Ex-Image Formatting
November 18, 2006 4:21 PM   Subscribe

[filthy.gif]
posted by econous at 4:29 PM on November 18, 2006

[photo of someone dental flossing his ears]
posted by pyramid termite at 4:32 PM on November 18, 2006

Hi!
posted by Ceiling Cat at 4:36 PM on November 18, 2006

Holy crap', it's Ceiling Cat!
posted by yeoz at 4:48 PM on November 18, 2006

I think the current filtering code was a quick hack in response to mock's XSS demo, and that Matt is working on proper parsing code.
posted by Rhomboid at 4:54 PM on November 18, 2006

Just hyperlink 'em. Using the FF extension Text to Image totally rocks and solves the problem.
posted by moonbird at 4:57 PM on November 18, 2006

Um, you're missing the point of this post entirely.
posted by Rhomboid at 4:59 PM on November 18, 2006

Problem is that IMG tag works in Live Preview, but not in normal preview or a post.
posted by smackfu at 5:20 PM on November 18, 2006

yeah, it was just a quick xss fix. I'll clean it up.

Also, if anyone has an idea how to filter the img tag from the live preview, that'd be good.
posted by mathowie (staff) at 5:21 PM on November 18, 2006

Problem is that IMG tag works in Live Preview, but not in normal preview or a post.

Live preview doesn't do any filtering at all. You can do all sorts of nastiness there (< SCRIPT>, CSS styles, etc) that will be filtered out when you post. So the IMG tag isn't unique at all there.
posted by Rhomboid at 5:34 PM on November 18, 2006

Also, if anyone has an idea how to filter the img tag from the live preview, that'd be good.

You could try instead of this:

if(isIE){ getEl("prevDiv").innerHTML="<div>"+getEl("comment").value.replace(/(\n|\r)/g,'<br/>').replace(/(<br\/><br\/>)/g,'<br/>')+"</div>" }
else{ getEl("prevDiv").innerHTML="<div>"+getEl("comment").value.replace(/(\n|\r)/g,'<br>')+"</div>" }

Something like this:

html="<div>"+getEl("comment").value.replace(/(\n|\r)/g,'<br>').replace(/<\s*img[^>]+>/gi, "[IMG tag disabled]");
getEl("prevDiv").innerHTML = isIE ? html.replace(/(<br\/><br\/>)/g,'<br/>') : html;

This is far from bulletproof in that it does tag replacement with a RE but it doesn't matter too much since it's just for preview, the real filtering is still done server-side.
posted by Rhomboid at 5:50 PM on November 18, 2006

I know I missed it when it happened but why did the img tag get axed in the first place? Just wondering.
posted by iconjack at 6:27 PM on November 18, 2006

We were having too much fun with it, so Matt took it away.
posted by interrobang at 6:30 PM on November 18, 2006

I know I missed it when it happened but why did the img tag get axed in the first place? Just wondering.

Good question! Why don't you make a MetaTalk post about it?
posted by timeistight at 6:38 PM on November 18, 2006 [1 favorite]

No, no, interrobang. It's because crunchland's bitching finally worked. Take it as a lesson: if you bitch long enough, you will win. But you have to be really committed. Try it out!
posted by dame at 6:43 PM on November 18, 2006

Can someone explain it to me what EXACTLY we are protecting ourselves from by blocking images (besides, you know, the guy fucking a chicken)?

That's about it, right?
posted by taosbat at 7:10 PM on November 18, 2006

That was the excuse, yeah.
posted by interrobang at 7:15 PM on November 18, 2006

God, I miss that dancing squirrel playing a harmonica.
posted by Alvy Ampersand at 7:22 PM on November 18, 2006

Also, since this thread's original issue has been adressed and I'm pretty sure another Yeah Pix!/Nay Pix! thread isn't all that necessary, let's discuss this thread.

