Can we just get rid of the 'disable JavaScript on homenodes' option until it works? The placebo effect (i.e. 'the power of suggestion') is psychological. It has no effect on computers. A function must actually be implemented before it can have an effect.
When the checkbox does not do what it says it does, it widens the security hole that JavaScript presents. It leads people to believe they're protected, when they are only sheltered from the most obvious way of carrying out the 'threat.'

Maybe it should say something like...
"Disable <script> tags and comment out their contents on home nodes. This may make you feel good, but will not actually protect you."

...at least until it can actually disable JavaScript.
Yes, I'm aware that it's difficult to filter JavaScript in all of its forms.

Update:Browsers that run the script on Pertruchio's homenode:

• MSIE 5.1.3 (MacOS X)
• Opera 5.03b393 (Mac OS X)
• MSIE 5.50.4807.2300 (Win 2000)
• Netscape 4.08 (Win 2000)

s!!password!;y?sordid?binger?;y.paw.mrk.;
print chr 0x5b;print;print chr(0x5b+0x2);
[download]

Please explain to me what JavaScript is still executed from Petruchios page. The onLoad() event is not fired in my browser. What am I missing?

Update: I'm using Mozilla 0.9.9 under Win32 here. (I'll try with Mozilla 0.9.8 under Linux at home later.)

My settings are:

• Enable JavaScript for Navigator but not for Mail and News.
• Allow web pages to do <everything> except open unrequested windows


Update 2:
I found it! I do not allow loading of images from other sites than the host of the page, which is why Petruchios image doesn't load. And thereby why the onLoad() event doesn't get fired off.

Thereby I understand how JavaScript is still a threat on Petruchios home node. (And potentially others too.)



---

Everything went worng, just as foreseen.

If I remove perlmonks from my list of 'restricted sites' in MSIE (it's in there only to disable JavaScript), I get a dialog box that shows the value of my perlmonks cookie, and warns me that it could just as easily have been stored somewhere, and my account stolen.

Looking at the source, his picture of a jelly donut has an onload handler that pops up the alert box.

Is your browser set to disable JavaScript at some level? I wonder if it's a browser-specific issue. I'll check a few others and post an update to my original node above with findings.

Update: Works also with
• Opera 6.0b1 (Linux)
• Opera 6.0b1 (Windows 2000/XP/98)
  
  Anyway it's not about you browser... In other words, i confess - i don't like JavaScript anyway ;-) and IMHO the best solution to prevent such attacks is to completly turn the JavaScript off (or use a browser that doesn't support it)!
  
  Trying to secure servers, making them refuse to accept such input is ok, but it reminds me the way the viruses evoluated - some people were trying to secure the software, while the others tried to walk around that security improvements. And what to say... it happens all the time!
  Besides there is another problem - if something has beed invented and people were told that tit was invented for them, then how to explain your *customer* (or even any of your users) that they can't use it right here - at this site, becouse somebody used it wrong way... Will (s)he understand?! I'm afraid - no :-(
  
  BTW (Off-Topic). A few days ago i've got almost killed by a genius 'WebMASTER' who told his customer "... it won't look god in red... besides there is no red color in the Internet". ROTFL ;-)
  
  Greetz, Tom.