discuss AT lists.opennicproject.org
Subject: Discuss mailing list
List archive
- From: Al Beano <albino AT autistici.org>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] This is my %#$ rant
- Date: Tue, 12 Sep 2017 07:19:54 +0100
What about [b onclick="myevilscript()"]?
Use a proper BBCode library, there's scope for so much to go wrong if you do
it yourself.
On 12 September 2017 04:21:34 BST, "Dmitry S. Nikolaev" <dn AT mega-net.ru>
wrote:
>If you want to allow to use HTML tags, so do it by replacement to
>bbcodes.
><b>to [b]
><div> to [div]
>and so on + always use htmlspecialchars function on all user input.
>
>It`s safe to use this way.
>
>
>With best regards, Dmitry S. Nikolaev
>
>Moscow, Russia
>phone: +7 (499) 678 8007 [ext. 6003]
>fax: +7 (499) 678 8007 [ext. 7777]
>www: http://www.mega-net.ru
>mail: dnikolaev AT mega-net.ru
>SIP URI: dnikolaev AT sip.mega-net.ru || dn AT sip.mega-net.ru
>
>On 11.09.2017 20:31, Jeff Taylor wrote:
>> Perhaps, but my mind went to basic HTML tags like <b> and <div>...
>> sure you can enter styles and screw with the page formatting, but
>> otherwise there's nothing dangerous there.
>>
>> Also... was sick, still sick, wasn't thinking clearly. So as I said,
>> never assume anything is 'obvious'.
>>
>>
>> On 09/11/2017 10:58 AM, Al Beano wrote:
>>> If <marquee> tags are available should it not follow that <script>
>tags and other JS attributes are also allowed?
>>>
>>> On 11 September 2017 17:55:12 BST, Jeff Taylor
><shdwdrgn AT sourpuss.net> wrote:
>>>> I appreciate the offer. It's not really a matter of not being
>*able*
>>>> to
>>>> fix it, I'm fairly fluent in PHP and its shortcomings in many of
>its
>>>> functions that don't quite live up to their names, it's more a
>matter
>>>> of
>>>> having the problem pointed out to me. If someone had just said
>"hey we
>>>>
>>>> can enter <script> tags in the fields", it would have immediately
>>>> clicked that yes, this is a very very bad thing, and I would have
>>>> locked
>>>> it down right away.
>>>>
>>>>
>>>> On 09/11/2017 02:04 AM, Dmitry S. Nikolaev wrote:
>>>>> Hi Jeff.
>>>>>
>>>>> First of all get well and be healthy.
>>>>>
>>>>> I did not quite understand who did and what did, but I understood
>>>> that
>>>>> someone hack something.
>>>>> I dont see any discussion about it.
>>>>>
>>>>> If it is PHP code, so maybe I can help you. Write if you need
>help.
>>>> We
>>>>> will see what we can do.
>>>>>
>>>>> Good luck !
>>>>> With best regards, Dmitry S. Nikolaev
>>>>>
>>>>> Moscow, Russia
>>>>> phone: +7 (499) 678 8007 [ext. 6003]
>>>>> fax: +7 (499) 678 8007 [ext. 7777]
>>>>> www:http://www.mega-net.ru
>>>>> mail:dnikolaev AT mega-net.ru
>>>>> SIP URI:dnikolaev AT sip.mega-net.ru ||dn AT sip.mega-net.ru
>>>>> On 11.09.2017 07:52, Jeff Taylor wrote:
>>>>>> Last night I got an ear infection plus bad acid reflux and didn't
>
>>>>>> hardly sleep at all. So you can imagine my state of mind when I
>got
>>>>>> up this morning to find a discussion between T1 and T2 operators
>>>>>> talking vaguely about an exploit they found in the servers page,
>and
>>>>>> the page itself broken and not providing usable info. It took me
>
>>>>>> quite awhile to dig through everything and determine exactly what
>>>> was
>>>>>> done and start working towards repairing the intentional damage.