An interesting and heartbreaking story, the thread is marred by the usual sanctimony and indignance pissing contests.
posted by Alvy Ampersand at 8:14 PM on November 18, 2006

Self righteousness is a defining feature of metafilter. Fistulas are less entertaining.
posted by econous at 8:23 PM on November 18, 2006

Live preview doesn't do any filtering at all.

and thus, though i didn't think it was possible, becomes even less live and less a preview. mefi is such grand entertainment sometimes!
posted by quonsar at 8:46 PM on November 18, 2006

Since you're already stripping out the image tag code (like on this post), why not either change it to a link or drop the whole line entirely? The code that's left is unsightly.

Ok, I'll get right on that. Oh, wait, you weren't addressing me. Hmm, I guess I somehow must have stumbled upon a private email exchange... No, wait, it's on the front page of MeTa. Hmm, must be that fancy new 2nd person perspective that everyone is talking about on the intertubes.
posted by blue_beetle at 8:51 PM on November 18, 2006

That comment of mathowie's you linked to is completely wrong. Specifically, that php file grabs any and all cookie data from the metafilter user, since the script is run within an image tag on the metafilter.com site is totally incorrect. The browser presents the cookies of the site the image is hosted AT, not where it was linked FROM. If you control http://yourserver.com/omg/haha-funnier-than-FARK.jpg then the only cookies you see in the request are the ones set by yourserver.com. I really hope we didn't go through this whole ordeal because of THAT misconception.
posted by Rhomboid at 9:05 PM on November 18, 2006

shhh. you're making him look bad.
posted by quonsar at 9:12 PM on November 18, 2006

IM N UR IMG TAG RUNNIN MY SCRIPT
posted by quonsar at 9:14 PM on November 18, 2006

I really hope we didn't go through this whole ordeal because of THAT misconception.

I thought we went through it because you posted an image that made anyone who saw it favorite your comment.
posted by smackfu at 9:31 PM on November 18, 2006

Waitaminute, someone here fucked a chicken?
posted by homunculus at 9:38 PM on November 18, 2006

mathowie can't regex his way out of a paper bag — we can't use the lowercase letters {s,r,c} concatenated together in that order, in a comment or post on this here community weblog. It's a good thing those three letters don't appear in that order with any frequency in the english language.

If we're going to not have inline images (which is okay by me), <img> tags should be getting transformed server-side into something useful, not mangled incompetently. Maybe something like:

<IMG SRC="http://goatse.cx/hello.jpg" title="gaping asshole">

turns into

<div class="image">
<IMG SRC="http://metafilter.com/littleImageIcon.png">
<a href="http://goatse.cx/hello.jpg">gaping asshole</a>
</div>

with a little bit of differentiating style applied to the image class in the css. In the absence of a title tag, the link text would be the image URL. Having them in their own div would make it super retardedly easy to do inlining in greasemonkey.
posted by blasdelf at 10:07 PM on November 18, 2006

I thought we went through it because you posted an image that made anyone who saw it favorite your comment.

Yes, and Matt subsequently fixed that problem the same day by switching from GET to POST. That doesn't give people an excuse to parade around untrue myths about how cookies work.
posted by Rhomboid at 10:37 PM on November 18, 2006 [1 favorite]

Woah woah woah. I thought the problem was people doing something like this:

<img ="http://www.metafilter.com/favorite.mefi?comment=360647">

It used to be that if someone did something like that, every person who viewed the page would favorite comment 360647. That was the problem, but now it's fixed.

Still I'm not sure I really want the image tag back, there were a lot of threads I think people would have just shoved images into that otherwise ended up having a conversation, for better or for worse.
posted by delmoi at 11:01 PM on November 18, 2006

?
posted by delmoi at 11:02 PM on November 18, 2006

mathowie can't regex his way out of a paper bag — we can't use the lowercase letters {s,r,c} concatenated together in that order

Woah, you're right.
posted by delmoi at 11:02 PM on November 18, 2006

You can still say s​rc with the help of your friend U+200B.
posted by Rhomboid at 11:21 PM on November 18, 2006

Y'all shore dew tawk funny...
'N how come there ain't no pikchers here on Metrofilter no more?
posted by flapjax at midnite at 12:00 AM on November 19, 2006

It's in his desk drawer, next to our yo-yos, science fiction comic books, and wind-up chattering teeth.

