IMO, the most valuable lesson we can pull from mousey's little mini-exploit is to filter homenode HTML positively ("allow only safe elements") rather than negatively ("deny only the unsafe elements that we thought of").

And now, the less valuable lesson, all IMHO:

<soapbox>

Both here and in the chatterbox, I've seen mousey's exploit criticized for irreverence ("Monk pics are a way of honouring committed members! mousey's denigrating that!"), for irresponsible disclosure ("mousey's found a way around an XSS/Javascript attack filter and is encouraging blackhats to use it!"), or just for breaking the rules ("mousey broke the rules! Don't break the rules! They're the rules! Rules! Baa! Baa! Baa!").

That's not my read on the situation at all.

From mousey's original post, and from what he actually did with the vuln he found, I see his attitude as (naive) exuberance: "hey, cool, you can get around the no-images-before-level-5 filter with a crufty HTML hack!" That "hey, cool" attitude is central to hackerdom; without scruffy programmers doing the unexpected, we'd all be grinding out COBOL, JCL, and PL/I for a living on massive time-sharing systems from IBM. We need to protect that attitude, and nurture it, not restrict and ostracize it.

</soapbox>

--
F o x t r o t U n i f o r m
Found a typo in this node? /msg me
The hell with paco, vote for Erudil!


In reply to Re(3) Images under Level 5 by FoxtrotUniform
in thread Images under Level 5 by mousey
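
The positive-versus-negative filtering point in the post above, as an added example that is not part of the original post and is not PerlMonks' own code. The tag lists, the function names and the sample input are assumptions constructed for illustration; the page does not show the markup mousey actually used.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example, not the real PerlMonks tag list.
ALLOWED = {"p": (), "b": (), "i": (), "code": (), "br": (), "a": ("href",)}
DENIED = {"img", "script"}            # negative filter: only what we thought of
SAFE_SCHEMES = {"http", "https", ""}  # "" means a relative link

class _Rewriter(HTMLParser):  # re-emits only what policy(tag) permits
    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy, self.out = policy, []

    def handle_starttag(self, tag, attrs):
        keep = self.policy(tag)  # None drops the tag; otherwise an attribute predicate
        if keep is not None:
            parts = [tag] + [f'{k}="{escape(v or "")}"' for k, v in attrs if keep(k, v or "")]
            self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if self.policy(tag) is not None and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always re-escaped

def _run(policy, html):
    p = _Rewriter(policy)
    p.feed(html)
    p.close()
    return "".join(p.out)

def _safe_url(value):
    try:
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:  # malformed URL: fail closed
        return False

def deny_filter(html):
    """Negative filter: strip DENIED tags, pass every other tag and attribute."""
    return _run(lambda t: None if t in DENIED else (lambda k, v: True), html)

def allow_filter(html):
    """Positive filter: keep only ALLOWED tags, their listed attributes, safe URLs."""
    return _run(lambda t: (lambda k, v: k in ALLOWED[t] and _safe_url(v)) if t in ALLOWED else None, html)

# Constructed input: an element and an attribute the denylist author did not list.
SAMPLE = '<p>Hi <object data="pic.png"></object><a href="/me" onclick="x()">me</a></p>'
```

`deny_filter(SAMPLE)` returns the input unchanged, while `allow_filter(SAMPLE)` keeps only the paragraph, the link and its `href`.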