>>>>>>
>>>>>> OK, it's a fair point that I didn't properly sanitize the input.
>
>>>>>> However we're talking about a page that has been online for the
>past
>>>>>> two years without any problems, but for some reason you decided
>that
>>>>>> immediate action must be taken right this very second. And not a
>
>>>>>> single one of you assholes had the courtesy to even send me a PM
>to
>>>>>> say "hey we found this problem in your page and these are the
>>>> actions
>>>>>> we took." Seriously, I know some of you newcomers are in your
>>>> teens,
>>>>>> but do you really have to ACT like it? This is a community
>project,
>>>>>> it exists because people in the past have worked *together* to
>solve
>>>>>> problems. It's not a hacking contest to see who can blow up each
>>>>>> other's contributions.
>>>>>>
>>>>>> There have been a lot of complaints about my code in the past.
>Yes I
>>>>>> write in Bash and PHP, and yes my code isn't going to be the
>easiest
>>>>>> to read. There's also the constant complaints that I don't post
>my
>>>>>> code on repo-of-the-week, which I've discussed several times on
>IRC
>>>>>> but nobody seems to care. Just how many 'official'
>source-hosting
>>>>>> pages has opennic been through? We've been in sourceforge, but
>we
>>>>>> don't trust them now. What was the one that did SVN? And of
>course
>>>>>> there's the numerous local repos that people have run over the
>years
>>>>>> which up and disappear one day without warning. I've submitted a
>
>>>>>> fair chunk of my code at least twice. And poof, there's no
>evidence
>>>>>> remaining that it ever existed.
>>>>>>
>>>>>> I have limited time to work on opennic, but I've churned out an
>>>>>> incredible amount of code for the project over the years. There
>is
>>>>>> very little of opennic's infrastructure that I haven't had a hand
>in
>>>>>> or written completely from scratch. Everybody that comes through
>
>>>>>> always has their own ideas on how things should be done, what
>>>> changes
>>>>>> need to be made, and yet almost none of those people have
>actually
>>>>>> contributed anything. Opennic owes its very existence to those
>few
>>>>>> people such as myself who have dedicated months or years of
>>>>>> programming time to provide the services that everyone else uses
>on
>>>> a
>>>>>> daily basis. There is a huge amount of code in the background
>that
>>>> I
>>>>>> personally own and have to troubleshoot when things go wrong. I
>>>>>> spend what time I can either fixing the larger problems or trying
>to
>>>>>> set up new code to provide features. I have dedicated time
>nearly
>>>>>> daily to making sure things run smoothly or fixing whatever is
>>>>>> broken, and the thanks I get is "hey lets fuck up his shit and
>see
>>>>>> how long it takes him to figure it out." Real mature.
>>>>>>
>>>>>> If anyone wants a copy of my working code, I have always been
>happy
>>>>>> to provide it. It may take me some time to get it together, but
>>>> I've
>>>>>> always given it. And I would love to have others help clean
>things
>>>>>> up, especially the registrar code behind reg.for.free.
>>>> Unfortunately
>>>>>> the only feedback I have ever gotten is "I don't like your
>standard
>>>>>> use of single- and double-quotes... here's a rewrite to quote
>things
>>>>>> MY way." I don't have time to keep learning a new repo system
>every
>>>>>> year or two and I no longer have the patience to care, but if
>>>> someone
>>>>>> else wants to do the deed I've already mentioned many times that
>I
>>>> am
>>>>>> happy to help work with them.
>>>>>>
>>>>>> I've been thinking about this all day and I'm still pissed, and
>>>>>> apparently still can't even coherently express my frustration, so
>>>> let
>>>>>> me summarize... Grow the fuck up and learn how to actually work
>with
>>>>>> other people who are in different times zones. People have
>pointed
>>>>>> out bugs in my code before, and I almost always get them fixed
>>>> within
>>>>>> a day or two. Yeah I make mistakes, I know this and I know
>enough
>>>> to
>>>>>> understand the problem when they are pointed out, assuming you
>>>>>> actually give me the chance.