So that's where my yo-yos, science fiction comic books, and wind-up chattering teeth went! Damn you, mathowie!

*weeps bitter tears, vows revenge*
posted by languagehat at 6:29 AM on November 19, 2006

mathowie can't regex his way out of a paper bag

fricken hilarious...
posted by quonsar at 7:14 AM on November 19, 2006

Oh, this must be the annual quonsar chest-thump about how he'd use his skillz to code up a real website, if only Matt would stop making him visit this one.
posted by Mid at 8:47 AM on November 19, 2006

Perhaps a better way to deal with the img tag is to automatically replace the image location with a metafilter hosted jpg that explains why IMG tags are not allowed.

At least it might cut down on the number of img-related threads in MetaTalk.
posted by tkolar at 9:33 AM on November 19, 2006

testing...



posted by shmegegge at 3:40 PM on November 19, 2006

holy shit, we really can't put s r c together. that's nuts.
posted by shmegegge at 3:41 PM on November 19, 2006

there goes my post about detroit rock and roll in the 60s, damn it ...
posted by pyramid termite at 3:42 PM on November 19, 2006

s​rc s​rc s​rc s​rc s​rc s​rc
posted by Rhomboid at 4:28 PM on November 19, 2006

THE JOYS OF THE LETTER R IN UNICODE:

{r, ŕ, ŗ, ř, ʀ, ʁ, ɼ, ɺ, ɹ} — The standard latin set

{Ꭱ, Ꮢ} — R-like charachters in Cherokee

{ᴙ, ᴚ, ᵣ, ᶉ} — IPA

{ṙ, ṛ, ṝ, ṟ} — Latin Extended

{ℛ, ℜ} — Letter-like forms (the blackletter one is ℜ)

{⒭, ⓡ} — enclosed alphanumerics

{𝐫, 𝑟, 𝒓, 𝓇, 𝓻, 𝔯, 𝕣, 𝖗, 𝗋, 𝗿, 𝘳, 𝙧, 𝚛} mathematical alphanumerics
(has a lot of small r characters, but font presence is unlikely)

{ｒ} — fullwidth (used with CJK)

<img sṛc="http://goatse.cx/hello.jpg">
posted by blasdelf at 6:12 PM on November 19, 2006

gah! I meant to say that the blackletter one is {& real ;} but the site transforms {& amp ;} into a real &.
posted by blasdelf at 6:15 PM on November 19, 2006

&​amp;
&​real;
s​rc

U+200B is where it's at. No fake r's here.
posted by Rhomboid at 6:26 PM on November 19, 2006

10 GOTO 20
20 GOTO 10
posted by quonsar at 7:41 PM on November 19, 2006

quonsar, that looks like the code that governs my life.
posted by dg at 8:33 PM on November 19, 2006

ZERO WIDTH SPACE [​] (U+200B)

On my mac, your beloved U+200B prints as a not-quite-full-width space in Verdana, so it doesn't work

Fortunately, there are a multitude of awesome characters in Unicode for our uses:

HAIR SPACE [ ] (U+200A)

NARROW NO-BREAK SPACE [ ] (U+202F)

ZERO WIDTH NO-BREAK SPACE [] (U+FEFF)

WORD JOINER [⁠] (U+2060)

ZERO WIDTH JOINER [‍] (U+200D)

ZERO WIDTH NON-JOINER [‌] (U+200C)

LEFT-TO-RIGHT MARK [‎] (U+200E)

<img s‎r‎c="http://goatse.cx/hello.jpg">
posted by blasdelf at 9:16 PM on November 19, 2006

MISSION ACCOMPLISHED! I ❤ U+200*
posted by blasdelf at 9:18 PM on November 19, 2006

So much for Quonsar's leet mad programming skillz. His program is twice as long as it needed to be.

10 GOTO 10 would have sufficed.
posted by crunchland at 9:36 PM on November 19, 2006

crunchland, why do you cap the q?
posted by cgc373 at 7:59 AM on November 20, 2006

Putting a cap in Quonsar has always been a dream of mine.
posted by crunchland at 4:20 AM on November 21, 2006