When you comment on a story, ask yourself this question: does my comment add value to the thread? If the answer isn't a definite "yes", consider modifying it until it does, or scrap it all together. It'll help keep the value of the conversation high.
It would probably be a huge security risk just to visit the demo page if people weren't constantly pasting over each other with "MY PENIS" in HTML/CSS/JS
edit2- No proof of any security risks, not like I tried any
Looks like you're being hacked really bad. I got redirected to Google! It was fun to watch though! Add <iframe sandbox="allow-forms"> and you'll disable javascript. Good fast fix for now, later you'll want sandbox="allow-scripts allow-forms allow-same-origin"
The 4th allowed value for html5 iframe sandbox is allow-top-navigation, which allows a script to do window.top.location.href = 'http://google.com and redirect someone like me.
I was reading a 2chan thread earlier today about video game related sites with absurd amounts of detailed research about the game (ROM level information, random number table information, etc), and a surprising number of them were on geocities.
I would recommend doing something about the demo page. It is going to give people a bad first impression of the tool even if it is awesome.
Maybe either turn off collaboration (which would greatly detract from the value of the demo, I know), or limit things like linking to outside images, Javascript alerts, and more malicious things. With how often everything gets overwritten, it's not as though anyone is going to be able to do anything complex that requires any of those things anyway.
When I redefined alert to return false, it crashed Chrome pretty bad (note: I am not the owner).
If someone really feels like policing it, they can delete the iframe element (in FF, chrome, or opera) and just have access to the editor panes (which means no alerts, redirects, or other nastiness). I'm sure someone can figure out how to write a javascript snippet that will post some text that has been cleaned of all instances of "window.location", "alert", and probably "while". (I would do it myself, but it's 1am here).
I put in return false; and it did nothing (using Chrome v22.0.1229.56 beta-m). You wouldn't want to return false anyways, alert is not defined as returning a value (see: https://developer.mozilla.org/en-US/docs/DOM/window.alert)
If you want to see what arguments are being passed, add a console.dir(arguments); to the code.
46 comments
[ 3.9 ms ] story [ 106 ms ] threadEDIT: better dummy conversation
Some highlights:
window.top.location.href = 'http://www.troll.com;
function troll() { alert('troll'); troll(); } troll();
I was just observing, didn't know I was stumbling on a live canvas when I clicked the link :)
Poor are those who have no way to block alerts tho.
edit2- No proof of any security risks, not like I tried any
The 4th allowed value for html5 iframe sandbox is allow-top-navigation, which allows a script to do window.top.location.href = 'http://google.com and redirect someone like me.
Maybe either turn off collaboration (which would greatly detract from the value of the demo, I know), or limit things like linking to outside images, Javascript alerts, and more malicious things. With how often everything gets overwritten, it's not as though anyone is going to be able to do anything complex that requires any of those things anyway.
But nice to see how all the trolls play... Maybe this is a real good idea... A contest battelfield for trolls... (as a game)
If someone really feels like policing it, they can delete the iframe element (in FF, chrome, or opera) and just have access to the editor panes (which means no alerts, redirects, or other nastiness). I'm sure someone can figure out how to write a javascript snippet that will post some text that has been cleaned of all instances of "window.location", "alert", and probably "while". (I would do it myself, but it's 1am here).
If you want to see what arguments are being passed, add a console.dir(arguments); to the code.
Either do it properly or not at all.
As usual, as soon as HNers are no longer on HN proper, the inner troll comes out.