
RE: Javascript and other evil goodies

by KM (Priest)
on Aug 22, 2000 at 21:28 UTC

in reply to Javascript and other evil goodies

Personally, I would rather have JavaScript, Java, ActiveX, Flash, etc. be stripped before posts to home nodes, or replies. Anything that could possibly be a security issue for the end user should be removed, IMO. Maybe allowing these things (well, not Java or ActiveX things) at higher levels is OK, since by the time you are a higher level you have likely earned some 'trust'. Just my $.03


Replies are listed 'Best First'.
(Ovid) RE(2): I voted -- and I am a hypocrite.
by Ovid (Cardinal) on Aug 22, 2000 at 22:05 UTC
    I would just like to make it clear, for the record, that I am a hypocrite. I've complained about anonymous -- votes before, but I couldn't be bothered to post a reason on this particular -- vote. I disagreed with KM's suggestion, voted it --, and moved on. Shame on me.

    The reason I voted it down is because I disagree with the idea that everything but HTML should be stripped from home nodes (on replies, I have no problem with it, but I didn't see that when I voted it down). Basically, a Monk's home node is their personal space (albeit freely granted by The Everything Development Company) and I can understand why they customize it. I can understand these things being security issues, but part of the problem here is striking a balance between diligence and freedom. Let's face it, one of the things that so many people find appealing about Perlmonks is the customization we can do.

    I have CSS on my home node, some have JavaScript, while others have forms that submit to CGI scripts. While I admit that sometimes these things get carried away, I feel that they add to the charm of this site. Yes, let's find ways to address security holes, but don't take away one of the things that makes Perlmonks special.


    Update: Aargh! After reading through some of the comments and seeing some of the stuff that's going on in the chatterbox, I have to say that I was wrong in the above post. Sometimes kids need to have their toys taken away :(

      Basically, a Monk's home node is their personal space (albeit freely granted by The Everything Development Company) and I can understand why they customize it. I can understand these things being security issues, but part of the problem here is striking a balance between diligence and freedom. Let's face it, one of the things that so many people find appealing about Perlmonks is the customization we can do.
      Yes, and my physical home is also my home, but the law prevents me from storing dangerous chemicals or large animals here. It's called "public safety".

      I support free speech, but your right to free speech ends right at my browser, thank you. Browser programmability is unnecessary here at the monastery. If you wanna do that, link to your own website and put stuff there and invite us. I'd like the monastery to be a safe place.

      -- Randal L. Schwartz, Perl hacker

      For me your home node is now a visual booby-trap.

      Should embedded CSS become common, I will have to start consistently avoiding home nodes. If they become used elsewhere on a regular basis, I will stop visiting PM.

      BTW one concern of mine. I use a lot of Netscape. It is very easy to cause serious problems for Netscape without knowing it, and some here do not care. Should that become common, you will lose a lot more than just me...

        I already avoid home nodes. Several load off-site images, some of which are actually documented as being used to track visits to their home node. Several now grab the userpass cookie, one forwarding it to another site (after stripping the password -- last time I checked). I don't want to be the one who finds the first truly nasty home node.

        At least non-home nodes very rarely have any interesting HTML (and those that do usually get voted down -- probably why this is still rare).

        As for home-node buttons that send public chat requests, I thought the first one was cute but got tired of it before I even noticed a second one. I've been waiting for the fad to die but am disappointed so far. I don't mind the buttons that post private messages back to the node's owner (though I wonder what the denial-of-service-attack potential for the node owner or the site is). I particularly like Adam's random node button. Posting private messages back to the button pusher is probably harmless.

        It is ironic that my favorite web site has also become my most worrisome. I'm about to switch to my former paranoid ways of disabling javascript and autoloading of images and only turning them on for the few sites that both become useless without them and are important.

        A compromise did cross my mind. I'd love to see only specific HTML tags allowed in posts and home nodes. Then I could be curious about a monk and not worry about what tricks they might think are cute today...

        But each monk (level 5 and above) could have a "play node" where they can post any HTML they want to. Then you could go look at their tricks with the relative safety of knowing who did it (and that they risked throwing away the time it took them to get to level 5 if they did something truly nasty).

        As for off-site links, the browsers I use make it easy to see where a link is going before I click on it. Plus, there are plenty of legitimate reasons to have an off-site link in a post or home node. So I'd not ban those.

                - tye (but my friends call me "Tye")
        Along these lines I think a possible solution would be to give the user the choice of what to filter out.

        In their settings page, give them options to filter out the following:

        • Javascript
        • CSS
        • Font customizations
        • advanced tags (<layer>, <embed>, <iframe>, etc...) # personally I would remove these all the time
        • other tags...
        • user customized tag entry

        Perhaps each of these could even be set via a dropdown. Where the dropdown contains the minimum level of monk you want the tags to be enabled for.
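
An added example, not part of the thread or of PerlMonks' code: the tag allowlist tye proposes, combined with the per-viewer minimum-level setting suggested in the post above, in Python. The tag lists, the "fonts" category and the function names are assumptions made for illustration; scripts, CSS and the advanced tags are always removed here.

```python
import re
from html import escape
from html.parser import HTMLParser

# Hypothetical policy for this example: tag -> attributes that may be kept.
BASIC = {"p": (), "b": (), "i": (), "code": (), "pre": (), "br": (), "a": ("href",)}
# Viewer-gated categories (names are assumptions): category -> extra tags.
GATED = {"fonts": {"font": ("color", "size", "face")}}
# Removed together with everything inside them, whatever the viewer chose.
DROP_WITH_CONTENT = {"script", "style", "iframe", "layer", "object"}
SAFE_URL = re.compile(r"(?i)(https?://|mailto:)")  # allowlist, not a blocklist

class Sanitizer(HTMLParser):
    """Rebuilds output from parse events, so only allowlisted markup survives."""
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.skip = allowed, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in self.allowed:
            kept = [(k, v) for k, v in attrs
                    if k in self.allowed[tag] and v is not None
                    and (k != "href" or SAFE_URL.match(v.strip()))]
            attr_text = "".join(f' {k}="{escape(v)}"' for k, v in kept)
            self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.allowed and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is always re-escaped

def sanitize(html, author_level, viewer_min_level):
    """viewer_min_level maps a gated category to the lowest author level trusted."""
    allowed = dict(BASIC)
    for category, tags in GATED.items():
        if author_level >= viewer_min_level.get(category, float("inf")):
            allowed.update(tags)
    parser = Sanitizer(allowed)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample home-node markup.
SAMPLE = ('<p onclick="x()">Hi <b>monk</b></p><script>steal(document.cookie)</script>'
          '<a href="javascript:alert(1)">a</a><a href="https://example.org/">b</a>'
          '<font color="red">c</font><embed src="x.swf">d')
```

Because the output is rebuilt from parse events rather than produced by deleting patterns from the input, event-handler attributes, unknown tags and comments disappear by default instead of needing their own rule.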

      That's what we need more of in Discussion threads, actual discussion. Simply voting -- doesn't lend anything to the topic. In the midst of various opinions and ideas is usually a good compromise and solution.

      I agree that a home node is a personal space, per se. But, it can be exploited. I don't want to check out someone's home node (like a new user's) and have a barrage of windows opening, or be stuck in some Yes/No dialog box loop. Or have someone setting cookies, etc... We have various privileges at certain levels, and maybe using CSS and JavaScript should be privileges. I still think anything like Java apps or ActiveX should be disallowed. Use those things on your own pages off of this site (IMO).

      Let's keep the charm, but keep down the (possible) harm.


        I find that interesting--the allowance for additional privileges. The only privileges I am aware of (I don't know where a list is to be found) is at level 5 you can post a picture, at level 10 you can approve nodes for posting, but at level 5 you lose your bonus for casting all your votes.

        It might make for interesting discussion as to what some monks suggest as to new privileges. Maybe:
        • An option for random pictures in home nodes at level 7
        • Regular columns for the top ranking saints
        • Doing away with the "Think Geek" banner at level 2 :)
        Just some ideas. I am sure there are more out there.
      There is a difference between a poorly written node and a node you don't agree with.

      I was under the impression that you voted down poorly written nodes, not those that you disagree with.

        Only rarely, but I do use -- votes for clearly incorrect nodes that I felt showed a lack of willingness to learn something I thought was important. Something that should have been obvious from what else was going on. (Such as the surrounding conversation.)

        So I vote down nodes almost entirely on content.

        BTW I use a similar (though far more generous) criteria for ++ votes...

        Ugh. The "similar" comment is unclear. :-(

        I meant that I vote nodes up based almost entirely on content. I am particularly generous when it is something that I thought was important, or something that I learned from.
