:fa_bullhorn: The sound of AN ANNOUNCEMENT BEING MADE (or: Request for Comments: Comments)
-
so having a bot running off an account is pretty simple to clean up after.
Except you can get hit hard on "reputation"-- both in terms of Google dropping SEO ranking or even marking the site as "dangerous"-- and the reputation of visitors who will stop trusting the site when half the comments they see are spam.
Defense in depth-- and up front hardened defense is the best.
-
Whaaa?
You mean when you're submitting HTML snippets to a server? Yeah, that's on purpose. It's a security feature.
Yes, I mean that. Yes, I know it's a security feature. It was created way back in the day, before WYSIWYG on HTML pages was a thing. I am almost certain the newer versions of the framework implement a different logic, unless they kept it stupid to preserve backwards compatibility.
It's a bad security feature, because the only way to do something common on one field (submit HTML via wysiwyg) is to disable the entire security feature on the entire page.
Plus it's a very bad security feature, because it leads designers to believe that the input they're getting is "safe" and shouldn't be further screened for purple dildos.
-
Fun fact, the PHP implementation of reCaptcha is a bloated warthog mess and I replaced it when implementing it in our platform with a class I made that does everything (output the thing, validate the thing) in about 100 lines of PHP.
Is it your own code or NDA? I'm going to be doing the same thing to make reCAPTCHA work on a PHP WordPress plugin I'm working on. Can you send teh codez?
-
NDA but in reality it isn't hard at all. Rendering it is two lines of HTML, validation is pretty much taking the form value and constructing a cURL request to el Goog with the form value and secret key and parsing the response.
The full example on GitHub is massively more complex than it needs to be for some goddamn reason.
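The validation flow the poster describes, written out as an added Python example (it is not the poster's NDA'd PHP class and not Google's GitHub sample): the two lines of HTML that render the widget, and a server-side check that POSTs the form value plus the secret key to the siteverify endpoint and parses the JSON it returns. The HTTP transport is a parameter so the logic can run offline against a constructed response; the site key, secret and hostname values are placeholders. One thing the "parse the response" step should include is a hostname comparison, so a token solved elsewhere with the same key is not accepted.

```python
"""reCAPTCHA v2: render the widget, verify the form value server-side.

Added example. Uses the documented siteverify endpoint; the HTTP
transport is injectable so the verification logic can be exercised
offline with a constructed JSON body. Keys below are placeholders.
"""
import json
import urllib.parse
import urllib.request
from html import escape
from typing import Callable, Optional

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def render_widget(site_key: str) -> str:
    """The two lines of HTML: the widget container and the script include.
    The solved challenge arrives in the g-recaptcha-response form field."""
    return (
        f'<div class="g-recaptcha" data-sitekey="{escape(site_key, quote=True)}"></div>\n'
        '<script src="https://www.google.com/recaptcha/api.js" async defer></script>'
    )


def _post(url: str, data: dict) -> str:
    """Default transport: form-encoded POST, returns the body as text."""
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(url, body, timeout=5) as resp:
        return resp.read().decode()


def verify_response(secret: str,
                    response_token: str,
                    expected_hostname: Optional[str] = None,
                    remote_ip: Optional[str] = None,
                    post: Callable[[str, dict], str] = _post) -> bool:
    """Validate the g-recaptcha-response value with Google.

    Returns True only when Google reports success and, if a hostname is
    given, the token was solved on that hostname. Every failure path
    (empty token, transport error, non-JSON body) fails closed.
    """
    if not response_token:
        return False  # user submitted without solving; skip the round trip
    data = {"secret": secret, "response": response_token}
    if remote_ip:
        data["remoteip"] = remote_ip  # optional, lets Google correlate abuse
    try:
        result = json.loads(post(SITEVERIFY_URL, data))
    except (ValueError, OSError):
        return False  # network problem or garbage body: treat as not verified
    if result.get("success") is not True:
        return False  # error-codes, if present, say why; not needed for the decision
    if expected_hostname and result.get("hostname") != expected_hostname:
        return False  # token solved on a different site using our public key
    return True


if __name__ == "__main__":
    print(render_widget("PLACEHOLDER_SITE_KEY"))
    # Real verification would call verify_response(secret, form["g-recaptcha-response"], "example.com")
```

In a form handler the call is `verify_response(SECRET, request.form["g-recaptcha-response"], "example.com", remote_ip=request.remote_addr)`, and anything that returns False is rejected before the comment is stored.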
-
@Lorne_Kates said:
It's a bad security feature, because the only way to do something common on one field (submit HTML via wysiwyg) is to disable the entire security feature on the entire page.
I seem to recall you can do it for specific form fields, at least in WebForms.
If you're not using a system where the page is both rendered and processed via C# (for example, a REST API in WebAPI), I don't see how it could be possible to enable the feature on a field-by-field basis. Maybe I'm missing something obvious.
@Lorne_Kates said:
Plus it's a very bad security feature, because it leads designers to believe that the input they're getting is "safe" and shouldn't be further screened for purple dildos.
I could be wrong, but I'm wagering Microsoft did their homework before implementing it.
-
I seem to recall you can do it for specific form fields, at least in WebForms.
Not in 3.5. Page.ValidateRequest or GTFO
I could be wrong, but I'm wagering Microsoft did their homework before implementing it.
That's not a wager I'd make in any case.
https://msdn.microsoft.com/en-us/library/hh882339(v=vs.110).aspx?f=255&MSPPError=-2147217396
.NET Framework 4.5
Request validation is a feature in ASP.NET that examines an HTTP request and determines whether it contains potentially dangerous content. In this context, potentially dangerous content is any HTML markup or JavaScript code in the body, header, query string, or cookies of the request. ASP.NET performs this check because markup or code in the URL query string, cookies, or posted form values might have been added for malicious purposes.
-
Okay, peoples:
Here's the ugly login page I just made:
https://tdwtf.local.lubar.me/login
Right now it supports NodeBB.
Here's the full implementation in 38 lines of C#:
Here's the list of commands I used to install NodeBB if anyone wants to repro: https://docs.google.com/document/d/1YKBtxUtrueaV3STi2RJuN07SZD9_tk4o-b3gwMXvybc/edit#heading=h.gsg739x12ug
Once it's installed, you'll need the nodebb-plugin-ns-login plugin and then you're good to go.
-
https://tdwtf.local.lubar.me/articles/comments/comment-testing-article
You can add addendums to comments that you made while logged in less than 48 hours ago.
The edit link is always there, but it's hidden client side unless you have javascript enabled and are logged in as a user with the same display name as the comment author. The server does the actual checking to see if you're the right person once you click the edit link, but the article comments page gets cached so that wouldn't work there. Also it's not like I'm going to display login tokens or IP addresses to non-admins.
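The ownership rule described in the post, as an added Python sketch (the site's real implementation is C# and is not shown here): hiding the edit link is a client-side convenience keyed on display name, while the server decides on the authorization token and the 48-hour window. The comment, token and timestamp values are constructed for the example, and the token is compared in constant time since it is the only thing standing in for an identity.

```python
"""Server-side append check for comments, as an added example.

Mirrors the rule stated in the thread: an addendum is allowed only to the
holder of the same authorization token that posted the comment, and only
within 48 hours of posting. Sample data below is constructed.
"""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EDIT_WINDOW = timedelta(hours=48)


@dataclass(frozen=True)
class Comment:
    comment_id: int
    author_token: str   # opaque token recorded at post time; never shown to non-admins
    display_name: str   # what the page shows and what the client keys the link on
    posted_at: datetime


def may_append(comment: Comment, presented_token: Optional[str], now: datetime) -> bool:
    """Authoritative check, run by the server when the edit link is followed."""
    if not presented_token:
        return False
    # Constant-time compare so a wrong token does not leak how close it was.
    if not hmac.compare_digest(presented_token.encode(), comment.author_token.encode()):
        return False
    age = now - comment.posted_at
    return timedelta(0) <= age <= EDIT_WINDOW


def should_show_edit_link(comment: Comment, viewer_display_name: Optional[str]) -> bool:
    """Client-side convenience only. Display names are not identities, so this
    decides whether to render the link, never whether the edit is allowed."""
    return viewer_display_name is not None and viewer_display_name == comment.display_name


# Constructed sample data.
SAMPLE_POSTED_AT = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = Comment(1, "token-of-alice", "alice", SAMPLE_POSTED_AT)


def hours_after_post(hours: float) -> datetime:
    """Clock value `hours` after the sample comment was posted."""
    return SAMPLE_POSTED_AT + timedelta(hours=hours)


if __name__ == "__main__":
    print(may_append(SAMPLE, "token-of-alice", hours_after_post(1)))     # True
    print(may_append(SAMPLE, "token-of-alice", hours_after_post(49)))    # False
    print(may_append(SAMPLE, "token-of-mallory", hours_after_post(1)))   # False
    # Same display name, wrong token: link would be shown, edit still refused.
    print(should_show_edit_link(SAMPLE, "alice"))                        # True
```

The cached article page makes the client-side check unreliable anyway, which is the reason the page's author puts the real decision on the server; the split above keeps that order of trust explicit.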
-
Ok, so it currently supports Google and NodeBB login. What else should I add support for?
[poll type="multiple"]
- GitHub
- Yahoo
- Other (write-in)
[/poll]
-
it really needs to support E_FILE_NOT_FOUND authentication.
also, how's that import script going?
-
I'd consider using Twitter.
BTW, do you allow multiple logins to an account? Like can I have both Twitter and a username/password? Because if you don't you should.
-
The comments section doesn't have a concept of accounts - just authorization tokens that are arbitrary strings.
-
Oh, I thought you were talking about logins to the new forums. Nevermind then I guess.
-
Ok, so here's a representative part of Yahoo's API:
Request: https://social.yahooapis.com/v1/me/guid?format=json
Response:
{ "guid": { "uri": "https:\/\/social.yahooapis.com\/v1\/me\/guid", "value": "12345" } }
Makes total sense, right? GUIDs are always five digit numbers and HTTP clients quite often forget the URL they gave the server so it's good that they gave that back. And JSON can only handle a single property in the root element that has to have the same name as the last path element of the URL.
Ok, on to the next part, because getting a user's name should totally take a minimum of four HTTP requests:
https://social.yahooapis.com/v1/user/{guid}/profile
https://social.yahooapis.com/v1/users.guid({guid1},{guid2},{guid3})/profile
Okay, so given those two addresses and the one above, you'd think https://social.yahooapis.com/v1/me/profile should work, right? Well it's a 404.
Ok, so we now have the user's nickname. How do we get their email address?
Turns out you can only read their email address if you request write access to their entire account.
-
Turns out you can only read their email address if you request write access to their entire account.
Well that's logical.
Clearly that's how it should work, since...
Well... yeah, I don't get it.
-
You realize Yahoo is only still in business because of a (lucky) investment in Alibaba?
-
HTTP clients quite often forget the URL they gave the server so it's good that they gave that back.
I can almost rationalize that for an AJAX request-- since your OnComplete might not have access to the request-- or there might have been some 301 fuckery and that's the actual endpoint.
But Yahoo! ~= Discourse in terms of fuckery.
Also, as for the "Write In": I want to be able to log in with my CS Forum account from forums.thedailywtf.com
-
@Lorne_Kates said:
I want to be able to log in with my CS Forum account from forums.thedailywtf.com
Considering authentication there is disabled, I imagine that's going to be a bit difficult.
-
@Lorne_Kates said:
I want to be able to log in with my CS Forum account from forums.thedailywtf.com
Considering authentication there is disabled, I imagine that's going to be a bit difficult.
I bet I could write an API...
Filed under: Yes, I know which way the Bad Ideas thread is...
-
Well, your CS account got migrated to Discourse and that's going to get migrated to NodeBB, so CLOSED_NOCHANGE.
-
I just lazily deleted the login page and the links to it. I imagine the code that does the CS login still exists in the site's DLL.
Except now I regret saying that because someone here's going to be a complete asshole and start trying to hack it.
-
How about https://sts.windows.net/ ?
-
Well, your CS account got migrated to Discourse and that's going to get migrated to NodeBB, so CLOSED_NOCHANGE.
Didn't it get renamed during the first migration?
-
@PleegWat said:
Didn't it get renamed during the ~~first migration~~ Trail of Tears?
FTFY
-
Okay, guys, seriously. I know we like to push boundaries when we're joking, but I have to draw the line at making light of real, historic atrocities.
Enough with the hyperbole. The Trail of Tears was nowhere near as bad as a Discourse migration.
Now can we please get this piece of shit software loaded onto some boxcars and ship it straight to the gas chamber? Thanks.
-
Showing 35 changed files with 437 additions and 962 deletions.
-
remove all references to Discourse
This is officially the best sentence to ever be posted to any instance of Discourse.... ever.
-
Project status: We're currently blocked on this issue:
Apart from that, improving the layout/formatting of the comments page is all that's left.
-
Add a "blocker" tag.
-
I can't add tags to bugs on repos I don't manage.
-
Do it anyway.
-
16:37 < BenLubar> ok so it looks like the nodebb importer base is set up to completely break categories if it gets interrupted mid-import
16:38 < Kuro_> BenLubar: have you tried to not interrupting it mid import
16:38 < Kuro_> ?
16:38 < Kuro_> I think that might solve your issue
16:39 < BenLubar> Kuro_: I'll try that right now
16:39 < BenLubar> brb in like 40 hours
16:39 < Kuro_> BenLubar: if it works, I want partial credit!
-
I think Discourse thinks that's C#. Any other languages have a "partial" keyword? Wait, it's also highlighting "like". Hm. SQL?
-
According to the page source, VB.NET.
-
TIL VB.Net has a "like" operator.
I suppose it makes sense that it also has "partial", since it has the same reasons to have "partial" as C# does.
-
I just got a
504 OK
trying to like your post. Guess it was a bad idea.
-
every barrier you put in front of posting, even if it is only a bloody checkbox, will cause annoyance to your users, it will cause at least some of them to go "fuck this!" and leave, it WILL degrade the user experience.
For some, even having to write some actual content is a barrier. We should totally have a big red button "Comment on this", you press it, the comment writes itself.
-
So... reinvent 'Yo'?
-
No idea what it is...
-
It's an instant messaging app with one button that simply says 'Yo'
-
Yo
-
Ah that.
I thought of poking into a hivemind neural network trained on the whole content of TDWTF, so it writes a paragraph or two based on that.
I really doubt it would be much distinguished from what one was going to write, anyway.
-
I thought of poking into a hivemind neural network trained on the whole content of TDWTF
Been there, done that.
-
Current status: contacting a turd
I'm going to steal this and make it my status everywhere.
-