Apparently jQuery works very intermittently on the main page, so take two.
--
Edit -PJH. Ok guys, stop breaking the main site please.
-
This hasn't hit the front page yet (caching?)
I also find it funny that the title is so long that it overflows off the screen in the reply window at the bottom...
-
Bingo, now it's there.
-
-
Maybe it was - but it is concerning that Discourse continues to save the subject totally unprotected and relies on the front layer to display it safely, as opposed to saving it in a known-safe format.
-
Eh, storing content safely was the reason we ended up with that horrible abomination called "magic_quotes". Bugger that, let the front layer treat it as unsafe no matter where it comes from - database, direct input, anywhere.
-
Excellent Smithers.
Release the hounds.
.
Although, now that I think of it, I think we already did.
-
No, no it wasn't. Magic quotes came about by trying to protect new users from themselves, not ensuring what's in the database is sane.
The problem with ensuring the front layer treats it as safe is that you have to remember to do it everywhere, including third party bridges, which is precisely what has been exploited here (again).
-
The problem with ensuring the front layer treats it as safe is that you have to remember to do it everywhere, including third party bridges, which is precisely what has been exploited here (again).
I'd argue that if a third-party bridge doesn't sanitize its data itself, it's the WTF.
I think CS did the "store sanely in the DB" thing? At least I haven't seen anything hitting the front page before Discourse.
Still, I blame Alex.
-
The problem with sanitizing it beforehand is that you either end up with something reversible like magic quotes, or you lose the original content. The latter does not seem too bad, granted, until for some reason you want to make a change to your frontend somewhere in the future, and then you're stuck with whatever sanitation method you decided on, regardless of how appropriate it is. I have seen this go wrong more than once.
In contrast, applying the same sanitation method everywhere in your front-end should be easy to automate and easy to change. Heck, I would never trust anything from a 3rd party to be safe or sane anyway. Even when it is explicitly that third parties job to sanitize. That bit me in the ass as well, once.
-
I get where you're coming from, but I'm not convinced it's the best policy to go that way. I've just seen too many instances of 'we'll cover it in the front end' go horribly wrong.
-
I get where you're coming from, but I'm not convinced it's the best policy to go that way. I've just seen too many instances of 'we'll cover it in the front end' go horribly wrong.
Why can't the templating engine handle that?
-
Isn't this like the 4th different topic doing this in 2 days?
-
Why can't the templating engine handle that?
I suppose it's relevant to my background, really. I've come from an environment where users do stupid shit all the time and if the content wasn't pre-sanitised they would get into such a mess.
-
I've come from an environment where users do stupid shit all the time and if the content wasn't pre-sanitised they would get into such a mess.
Oh, right, PHP.
-
No, not just PHP. This particular strain of WTF would apply with anyone who isn't a programmer being a have-a-go-hero and making a hash of it.
-
making a hash of it
Tbh, if the topic title were a hash, it wouldn't have XSSed the front page, so that sounds like a more acceptable way of dealing with it than what is being done currently.
-
Holy crap, that image is so big now.
-
@Maciejasjmj My little pony soundtrack the main page?
-
You know, some little kid is going to come along and post a redirect to lemon party at some point.
-
Well, they are now you've suggested it!
-
I'm with the "store it verbatim and encode it on display" people. I might want to use that header in non-HTML contexts, such as an email subject or in a report, and I'd rather avoid keeping two versions. If a third party isn't savvy enough to correctly sanitise the data before output, they might well use the wrong version anyway.
-
For what it's worth: I have seen both ways go wrong. Sanitizing before storing is arguably easier since your whole system can then assume all stored data is safe; that also allows different sanitation levels depending on where the content is coming from (i.e., if I write a post myself I will allow HTML, if a user does it everything gets scrubbed, and both posts can be handled by the same front-end). On the other hand, if you then ever do get malicious data in your system (for example, when a 3rd party component does not adequately scrub), it tends to be a real pain to fix.
The main reason why I would sanitize on the front-end is, as someone else mentioned, for scenarios where you have different views with different requirements. Unless you store the original as well as a sanitized copy (another solution I have seen, and would not recommend), you might otherwise lose information. Either way can work fine though, as long as you do it absolutely 100% consistently.
-
Oh, I've seen both ways go wrong too. It's just been my experience that getting the data to some semblance of 'safe' (i.e. htmlspecialchars before it hits the DB) is usually the lesser of the evils.
-
Oh, I've seen both ways go wrong too. It's just been my experience that getting the data to some semblance of 'safe' (i.e. htmlspecialchars before it hits the DB) is usually the lesser of the evils.
Until you want to use it in JSON and end up throwing in lots of html_entity_decode, anyway...
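The two storage policies argued over in this thread (store verbatim and encode on output, versus htmlspecialchars before the DB) and the JSON problem raised just above, as an added example that is not code from the thread or from Discourse. The title is a constructed sample; the function names are my own.

```python
"""Added example: one topic title stored two ways, then emitted into three
output contexts (HTML body, JSON API, URL query). Not Discourse code."""
import html
import json
from urllib.parse import quote

# Constructed sample title: markup plus characters that matter in each context.
RAW_TITLE = '<script>alert(1)</script> & "x"'


def store_verbatim(title: str) -> str:
    """Store exactly what the user typed; every output path must encode."""
    return title


def store_pre_escaped(title: str) -> str:
    """'htmlspecialchars before it hits the DB': HTML entities baked in."""
    return html.escape(title, quote=True)


def repair_pre_escaped(stored: str) -> str:
    """The html_entity_decode step you need once entities are in the DB."""
    return html.unescape(stored)


def render_html(stored: str) -> str:
    """HTML body context: entity-encode at output time, unconditionally."""
    return f"<h1>{html.escape(stored, quote=True)}</h1>"


def render_json(stored: str) -> str:
    """JSON context (e.g. an API that feeds the front page via JS)."""
    return json.dumps({"title": stored})


def decode_json_title(doc: str) -> str:
    """What a JS client actually receives after parsing the JSON."""
    return json.loads(doc)["title"]


def render_link(stored: str) -> str:
    """URL query context: percent-encode; HTML entities are wrong here."""
    return "/search?q=" + quote(stored, safe="")


if __name__ == "__main__":
    for name, store in (("verbatim", store_verbatim), ("pre-escaped", store_pre_escaped)):
        s = store(RAW_TITLE)
        print(f"--- {name}")
        print("html:", render_html(s))  # pre-escaped shows &amp;lt; double-encoding
        print("json:", render_json(s))  # pre-escaped leaks &lt; into the JSON
        print("link:", render_link(s))  # pre-escaped yields %26lt%3B in the URL
```

With verbatim storage every context is correct and a sanitizer fix is a one-place change in the renderer; with pre-escaped storage the HTML view double-encodes and the JSON and URL views carry entities that must be decoded again.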
-
This could get confusing.
-
Like Burns avatars?
-
Worse, because at least the burns avatars are differentiable.
-
They are now.
-
Is this better?
Edit: anyone else seeing a completely blank avatar now for me?
-
Yup, that's what I'm seeing. Except in the little 'reply to area' where I see a face instead.
-
Ah Discourse, TRWTF.
-
Is this better?
Edit: anyone else seeing a completely blank avatar now for me?
Can I recommend the following?
http://www.happytoydepot.com/images/store/items/swvwdrthmaul.jpg
-
Yes it is.
-
I approve.
Edit: except it still doesn't seem to work properly. What a twist!
-
I approve.
Edit: except it still doesn't seem to work properly. What a twist!
Give it a few minutes. Discourse takes a while to update everything.
-
Give it a few minutes. Discourse takes a while to update everything.
So it does. How bizarre, I don't think I've ever seen forum software that has a delay on uploading an avatar before...
-
I don't think I've ever seen forum software that has a delay on uploading an avatar before...
Discourse is the first of its kind in many aspects.
Filed under: Most of them negative.
-
I certainly haven't, and I've had the circumstance to review a number of them.
-
Oh, I've seen both ways go wrong too. It's just been my experience that getting the data to some semblance of 'safe' (i.e. htmlspecialchars before it hits the DB) is usually the lesser of the evils.
At least now, if anyone does happen to find a/an* XSS, you can actually fix it without having to update all posts in the database. Imagine you forgot to blacklist a tag, or accidentally whitelisted a tag, that allows javascript, or the sanitation turns out to be slightly wrong (see 4images). If it's sanitised in the database, you're screwed. You're probably going to have to write a script to fix it otherwise.
And you know, Discourse, with this many WTF's, there are bound to be some of those, right?
*) Damn it, is it "a XSS" or "an XSS"? As in: "an ex-ess-ess" or "a cross site scripting"?
-
Usually it's 'an XSS'.
On the other hand, if you're blacklisting tags you deserve every single thing you get to go wrong anyway. Start by locking everything down and selectively permitting content.
-
It's not delayed uploading an avatar, you can upload hundreds of images in a row. It's just slow updating your --posted-- avatar image (though reply to and profile view are fine).
-
Most people say it as 'an XSS', but most people are also grammatically wrong.
Unless you're pronouncing it with an 'e', then who the fuck knows.
-
I tend to pronounce it as an initialisation rather than attempting to make it an acronym thus, "X-S-S", and since with my accent, X on its own is 'ecks', 'an' is the correct way to go.
-
Who's breaking anything, PJH? We give you the benefit of the doubt: If you programmed the site to allow us to put Mr Burns on the front page, you must want us to do so.
So, thanks for allowing us to mess with the front page!
-
I pronounce x as /x/.
-
Discourse is the first of its kind in many aspects.
Filed under: Most of them negative.
You couldn't perhaps give an example of a positive aspect?
-
Unless you're pronouncing it with an 'e', then who the fuck knows.
I generally pronounce it with 'i'. XSS OTOH tends to be ex-ess-ess.
-
Front page programming (the stuff this topic broke) is Alex's responsibility, not Jeff's.
Play nicely.
-
You couldn't perhaps give an example of a positive aspect?
Everyone loves infiniscroll.