http://qs1969.pair.com?node_id=29054

Since I am firmly in the expose, don't hide camp, I would like to bring up a discussion about the fact the nodes on this site are editable by third parties. Not only can text be added, but annoying HTML markup and even javascript, which can be used to grab things that should not be (e.g. cookie info). How do we limit this? Nobody has a really malicious home node or post that I know of right now (although some log you out, which I find really rude), but it would be fairly easy to create a simple link in a post that would do Bad Things.

Perhaps we could limit HTML to simple things, like A, LI, OL, UL, etc. and only allow more advanced and/or easily abused things like FONT H1 SCRIPT to higher levels?

RE: Javascript and other evil goodies
by Adam (Vicar) on Aug 22, 2000 at 21:49 UTC
    This is a problem that should be solved with a scalpel, not a battle ax. One of the things that makes this site fun is its flexibility and creativity. We should not remove all of javascript just because it can be used to read cookies, we should just remove document.cookie. What we need is something that checks a post for validity and returns to the user with the post and the message, "This post is invalid, it uses forbidden blah blah blah" or something.
RE: Javascript and other evil goodies
by merlyn (Sage) on Aug 22, 2000 at 21:27 UTC
    And just to thwart it further, it has to be valid XHTML, so closing tags are not optional and attribute values have to be quoted.

    only half smiley, but it'd make validating against a DTD of permitted items fairly easy.

    -- Randal L. Schwartz, Perl hacker

RE: Javascript and other evil goodies
by le (Friar) on Aug 22, 2000 at 21:29 UTC
    I think this is a good idea, but I don't want evil tags to be used only by higher level monks. This is something like "All animals are equal, but some are more equal."

    I would only allow more or less harmless tags like A, I, B, lists a.s.o., for everybody here, regardless of level.

      I don't agree, there are lots of things that we only trust higher level monks with. There's no reason why this shouldn't be another one.

      Nuance

RE: Javascript and other evil goodies
by t0mas (Priest) on Aug 23, 2000 at 14:52 UTC
    Some thoughts of mine in this discussion (thanks for bringing it up turnstep):

    The Monastery Gates is in a bad neighbourhood called The Internet. On the internet there are all sorts of stuff, some bad, some good.

    Everyone knows that, and most people tolerate it or don't care.

    If you think of this site as a part of the internet, you'll be fine but if you try to think of it as your local network, you'll be lost.

    The "problem" with PM is that you start feeling at home here, and you would like it to be your local network :) Monks care when other monks get yelled at/downvoted without proper reasons and we have had much of those discussions the past few months. That's a good thing and nothing you'll see on many other sites around.

    The question that arises here is whether or not, and to what degree, we want to let the Internet mentality enter The Monastery Gates. Is it possible to have a place like PM in our neighbourhood? I don't know. On the Internet, I don't go to sites with annoying HTML markup or embedded MIDI music (how can anyone like that!) and I disable JavaScript, ActiveX, etc. when I enter an unknown/distrusted site. Or use Lynx.

    In the PM site, I don't push those home node buttons and I would stop visiting home nodes with broken HTML or other irritating content. The thing that I really would dislike would be if something happened behind my back, e.g. onLoad="make_t0mas_annoyed();", out of my control... A node with such content would be a clear candidate for Nodes To Consider and deletion IMO.

    A rule would make me happy:
    Nothing on the PM site is supposed to happen without me saying so. If I click on a "Please erase my disk" button - it's my fault, but if I get the disk erased without saying so, I would get mad.

    I actually like JavaScript and good use of HTML tags, they can make a page shine a bit brighter, and I advocate their use. And I believe that the golden rule still stands: Do to others what you would have them do to you.

    /brother t0mas
RE: Javascript and other evil goodies
by KM (Priest) on Aug 22, 2000 at 21:28 UTC
    Personally, I would rather have JavaScript, Java, ActiveX, Flash, etc.. be stripped before posts to home nodes, or replies. Anything that could possibly be a security issue for the end user should be removed, IMO. Maybe allowing these things (well, not Java or ActiveX things) at higher levels is OK, since by time you are a higher level you have likely earned some 'trust'. Just my $.03

    Cheers,
    KM

      I would just like to make it clear, for the record, that I am a hypocrite. I've complained about anonymous -- votes before, but I couldn't be bothered to post a reason on this particular -- vote. I disagreed with KM's suggestion, voted it --, and moved on. Shame on me.

      The reason I voted it down is because I disagree with the idea that everything but HTML should be stripped from home nodes (on replies, I have no problem with it, but I didn't see that when I voted it down). Basically, a Monk's home node is their personal space (albeit freely granted by The Everything Development Company) and I can understand why they customize it. I can understand these things being security issues, but part of the problem here is striking a balance between diligence and freedom. Let's face it, one of the things that so many people find appealing about Perlmonks is the customization we can do.

      I have CSS on my home node, some have JavaScript, while others have forms that submit to CGI scripts. While I admit that sometimes these things get carried away, I feel that they add to the charm of this site. Yes, let's find ways to address security holes, but don't take away one of the things that makes Perlmonks special.

      Cheers,
      Ovid

      Update: Aargh! After reading through some of the comments and seeing some of the stuff that's going on in the chatterbox, I have to say that I was wrong in the above post. Sometimes kids need to have their toys taken away :(

        Basically, a Monk's home node is their personal space (albeit freely granted by The Everything Development Company) and I can understand why they customize it. I can understand these things being security issues, but part of the problem here is striking a balance between diligence and freedom. Let's face it, one of the things that so many people find appealing about Perlmonks is the customization we can do.
        Yes, and my physical home is also my home, but the law prevents me from storing dangerous chemicals or large animals here. It's called "public safety".

        I support free speech, but your right to free speech ends right at my browser, thank you. Browser programmability is unnecessary here at the monastery. If you wanna do that, link to your own website and put stuff there and invite us. I'd like the monastery to be a safe place.

        -- Randal L. Schwartz, Perl hacker

        For me your home node is now a visual booby-trap.

        Should embedded CSS become common, I will have to start consistently avoiding home nodes. If they become used elsewhere on a regular basis, I will stop visiting PM.

        BTW one concern of mine. I use a lot of Netscape. It is very easy to cause serious problems for Netscape without knowing it, and some here do not care. Should that become common, you will lose a lot more than just me...

        That's what we need more of in Discussion threads, actual discussion. Simply voting -- doesn't lend anything to the topic. In the midst of various opinions and ideas is usually a good compromise and solution.

        I agree that a home node is a personal space, per se. But, it can be exploited. I don't want to check out someone's home node (like a new user's) and have a barrage of windows opening, or be stuck in some Yes/No dialog box loop. Or have someone setting cookies, etc... We have various privileges at certain levels, and maybe using CSS and JavaScript should be privileges. I still think anything like Java apps or ActiveX should be disallowed. Use those things on your own pages off of this site (IMO).

        Let's keep the charm, but keep down the (possible) harm.

        Cheers,
        KM

        There is a difference between a poorly written node and a node you don't agree with.

        I was under the impression that you voted down poorly written nodes, not those that you disagree with.

RE: Javascript and other evil goodies
by athomason (Curate) on Aug 22, 2000 at 22:00 UTC
    I'll second the proposal with some reservations. First, a good definition of "unsafe tags" needs to be nailed down. I'm not sure what's allowed right now since I haven't submitted a broken post recently, but in theory even a stray </table> tag can cause trouble (anybody ever seen roblimo italicize an entire conversation?). Some of you might remember the CERT advisory on this very issue a few months ago. The range is extreme: obviously links to applets and ActiveX controls are dangerous, but what about malformed tables? Image tags linking to 800KB graphics? Forms?

    Also, "higher levels" should be a pretty conservative mark, I'd say around 3-4 at most. That keeps the AM trolls from doing damage without discouraging any newbies trying to post something fancy.

RE: Javascript and other evil goodies
by mikfire (Deacon) on Aug 22, 2000 at 21:49 UTC
    I agree with the learned brethren's comments, but I am uncertain it will work. I use href tags ( referring to other nodes on the site, referring to places not on the site, etc ) a lot. Once we allow href tags, do we really have any security? Can you write a parser that can tell the difference between me referring to myself ( like my sig ), using a mailto: tag ( several people like the "send email to x" sig ) and logging people out?

    mikfire

      This is perlmonks! If anyone can write a good perl script and/or a really interesting/efficient/accurate regular expression, we can! A parser to tell the difference between http://www.perlmonks.org and others, and only allow selective. No problem! :)
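As an added example (not PerlMonks code), here is a Perl allow-list filter in the spirit of the proposals above: it keeps only the simple tags turnstep listed, renders anything else (a stray </table>, a <script>) as visible text rather than markup, keeps only an href that points at this site, a relative path or mailto: (mikfire's question), and rebalances tags so the output is well-formed as merlyn asked. The tag list, the host check and the sample post are assumptions made for the example.

```perl
use strict;
use warnings;

# Tags the proposal calls "simple things" (assumed list); anything else becomes text.
my %ALLOWED = map { $_ => 1 } qw(a b i code p ul ol li br);
my %VOID    = (br => 1);                      # emitted as <br />, never pushed
# hrefs allowed to survive: this site, relative links, or mailto: (assumed policy)
my $HREF_OK = qr{^(?:https?://(?:www\.)?perlmonks\.org(?:[/?]|$)|[/?]|mailto:)}i;

sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

sub sanitize {
    my ($html) = @_;
    my ($out, @open) = ('');
    # split keeps each <...> as its own token; a bare '<' stays ordinary text
    for my $tok (split /(<[^>]*>)/, $html) {
        if ($tok !~ m{^<(/?)([A-Za-z][A-Za-z0-9]*)\s*(.*?)\s*/?>$}s) {
            $out .= escape_html($tok);            # ordinary text
            next;
        }
        my ($close, $name, $attrs) = ($1, lc $2, $3);
        if (!$ALLOWED{$name}) {                   # <script>, <font>, </table>...
            $out .= escape_html($tok);            # shown literally, not interpreted
            next;
        }
        if ($close) {                             # only close what is actually open
            if (@open && $open[-1] eq $name) { pop @open; $out .= "</$name>" }
            next;                                 # mismatched closers are dropped
        }
        if ($VOID{$name}) { $out .= "<$name />"; next }
        my $keep = '';                            # every attribute is dropped...
        if ($name eq 'a'
            && $attrs =~ /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i) {
            my $url = defined $1 ? $1 : defined $2 ? $2 : $3;
            $url =~ s/^\s+|\s+$//g;
            $keep = ' href="' . escape_html($url) . '"' if $url =~ $HREF_OK;
        }                                         # ...except a vetted href
        $out .= "<$name$keep>";
        push @open, $name;
    }
    $out .= "</$_>" for reverse @open;            # close anything left open
    return $out;
}

# constructed sample post: an event handler, a script-scheme link and an unclosed list
print sanitize(q{<b onclick="steal()">hi</b> <a href="javascript:steal()">me</a><ul><li>one}), "\n";
```

The output keeps <b>, the link text and the list, but without the onclick, without the javascript: href, and with the list closed; a tag-level allow-list like this is what makes the "only some tags for some levels" policy enforceable, since the same %ALLOWED table can simply vary by monk level.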