>>>>>>
>>>>>>
>>>>>> --------
>>>>>> You are a member of the OpenNIC Discuss list.
>>>>>> You may unsubscribe by
>>>> emailingdiscuss-unsubscribe AT lists.opennicproject.org
>>>>>
>>>>>
>>>>> --------
>>>>> You are a member of the OpenNIC Discuss list.
>>>>> You may unsubscribe by emailing
>>>> discuss-unsubscribe AT lists.opennicproject.org
>>>>
>>>>
>>>>
>>>>
>------------------------------------------------------------------------
>>>>
>>>>
>>>>
>>>> --------
>>>> You are a member of the OpenNIC Discuss list.
>>>> You may unsubscribe by emailing
>>>> discuss-unsubscribe AT lists.opennicproject.org
>>>
>>>
>>> --------
>>> You are a member of the OpenNIC Discuss list.
>>> You may unsubscribe by emailing
>discuss-unsubscribe AT lists.opennicproject.org
>>
>>
>>
>>
>> --------
>> You are a member of the OpenNIC Discuss list.
>> You may unsubscribe by emailing
>discuss-unsubscribe AT lists.opennicproject.org
>
>
>
>------------------------------------------------------------------------
>
>
>
>--------
>You are a member of the OpenNIC Discuss list.
>You may unsubscribe by emailing
>discuss-unsubscribe AT lists.opennicproject.org
- Re: [opennic-discuss] This is my %#$ rant, (continued)
- Re: [opennic-discuss] This is my %#$ rant, Al Beano, 09/11/2017
- Re: [opennic-discuss] This is my %#$ rant, Jeff Taylor, 09/11/2017
- Re: [opennic-discuss] This is my %#$ rant, Dmitry S. Nikolaev, 09/11/2017
- Re: [opennic-discuss] This is my %#$ rant, Jeff Taylor, 09/11/2017
- Re: [opennic-discuss] This is my %#$ rant, Al Beano, 09/11/2017
- Re: [opennic-discuss] This is my %#$ rant, Mitch Roote, 09/11/2017
- Re: [opennic-discuss] This is my %#$ rant, Jeff Taylor, 09/11/2017
- Re: [opennic-discuss] This is my %#$ rant, Daniel Shirley, 09/11/2017
- Re: [opennic-discuss] This is my %#$ rant, Jeff Taylor, 09/11/2017
- Re: [opennic-discuss] This is my %#$ rant, Jeff Taylor, 09/11/2017
- Re: [opennic-discuss] This is my %#$ rant, Dmitry S. Nikolaev, 09/12/2017
- Re: [opennic-discuss] This is my %#$ rant, Al Beano, 09/12/2017
- Re: [opennic-discuss] This is my %#$ rant, Dmitry S. Nikolaev, 09/12/2017
- Re: [opennic-discuss] This is my %#$ rant, Al Beano, 09/12/2017
- Re: [opennic-discuss] This is my %#$ rant, Dmitry S. Nikolaev, 09/12/2017
- Re: [opennic-discuss] This is my %#$ rant, Al Beano, 09/12/2017
- Re: [opennic-discuss] This is my %#$ rant, Dmitry S. Nikolaev, 09/12/2017
- Re: [opennic-discuss] This is my %#$ rant, Mitch Roote, 09/11/2017
- Re: [opennic-discuss] This is my %#$ rant, Al Beano, 09/11/2017
- Re: [opennic-discuss] This is my %#$ rant, Jeff Taylor, 09/11/2017
- Re: [opennic-discuss] This is my %#$ rant, Dmitry S. Nikolaev, 09/12/2017
- Re: [opennic-discuss] This is my %#$ rant, Al Beano, 09/11/2017
Archive powered by MHonArc 2.6.19.