For the sake of clarity, my proposal to properly filter javascript requires filtering HTML as well. So, yes, if you want to see what is going to happen, go to User Settings and turn on "Filter HTML of monks' homenodes".

My impression is that the allowed tags are already pretty much where they can and should be.

As a first step, we should turn on this setting for AnonyMonk (not as easy at one might guess, since I've tried before and failed). Another attempt is now on the top of my to-do list.

My impression is that the allowed tags are already pretty much where they can and should be.

I guess I'm misremembering, then. I thought we'd discussed allowing a broader range of things on homenodes. I wouldn't be drastically opposed to being restrictive initially, then seeing what people clamor for, but in principle I'd like to see monks have more artistic freedom on their homenode.
--
Online Fortune Cookie Search

My impression is that the allowed tags are already pretty much where they can and should be.

In my previous response, I was assuming you meant just the Perl Monks Approved HTML Tags. I'd forgotten there were the additional tags allowed for homenodes. What are your concerns about external imgs? They'd allow ipaddr logging; is there any other concern?
--
Online Fortune Cookie Search

Cross-site request forgery.

Since most users allow the browser to load images, an external image can be used to trigger an GET request to an arbitrary URL, and the browser sends all session cookies of the target domain to that URL. Without any interaction from the user.

While state change on the server side should not be triggered by GET requests they often are. So it's safer to forbid them.