:fa_bullhorn: The sound of AN ANNOUNCEMENT BEING MADE (or: Request for Comments: Comments)
-
Maybe some BBCode variant is better? I mean how much markup do we really need? [B], [I],[URL], [CODE], and [QUOTE], right?
And [U], for the 1.7 people that will use it
-
And
[CORNIFY]
.
-
Why not directly allow a subset of HTML? We don't need script, style or iframe (God forbid) but we must be smart enough to be able to use it properly.
-
Because sanitising HTML is surprisingly hard as CS taught us.
"I agree with whatever Morbs just said."
-
Parp!
-
@apapadimoulis said:
I mean how much markup do we really need? [B], [I],[URL], [CODE], and [QUOTE], right?
Also [FA-SPIN].
sorry, no longer welcome here
-
I have cornified this topic, pray I don't cornify it further.
-
And even worse, the situations where you need to escape them, but escaping doesn't work, and you get a literal \ in the post. Maybe `&shy;` or `&zwnj;` will work, or maybe not. Or maybe it will break in new and unexpected ways; WTF, Discourse, how have you managed to misformat this so badly?
-
Seems like Discourse thinks you wanted to escape the first closing `. You wanted to do `\`. Don't look at the raw for how I did that. Your eyeballs might melt.
-
Hey, I'm sure I can necro it in just a few months, if you'd like. Assuming that Dicksauce (or whatever replaces it) still keeps serving crufty old posts in the 'New Posts' section for me to make fun of.
-
\`
?Body is invalid; try to be a little more descriptive
-
Because sanitising HTML is surprisingly hard as CS taught us.
Not really. It's just surprisingly easy to overlook things that would break it. It's not that hard to verify that all tags are matching and nested correctly. And the code needs to be aware of different ways things can be escaped, so that it can unescape if necessary.
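Since "easy to overlook things" is the whole problem, here is what an allowlist sanitiser for the tags this thread wants (bold, italic, underline, links, code, quotes, ins/del) looks like in practice. This is an added example for this page, not code from Discourse, NodeBB or WtfWebApp; it uses Python's standard-library html.parser, and the tag set, the attribute allowlist, the "drop the content too" elements and the URL scheme check are my assumptions about what a comment system would want. It re-serialises the fragment from a parse tree, so the browser never sees the poster's original bytes, verifies nesting with a stack as the post above describes, and handles the cases that regex-based filters typically miss: entity-encoded or whitespace-padded `javascript:` hrefs, event-handler attributes, mis-nested and unclosed tags, and script bodies.

```python
"""Allowlist HTML sanitiser for forum comments (illustrative, not any project's code)."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: the HTML equivalents of [B], [I], [U], [URL], [CODE], [QUOTE], [INS], [DEL].
ALLOWED_TAGS = {"b", "i", "u", "a", "code", "blockquote", "ins", "del", "p", "br"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}          # everything else (onclick, style, ...) is dropped
DROP_CONTENT_TAGS = {"script", "style", "iframe"}   # drop the element AND its text
SAFE_SCHEMES = {"http", "https"}
# ASCII control characters and whitespace that browsers ignore inside a URL scheme.
_CTRL_OR_WS = re.compile(r"[\x00-\x20\x7f]")


def safe_href(value):
    """Return a cleaned href, or None if its scheme is not allowed."""
    # HTMLParser has already decoded entity references (&#106;avascript: -> javascript:),
    # so strip the characters browsers ignore and compare the scheme case-insensitively.
    cleaned = _CTRL_OR_WS.sub("", value)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":                      # relative link: no scheme to abuse
        return cleaned
    return cleaned if scheme in SAFE_SCHEMES else None


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []               # stack used to verify nesting
        self.dropping = 0                 # > 0 while inside <script>/<style>/<iframe>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return                        # unknown tag: dropped, but its text is kept
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue              # javascript:, data:, ... never survive
            rendered.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.dropping:
                self.dropping -= 1
            return
        if self.dropping or tag not in self.open_tags:
            return                        # stray close tag: ignored
        # Close everything opened after this tag as well, so the output nests correctly.
        while True:
            open_tag = self.open_tags.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))

    # Comments, <!DOCTYPE ...> and <?...?> hit HTMLParser's no-op handlers and are dropped.

    def result(self):
        self.close()
        while self.open_tags:             # unclosed tags are closed at the end
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Sanitise one comment body (a constructed HTML fragment) and return safe HTML."""
    s = CommentSanitizer()
    s.feed(fragment)
    return s.result()


if __name__ == "__main__":
    # Constructed inputs covering the cases a naive filter gets wrong.
    for sample in ('<b><i>x</b>y</i>',
                   '<a href="&#106;avascript:alert(1)" onclick="x()">x</a>',
                   '<blockquote>unterminated <script>alert(1)</script>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The check worth noticing is that the scheme test runs on the value after the parser has decoded entities, because that is the value a browser would act on; a filter that greps the raw bytes for `javascript:` sees `&#106;avascript:` as harmless.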
-
Seems like Discourse thinks you wanted to escape the first closing `.
Indeed. It was fine until I started adding more `s; then it decided to escape the earlier one. If I added another \ to try to get it to treat the \ as a literal instead of an escape character, then I got proper interpretation of the `s, but both \ characters (i.e., \\) appeared literally in the result. So the \ is treated as both an escape character and a literal, at the same time.
-
Look, I'm not a very demanding person in general.
QFBS
I am utterly astonished at this assertion.
-
And [U], for the 1.7 people that will use it. Oh, and [INS] / [DEL] of course!
FTFY
Captcha: I'm overdoing it, ain't I?
-
Things that people agree on (or only one person has suggested and nobody has shot down):
- Allow authors to feature comments on their own articles (in addition to admins being able to feature/edit/delete comments anywhere)
- No XSS
- Don't buy cars from @end
Since the markup language seems to be the biggest disagreement, here's a poll:
[poll]
- CommonMark
- BBCode
- safe subset of HTML
[/poll]
-
BBCode. Seriously, why can't we just BBCode? Every forum I've ever been on has used BBCode. Plebes, newbs and grand-nongenderedAncestors all know how to use BBCode just fine. There are a billion and a half bb-code enabled WYSIWYG editors. It is a fixed. Solved. Work already done.
Here, let me just accentuate my post with a very subtle, understated and tiny-fonted hashtag:
#FuckMarkdown
-
Where's the "BBCode and safe subset of HTML" option?
-
Not saying it's a good idea.... but doesn't Disco support like, all three ([b],< b >, STARSTAR), at once?
[b]bold[/b]
bold
bold
Oh shit, yes. Looks like it does. no idea how to escape it though.
-
Like the poll (currently almost evenly split among the options), I don't have a strong preference for one over another. Pick a forum software (which seems to be NodeBB, apparently), and use whatever markup it supports out of the box.
-
Not saying it's a good idea.... but doesn't Disco support like, all three ([b],< b >, STARSTAR), at once?
[b]bold[/b]
bold
bold
Oh shit, yes. Looks like it does. no idea how to escape it though.
[b]bold[/b]
<b>bold</b>
**bold**
Or...
[b]bold[/b] <b>bold</b> **bold**
-
But the dipshit who invented Markdumb originally made it work that way so now every other implementation has to have that stupid malbehavior too!
-
@Lorne_Kates said:
Here, let me just accentuate my post with a very subtle, understated and tiny-fonted hashtag:
#FuckMarkdown
Don't hold back, Lorne, tell us how you really feel.
Is anyone surprised that quoting destroyed the formatting? Anyone? Anyone?
-
Is anyone surprised that quoting destroyed the formatting? Anyone? Anyone?
#FuckDiscourse
-
Not saying it's a good idea.... but doesn't Disco support like, all three ([b],< b >, STARSTAR), at once?
bold****strong text
bold****strong text
bold****strong text
Oh shit, yes. Looks like it does. no idea how to escape it though.
[url="https://what.thedailywtf.com/t/book-teh-o-cial-discopaedia-abarker-creator-and-prophet-of-the-discopaedia/3866/752?u=lorne_kates"]Disclosed tagged that for you[/url]
-
Does this place look like Twitter?!
You're right, I should have paid some more thought to my audience.
Filed under: Fuck Discourse
-
Why not abuse the onebox plugin to onebox the front page article in the forum post? I agree separating them is bad but I don't like having that transition page either
-
How does that even parse from raw to cooked‽
-
Discoursistently?
-
no idea how to escape it though.
It's Discourse. There is no escape.
Filed Under: Oh, you were talking about the markup?
-
So I looked up possible .NET libraries for reCAPTCHA, because the one in WtfWebApp only implements version 1 of the protocol and you need version 2 to have the super-simple "check this box if you are human" CAPTCHA.
I found a few things on NuGet that were either severely lacking features (such as the ability to generate the HTML needed for the CAPTCHA to show up on the page) or they pulled in huge amounts of dependencies which included a different version of ASP.NET than what the site uses.
Also, the original reCAPTCHA client project was on Google Code (I saw @PJH in the changelog. Hi, @PJH!) so obviously they must have transferred it to GitHub during that huge migration they did, right?
That's a PHP implementation of reCAPTCHA on top and a Java "implementation" of reCAPTCHA on the bottom. Let's start with the Java one.
https://github.com/google/recaptcha-java/blob/master/appengine/README.md
https://github.com/google/recaptcha-java/blob/master/appengine/src/main/java/com/google/recaptcha/STokenUtils.java#L74-L82
That should be enough for you to judge the quality of the project.
The PHP one, surprisingly, is actually a full implementation. Seemingly the ONLY full implementation of reCAPTCHA v2 that exists anywhere. So I guess I'll be porting the important bits of that, then.
Edit: Wait, WTF was all that encryption stuff for if the API is just "give key to server, get result"?
-
I honestly don't think it would be that hard to roll one.
- Public and private keys go in db
- Same with some other settings, like theme style
- Output a bug-ass standard <script> tag, as described in the Gaggle docs.
- Gurgle handles all the client-side shit
- OnSubmit, it's a server-to-server API call with the input from the hidden field, your private key, and a couple other fields
- React to the response as needed
Wrap it in AJAX as needed on the login and comment pages, sending back sane error codes OnRequestComplete.
Nearly every CAPTCHA library is shit, and will break, and you won't be getting any support for it. You're going to write your own anyways, so doit().
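The server-to-server step in that list, as an added example for this page (not WtfWebApp's code and not a port of the PHP library mentioned above): a Python function that posts the token from the hidden field together with the secret to the siteverify endpoint and treats anything other than a successful JSON reply for the expected hostname as a failed check. The endpoint URL, field names and reply keys are the documented reCAPTCHA v2 ones; the transport is injectable so the constructed replies in the demo run offline, and the `fake_siteverify` helper, the hostname and the token values are constructed for the example.

```python
"""reCAPTCHA v2 server-side verification (illustrative; not WtfWebApp's code)."""
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"   # documented v2 endpoint
RESPONSE_FIELD = "g-recaptcha-response"                           # hidden field the widget fills in


def http_post(url, fields, timeout=5):
    """Real transport: form-encoded POST, JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def verify_captcha(secret, form, client_ip, expected_hostname, post=http_post):
    """Return (ok, reason) for one form submission.

    `secret` is the site's private key, `form` the posted fields, `post` the
    transport (injectable so the check can be exercised without network access).
    """
    token = form.get(RESPONSE_FIELD, "")
    if not token:
        return False, "missing-token"
    fields = {"secret": secret, "response": token, "remoteip": client_ip}
    try:
        reply = post(VERIFY_URL, fields)
    except Exception as exc:              # network error or bad JSON: fail closed
        return False, f"verify-unreachable: {exc.__class__.__name__}"
    if reply.get("success") is not True:
        return False, ",".join(reply.get("error-codes", ["unknown"]))
    # A token solved on someone else's site is still not a token for ours.
    if reply.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    return True, "ok"


def fake_siteverify(reply):
    """Constructed stand-in transport that returns `reply` without touching the network."""
    def post(url, fields):
        if url != VERIFY_URL or not fields.get("secret") or not fields.get("response"):
            raise ValueError("request would have been rejected by siteverify")
        return reply
    return post


if __name__ == "__main__":
    # Constructed submission and replies; "forum.example" stands in for the real host.
    form = {RESPONSE_FIELD: "constructed-token"}
    for reply in ({"success": True, "hostname": "forum.example"},
                  {"success": True, "hostname": "other.example"},
                  {"success": False, "error-codes": ["timeout-or-duplicate"]}):
        print(reply, "->", verify_captcha("SECRET", form, "203.0.113.5", "forum.example",
                                          post=fake_siteverify(reply)))
```

The two checks that are easy to leave out are the hostname comparison and failing closed when siteverify cannot be reached; with only `success` checked, a reply for a token solved on another site, or no reply at all, would let the comment through.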
-
Here, everyone. Have fun with my test instance:
http://tdwtf.local.lubar.me/articles/comments/Enter_The_Matrix
-
Also, the original reCAPTCHA client project was on Google Code (I saw @PJH in the changelog. Hi, @PJH!)
No idea why - I don't remember actively contributing to the codebase. I was only on the user mailing list for a long while until (after Google acquired them) much needed list moderation became light to non-existent on it, so left.
Still get occasional mails from it due to the broken default reply action being to "mail both user you're replying to and the list" when people find one of my old mails to reply to.
Edit: Wait, WTF was all that encryption stuff for if the API is just "give key to server, get result"?
Fuck knows. Unless it's changed drastically since I last bothered looking at it.
-
Here, everyone. Have fun with my test instance:
http://tdwtf.local.lubar.me/articles/comments/Enter_The_Matrix
Getting 500 errors with naughty strings.
-
Posted some comments there (I see you saw them). Looking good so far, Ben. Good work.
-
From my system error log:
A potentially dangerous Request.Form value was detected from the client (body="..."'"''''" <foo val=“bar” /> <...").
A potentially dangerous Request.Form value was detected from the client (body="<div class="fa-spin"...").
-
.Net tends to completely shit itself when using anything wysiwyg. Maybe .Net 4+ is better at detecting actually "potentially dangerous" requests. .net 3.5 had so many false positives that the only solution was to turn off page-by-page request checking, and just ensure you harden your code.
-
@Lorne_Kates said:
Nearly every CAPTCHA library is shit, and will break, and you won't be getting any support for it. You're going to write your own anyways, so Dontdoit().
Filed under: post is not can't be empty
-
@Lorne_Kates said:
Nearly every CAPTCHA library is shit, and will break, and you won't be getting any support for it. You're going to write your own anyways, so Dontdoit().
Filed under: post is not can't be empty
reCAPTCHA is the least of all evils. If you have a better system for spam-prevention, this is an RFC thread. Let's hear it.