monkdiscuss
turnstep
<P>Since I am firmly in the
<A HREF="http://www.securityfocus.com/forums/bugtraq/faq.html"
>expose, don't hide</A> camp, I would like to bring up a
discussion about the fact the nodes on this site
are editable by third parties. Not only can text be added,
but annoying HTML markup and even javascript, which can
be used to grab things that should not be (e.g. cookie
info). How do we limit this? Nobody has a really malicious
home node or post that I know of right now (although some
log you out, which I find really rude), but it would
be fairly easy to create a simple link in a post that
would do Bad Things.</P>
<P>Perhaps we could limit HTML to simple things, like
A, LI, OL, UL, etc. and only allow more advanced and/or
easily abused things like FONT H1 SCRIPT to higher levels?</P>
<!-- Disclaimer: Yes, I use javascript on my home node.
It grabs the monks username from the cookie, so I can
keep the card playing fairly honest. Easily removed,
though, without any griping. I will follow any policy
enacted by consensus and/or the Powers That Be.
-->