Users' home nodes should have filtered HTML (unconditionally) so that much worse cross-site scripting attacks are not possible. I find the site allowing this to be done is a more serious problem than this mildly annoying (the CB postings from buttons have been more annoying so far, in my experience) use of it.
The (poorly named) "really paranoid" setting in user settings filters home-node HTML much like is already done everywhere else on PerlMonks. This is the only way to eliminate the potential for cross-site scripting attacks, which can be destructive but haven't been yet.
There are a couple of imperfections in the current implementation of home-node HTML filtering that will eventually be addressed (and will then also prevent a few javascript exploits that are still possible outside of home nodes).
This filtering just needs to become mandatory. Supporting cross-site scripting attacks just doesn't make sense to me. I'm thankful that demerphq put up home node HTML filtering and I now mostly feel safe visiting home nodes.
Then we won't have to "deal with" the possibility that one person might register at PerlMonks who is both anti-social and knows a tiny bit of JavaScript, no matter how remote some would like to think this possibility should be. (Not that I have any proof that one or more people haven't already been silently collecting PerlMonks passwords waiting for the right moment to exploit them for some mayhem.)
- tye
In reply to Re^2: Has a line been crossed by this user (filtering)
by tye
in thread Has a line been crossed by this user
by PhilHibbs
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |