Now with six more pieces of flair May 23, 2007 12:43 PM

Minor feature add: you can set your flickr username in your account, and it will automatically grab your last six photos uploaded and add them to your userpage.
posted by mathowie to Feature Requests at 12:43 PM (216 comments total) 3 users marked this as a favorite

Six? Why six?
posted by mr_crash_davis at 12:46 PM on May 23, 2007


because seven would be MADNESS
posted by mathowie (staff) at 12:47 PM on May 23, 2007 [19 favorites]


That's how many fingers #1 has on his left hand... or so someone said
posted by edgeways at 12:47 PM on May 23, 2007


but, actually I like this feature, thanks
posted by edgeways at 12:48 PM on May 23, 2007


Neat!
posted by brundlefly at 12:48 PM on May 23, 2007


Lovesit!
posted by iconomy at 12:51 PM on May 23, 2007


It works! Yay!
posted by cortex (staff) at 12:52 PM on May 23, 2007


I just did, but when I got to my "Customize Metafilter"-screen, it still had the CSS from when we could customize our userpages. Screenshot. No big deal, and maybe I should delete a few cookies?
posted by soundofsuburbia at 12:54 PM on May 23, 2007


Mine doesn't work. My flickr name is väcäpinta.
posted by vacapinta at 12:55 PM on May 23, 2007


Looks like it takes a minute to kick in, but works for me! Thanks, Matt!
posted by Plutor at 12:55 PM on May 23, 2007


Cool feature, by the way! :)
posted by soundofsuburbia at 12:55 PM on May 23, 2007


vacapinta: try "ricardo", just for shits and giggles—it might be resolving against directory name rather than literal user handle.
posted by cortex (staff) at 12:57 PM on May 23, 2007


Never mind. As plutor said, it just didn't kick in right away...
posted by vacapinta at 12:57 PM on May 23, 2007


Ooops, we cache the userpage, so it might take a minute to show up. Also, I got rid of the custom CSS thing.
posted by mathowie (staff) at 12:59 PM on May 23, 2007


Awesome.
posted by monju_bosatsu at 1:00 PM on May 23, 2007


Pretty!
posted by ThePinkSuperhero at 1:04 PM on May 23, 2007 [1 favorite]


Hey, it's the MeFiMoBile!
posted by monju_bosatsu at 1:06 PM on May 23, 2007


*swoon*
posted by Ambrosia Voyeur at 1:06 PM on May 23, 2007


We all know you like and use flickr a lot mathowie, and I suppose this is nice and great for everybody else in the same boat. For those of us that can't stand flickr and wish it a quick demise, it's slightly cringeworthy. However, I fully recognise the complexities in the past with letting people add their own content to their user page, so please don't take this as complaining that we can't do that, and that this is the best-of-an-unfortunate-situation compromise. It's just that favoritism to a given popular photo sharing site can rub some people uncomfortably. I hope that came off as diplomatic and unbitchy.
posted by Rhomboid at 1:08 PM on May 23, 2007 [1 favorite]


Nice, thanks! I guess there's not much stopping me adding someone else's Flickr account to my page, but I guess it would be weird to do that, anyway.
posted by Blazecock Pileon at 1:21 PM on May 23, 2007


flickr 4 lyfe
posted by kyleg at 1:23 PM on May 23, 2007 [2 favorites]


^ or dull and nerdy
posted by bonaldi at 1:23 PM on May 23, 2007


dammit, not you pair. you're not nerds.
posted by bonaldi at 1:23 PM on May 23, 2007


I think I love you, mathowie.
posted by CitrusFreak12 at 1:26 PM on May 23, 2007


So what are you so afraid of?
posted by ThePinkSuperhero at 1:29 PM on May 23, 2007 [2 favorites]


great. now I have Rocket Summer on my profile page.

quick. someone give me something interesting to photograph.
posted by Stynxno at 1:44 PM on May 23, 2007


Uh, hello?
posted by ThePinkSuperhero at 1:47 PM on May 23, 2007 [1 favorite]


*click*
posted by Stynxno at 1:54 PM on May 23, 2007


subtle?
posted by Rhomboid at 1:57 PM on May 23, 2007 [10 favorites]


Wow, I get photos from the wrong user! My flickr name is mkb, but all my photos are from 'goodtimes'
posted by mkb at 2:01 PM on May 23, 2007


subtle?

I just noticed that if you don't put your flickr username in your profile, then you don't have to use flickr. Neato! Plus, it has the added benefit of giving you no reason to bitch about it!
posted by eyeballkid at 2:04 PM on May 23, 2007 [1 favorite]


Ha! Beautiful, Rhomboid.
posted by cortex (staff) at 2:04 PM on May 23, 2007


I just noticed that if you don't put your flickr username in your profile, then you don't have to use flickr.

Interesting, I hadn't considered that. Now, remind me again, what's the procedure if you'd like to put photos in your profile but would prefer not to use flickr?
posted by Rhomboid at 2:07 PM on May 23, 2007


Bleh, I preferred the old method of simply allowing IMG SRC tags. I was able to have 12 images, so that no matter how wide you made the browser, they would show up in a seamless rectangle.

Also, I'd like to be able to pick my "best six" rather than my "last six" which may or may not be interesting...
posted by delmoi at 2:09 PM on May 23, 2007


Now, remind me again, what's the procedure if you'd like to put photos in your profile but would prefer not to use flickr?

A HREF
posted by monju_bosatsu at 2:09 PM on May 23, 2007


Is this a glimpse of the glorious and terrifying future when our weblog posts, del.icio.us bookmarks, Vimeo videos, MySpace witterings, SlideShare presentations, LifeBlog voyeurcasts, Twitter tweets, &c. all splurge forth onto our user MetaFilter pages like so much info-cum from our digital life-cocks?
posted by jack_mo at 2:09 PM on May 23, 2007 [5 favorites]


So what are you so afraid of?

What am I afraid of? This perhaps. (aaargh my eyes!)
posted by Pollomacho at 2:10 PM on May 23, 2007


Teeps, I give you extra points on having the mental fortitude to hold off on doing any profile edits for all this time.
posted by Rhomboid at 2:18 PM on May 23, 2007


For what it's worth, Rhomboid, I removed mine despite being a flickr fan because I don't like that whole branded "brought to you by www.flickr.com" stuff.

Matt, I believe the TOS only requires that the photos link back. Does it also require that little flickr header or is that optional?
posted by vacapinta at 2:19 PM on May 23, 2007


what's the procedure if you'd like to put photos in your profile but would prefer not to use flickr?

Are you sure you want to know? Because I'm pretty sure it involves sticking a camera up your ass.
posted by Dave Faris at 2:21 PM on May 23, 2007 [3 favorites]


And again Matt, I really didn't intend to give you grief for implementing something new nor did I intend to come off as a grumpy codger about it (though I'm afraid I sealed the deal on that already), but it's just one of those pet peeves of mine -- flickr really pushes my buttons. Sorry for the derail.
posted by Rhomboid at 2:23 PM on May 23, 2007


Wait, you're the guy who linked to a picture of yourself fucking your dog. I don't think you'll have any problems.
posted by Dave Faris at 2:23 PM on May 23, 2007


hey mkb, I think you're getting your flickr username confused with your flickr photostream URL nickname. (They can be two different things.) Your actual Flickr username is: "matt kane's brain". Try that and you should be set.
posted by pb (staff) at 2:26 PM on May 23, 2007


Also, I'd like to be able to pick my "best six" rather than my "last six" which may or may not be interesting...

Maybe Matt can pull the last six with a certain tag? Then you could tag those as mefi.
posted by smackfu at 2:27 PM on May 23, 2007


For the record - not me, not my dog, not my image macro. Blame some random 7chan guy.
posted by Rhomboid at 2:27 PM on May 23, 2007


A likely story. In any event, I don't think we need to see any more pictures from you.
posted by Dave Faris at 2:30 PM on May 23, 2007


Maybe Matt can pull the last six with a certain tag? Then you could tag those as mefi.

Huh. That's a nice idea. And maybe do a fallback to non-mefi-tagged new stuff if there are 0-5 photos tagged thus?
posted by cortex (staff) at 2:39 PM on May 23, 2007


flickr really pushes my buttons.

How so? (Serious question.)
posted by cribcage at 2:41 PM on May 23, 2007


so, in order to get my original pictures back on my user page, i must create a new google account, upload those pictures, and never upload any others. i realize it's not all web 2.0ish, but why not just let me put my damn pictures back on my damn user page where they weren't hurting a damn thing?
posted by quonsar at 2:48 PM on May 23, 2007 [1 favorite]


buy ludwig_van's new album (from my flickrstream)
posted by mathowie (staff) at 2:49 PM on May 23, 2007


i must create a new google account, upload those pictures, and never upload any others.

No, you just plop your already existing username into an input box and it'll grab recent photos from flickr for you.
posted by mathowie (staff) at 2:51 PM on May 23, 2007


pay attention, matt.
posted by quonsar at 2:53 PM on May 23, 2007


get my original pictures back on my user page
get my original pictures back on my user page
get my original pictures back on my user page

the ones that disappeared after the last time i edited my userpage.
posted by quonsar at 2:55 PM on May 23, 2007


that said, it's still pretty cool.
posted by quonsar at 2:57 PM on May 23, 2007


get my original pictures back on my user page

The ship sailed on that a year ago or so.

This is just a simple user customization thing that is totally optional and no one is putting a gun to anyone's head forcing them to use it. I'll be doing photo uploads soon as well, and maybe a few more customizations if people want to add to their userpage (other IM handles, twitter, delicious, etc).

Someone asked today why we can't customize our profile pages more and I realized there's no reason I couldn't add a few features like this so I did.
posted by mathowie (staff) at 2:59 PM on May 23, 2007 [2 favorites]


(other IM handles, twitter, delicious, etc)

Oh, nice. I was thinking about this the other day, as I generally use Google Talk instead of AIM.
posted by brundlefly at 3:05 PM on May 23, 2007


and maybe a few more customizations if people want to add to their userpage (other IM handles, twitter, delicious, etc).

Last.fm? I have absolutely no idea what that would accomplish, but I do like Last.fm, so...
posted by soundofsuburbia at 3:05 PM on May 23, 2007


The ship sailed on that a year ago or so.

and here i stand on the sandy shore, waving my hanky at the horizon. sigh.
posted by quonsar at 3:08 PM on May 23, 2007


Mathowie is hoping to be bought out by yahoo. I guess I had it backward.

I gotta say, fuck Flickr and fuck yuppies. Ok, just fuck yuppies.

"Here are 18 pictures of various signs, taken in black and white, from weird angles." We need to raise the bar for picture hosting back to "owning your own webspace" to reduce the number of stupid, faux-artsy, self-important, mutually-wanked-over images on the Internet.
posted by Eideteker at 3:13 PM on May 23, 2007 [1 favorite]


Hey Eideteker, you know who else was against democratic ways of sharing images online?

That's right, it was Hitler. He hated services that made things easy for anyone to do anything. Only rich smart people should get to have pictures! Down with flickr!
posted by mathowie (staff) at 3:18 PM on May 23, 2007 [3 favorites]


Yeah, fuck this "upgrade". This is just another case of crippleware. "We'll take these freedoms away from you--for your own safety, of course!--and you can have this useless crap as a token gesture."

Can we get some hard stats? Since the IMG tag was taken away on MeFi, how many community websites have been toppled by the supposed flaw that caused it to be removed (because remember, it was a very important security issue, not the fact that Matt was tired of dealing with the debate)? How many lives have been ruined by this exploit? And, of those, how many could have been avoided by smart browsing (e.g., not using IE) combined with a MetaChat-style "replace all IMGs with A HREFs by default unless a user wishes to assume the risk and responsibility on themselves"?

[citation(s) needed] on this bullshit.
posted by Eideteker at 3:23 PM on May 23, 2007 [2 favorites]
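
The MetaChat-style default mentioned in the comment above (every IMG rewritten to an A HREF unless the viewer opts in), as an added example; this is not MetaFilter's or MetaChat's code, and the function names, tag allowlist, URL rules and sample inputs are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: a few formatting tags are kept (attributes
# dropped), links are kept if their URL is safe, everything else is stripped.
SAFE_TAGS = {"b", "i", "em", "strong", "p", "br"}
ALLOWED_SCHEMES = {"http", "https"}


def safe_url(url):
    """Return url only if it is an absolute http(s) URL, else None.

    Relative paths and other schemes (data:, javascript:, ...) are rejected,
    so an opted-in viewer's browser never auto-requests a same-site path.
    """
    if not url:
        return None
    url = url.strip()
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return url
    return None


class ImgToLinkRewriter(HTMLParser):
    """Re-emit profile HTML with <img> turned into a plain link by default."""

    def __init__(self, show_images=False):
        super().__init__(convert_charrefs=True)
        self.show_images = show_images  # viewer explicitly opted in
        self.out = []
        self.open_links = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            url = safe_url(a.get("src"))
            label = escape(a.get("alt") or "image")
            if url is None:
                self.out.append(f"[{label} removed]")
            elif self.show_images:
                self.out.append(f'<img src="{escape(url)}" alt="{label}">')
            else:
                # No request leaves the viewer's browser until they click.
                self.out.append(
                    f'<a href="{escape(url)}" rel="nofollow noopener">[{label}]</a>'
                )
        elif tag == "a":
            url = safe_url(a.get("href"))
            if url is not None:
                self.out.append(f'<a href="{escape(url)}" rel="nofollow noopener">')
                self.open_links += 1
        elif tag in SAFE_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag == "a":
            if self.open_links:
                self.open_links -= 1
                self.out.append("</a>")
        elif tag in SAFE_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text (including the body of stripped tags) is always escaped.
        self.out.append(escape(data, quote=False))


def rewrite_profile_html(html, show_images=False):
    """Sanitize user-supplied profile HTML for one viewer."""
    parser = ImgToLinkRewriter(show_images)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample input, not taken from the thread.
SAMPLE = '<p>My cat: <img src="https://photos.example/cat.jpg" alt="cat"></p>'

if __name__ == "__main__":
    print(rewrite_profile_html(SAMPLE))
    print(rewrite_profile_html(SAMPLE, show_images=True))
```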


Also, I'd like to be able to pick my "best six" rather than my "last six" which may or may not be interesting...

Quonsar's complaint actually hinted at the easiest way to fix this. Just create another Flickr account, upload six photos to it, and use that in your profile rather than your normal one.
posted by smackfu at 3:24 PM on May 23, 2007


Hitler wrote some pretty scathing guest columns for Dvorak back in the day.
posted by cortex (staff) at 3:25 PM on May 23, 2007


Huh. That's a nice idea. And maybe do a fallback to non-mefi-tagged new stuff if there are 0-5 photos tagged thus?

Or how about the option of pointing to a particular set?
posted by eyeballkid at 3:26 PM on May 23, 2007


pb, remind me please: what's the URL for your ongoing off-the-flickr-grid project? and/or what's the ETA on it being live & thriving?
posted by Tuwa at 3:27 PM on May 23, 2007


Freud refused to offer financial assistance to his patients. He believed that having to invest one's time and money was a barrier against frivolous and spurious complaints. I personally believe he was a prick and a nutjob, but there's something to be said about providing a minimal barrier of entry on an activity. There were plenty of free photohosts before flickr, but you actually had to take more time to upload them and then code your own page. The knowledge and resources were there for anyone, but there was less wankery because you actually had to have a reason and drive to do it. Regardless, it's a trivial part of my argument to pick at and totally avoids the issue that you removed the image tag for reasons (I'm too wimpy to take a stand against the complaints on either side) other than what you stated (security issue/WMDs in IMGs). Straight up "republican" bullshit, just like Uncle Sam used to make.

There is no reason for us not to have images in our profiles. Our own images, hosted on any site we choose.
posted by Eideteker at 3:29 PM on May 23, 2007 [1 favorite]


Ok. The can of worms is open. You don't need to stir it, malcontent.
posted by Dave Faris at 3:31 PM on May 23, 2007


Faris, you like to stick your nose in every time this argument comes up. You hang around mathowie's ankles like a barky little chihuahua. You just make snide comments to remind us what "side" you're on but seldom make any actual arguments or points. Why not just say, "Yeah, whatever Matt said. You guys are stupid! Nyah!" I welcome you to add something useful to the debate. I won't tell you to shut up, because I'm not some sort of fascist, but I don't find much of what you say useful. Perhaps you would like to expend some of your ample free time and energy gathering the data I requested above, regarding the supposed security flaw with the IMG tag.
posted by Eideteker at 3:36 PM on May 23, 2007 [1 favorite]


Oh, very persuasive. I don't suppose you could illustrate your point?
posted by Dave Faris at 3:37 PM on May 23, 2007


A dancing squirrel playing the harmonica, perhaps?
posted by Dave Faris at 3:38 PM on May 23, 2007 [2 favorites]


Exactly my point. Very informative, sir.
posted by Eideteker at 3:40 PM on May 23, 2007


all splurge forth onto our user MetaFilter pages like so much info-cum from our digital life-cocks?




we need some digital gravy for jack's digital wanger.
posted by sgt.serenity at 3:41 PM on May 23, 2007


Your supposition that we can find a community website that has or hasn't been exploited is flawed. Assuming we could find another community website of the same size and popularity of Metafilter, the fact that they have or haven't been attacked by the security flaw is irrelevant. The key point is that Matt is not prepared to leave the security hole open, no matter how many dancing squirrels you cry over.
posted by Dave Faris at 3:43 PM on May 23, 2007


One wouldn't think by reading this post that the ensuing thread could lead to a flameout.

But, damnit, Eideteker is giving it the old college try!
posted by eyeballkid at 3:43 PM on May 23, 2007 [1 favorite]


Tuwa, my Flickr project is available here. It's not street legal yet, but the code is there for anyone to play with. It works for me.
posted by pb (staff) at 3:46 PM on May 23, 2007 [3 favorites]


Now, remind me again, what's the procedure if you'd like to put photos in your profile but would prefer not to use flickr?

Getting the fuck over it?
posted by Jimbob at 3:53 PM on May 23, 2007 [1 favorite]


That's right, it was Hitler. He hated services that made things easy for anyone to do anything. Only rich smart people should get to have pictures! Down with flickr!

Last I checked, flickr was $29 a year (and that requires a bank account and paypal to pay). The free version is pretty useless due to the upload limits. Bandwidth has come down so much lately that I would imagine that there are plenty of easy to use free services out there for people who don't want to use flickr.
posted by delmoi at 3:57 PM on May 23, 2007


pb - that is excellent work
posted by Razzle Bathbone at 3:57 PM on May 23, 2007


100 MB upload a month is useless? Maybe if you upload files straight from your camera, but I don't see the point of that for a web gallery.
posted by smackfu at 4:00 PM on May 23, 2007


I love flagging posts.
LOVELOVE LOVE it.
posted by konolia at 4:08 PM on May 23, 2007


Perhaps, then, you never noticed the magnifying glass icon, or tried to read small print on Flickr.

"One wouldn't think by reading this post that the ensuing thread could lead to a flameout.

But, damnit, Eideteker is giving it the old college try!"


Hey, I live to entertain.

I admit to heaping scorn on Flickr users (well, the yuppie scum among them) for dramatic effect, but I really do think this is a pretty lame "upgrade" (sidewaysgrade?). It's Matt's site, so I don't suppose anything he works to implement on it can technically be considered "a waste of time", but if I want to see someone's recent flickr images, I can visit their flickr page. Even before this change was implemented, it was possible to link to it in one's profile. Heck, on MeCha, we have a whole wiki page devoted to collecting user's Flickr URLs. From there, I've already added a lot of users to my own flickr friends, so I can see their photos on my flickr contacts page. Do I really need to come to MeFi to see the same thing?
posted by Eideteker at 4:15 PM on May 23, 2007


mathowie: I'll be doing photo uploads soon as well

Maybe chill out with the 'sidewaysgrade' rant, man.

In the mean time, though it's far from a perfect flexible images-in-profiles solution, it does no apparent harm, most people with an opinion so far seem to like it, and it suggests some neat possibilities for future data-driven fun—having a thread with lists of flickr accounts is nice, but having that info actually tied in the db to user accounts is a hell of a lot easier to play with.
posted by cortex (staff) at 4:22 PM on May 23, 2007


No shit, Eideteker. How are you supposed to read that?
posted by Roger Dodger at 4:27 PM on May 23, 2007


"Maybe chill out with the 'sidewaysgrade' rant, man."

I'm taking a wait-and-see* approach on this one. Matt previously said he would be allowing pictures to be added to one's profile, but only from Flickr.

If he actually plans on turning MeFi accounts into some kind of limited internal photohosting, i.e. a small number of images only for use on *.mefi pages, I will be most impressed (and worshipful). Until then, I'm holding off on the Kool-Aid. It smells funny.

If I've learned nothing else from this exercise (and I mean the ongoing saga), it's that I'll never again trust anyone who uses the term "blog" unironically.

* or maybe I should say hate-and-see lolamitrite
posted by Eideteker at 4:27 PM on May 23, 2007


"No shit, Eideteker. How are you supposed to read that?"

Exactly. John is "pro" because he uploads large images. I don't think he'd get by with a free account. Maybe smackfu is one of those FLICKR IS FOR PHOTOS ONLY people. (NOT ILLUSTRATIONIST)
posted by Eideteker at 4:31 PM on May 23, 2007


You seem to follow the Flickr drama pretty well for a hater.
posted by smackfu at 4:32 PM on May 23, 2007


Hmm, each picture is 1.5 megs, he uploads one a day, umm, you get 100 MB per month free. Let me do the math, here. Carry the one... yep. You're an idiot.
posted by Roger Dodger at 4:36 PM on May 23, 2007 [2 favorites]


KNOW THY ENEMY.

No, seriously, is there peoples that don't know about the NIPSA drama? I blame my knowledge of it on iconomy over at MetaChat. Or someone at MetaChat.

(oh, and in case you care, I wasn't hating on you, smackfu. Your question was legitimate and I tried to answer it. Please don't be mad at me. Them's jokes, son. Just don't turn out to be one of those commie IMG haters or I will CRY.)
posted by Eideteker at 4:40 PM on May 23, 2007


Wait, mine's not working. I see the little flickr last six images line but no pictures.
posted by sugarfish at 4:41 PM on May 23, 2007


"You're an idiot."

Name calling = party foul. Please, let's try to be civil. There are other examples, and John has occasionally uploaded other pictures. I myself had that problem, and I wouldn't consider my images ungodly huge. Nor do I upload a ridiculous amount of them. delmoi's point was that flickr is hardly free, which I stand behind.
posted by Eideteker at 4:45 PM on May 23, 2007


"A HREF"

HREF DREF PICTURE LINKER.

"The knowledge and resources were there for anyone, but there was less wankery because you actually had to have a reason and drive to do it."

Haha. You're deranged and I love it! Less wankery when it was just geeks building Geocities galleries!

"I'm taking a wait-and-see* approach on this one."

Oh, Homer, can't you see she'll always pick Wally?
posted by klangklangston at 4:48 PM on May 23, 2007 [1 favorite]


I hate you I hate you I hate you why can't you be like my real dad
posted by smackfu at 4:49 PM on May 23, 2007


Matt - thanks very much for a useful feature. I like it.
posted by chuckdarwin at 4:56 PM on May 23, 2007


Thanks, pb.
posted by Tuwa at 5:01 PM on May 23, 2007


Yay.
posted by treebjen at 5:10 PM on May 23, 2007


John is "pro" because he uploads large images. I don't think he'd get by with a free account.

I had to go "Pro" because Flickr only lets you upload 200 pictures total if you're not paying for it. With my comics project, I knew I'd be posting 365, so I had to start paying. I could have gone with Picasa or something, but everyone I knew was on Flickr, and I already had friends there.

Also, when I "upgraded", my earliest pictures were starting to disappear into the Flickr aether, so my Hamline drawings were about to disappear.

I don't like that Flickr got bought by Yahoo!, and I don't like that there is, in actuality, a 10MB-per-photo limit even if you're paying for Flickr, but I would have made do if I had to post smaller pictures.
posted by interrobang at 5:17 PM on May 23, 2007


see, us crusty roots types, we remember the reason for the PC revolution - when PC meant 'personal computer' and did not specify some corporate-predicated architecture. we remember the fact that when all the computing power is in the hands of the few, all the information is controlled by the few, to the detriment of the many. and that's why we look askance at youth's current infatuation with the Centralized Shiney Widget™. why, you've no sooner succeeded in the control of your own processor cycles, no sooner taken ownership of your own data, than you want to give it all away in some lemming-like dash toward some kind of net-centric shared-data circlejerk! don't forget who owns the internet, my little sillies. don't think for a second that it REALLY routes around damage, or that information won't actually sue the fuck out of you for setting it free. shuck off the tired pseudocybermagic platitudes - the network is NOT the computer, it wants to control your computer. it always has. Flickr, Blogger, etc are not your pals.
posted by quonsar at 5:21 PM on May 23, 2007 [1 favorite]


me want CSS in user profiles. But you're probably working on fixing that...right? RIGHT?!

::continues sobbing in corner::
posted by Brandon Blatcher at 5:22 PM on May 23, 2007 [1 favorite]


You know, I never cared one way or the other about Flickr, but now that I see people hating it with an unreasoning passion, I'm starting to like it.
posted by languagehat at 5:23 PM on May 23, 2007 [4 favorites]


Hey look, the most recent photo from the last 100 mefi members to upload something to flickr, updated hourly:

http://www.metafilter.com/recentphotos.mefi
posted by mathowie (staff) at 5:24 PM on May 23, 2007 [10 favorites]


why, you've no sooner succeeded in the control of your own processor cycles, no sooner taken ownership of your own data, than you want to give it all away in some lemming-like dash toward some kind of net-centric shared-data circlejerk!

Jesus fucking christ on a god damned pony, it's a site that lets you upload fucking pictures. It's not far removed from a fucking BBS, it just doesn't have ASCII porn files of Farrah Fawcett.
posted by eyeballkid at 5:33 PM on May 23, 2007


It's not far removed from a fucking BBS, it just doesn't have ASCII porn files of Farrah Fawcett.

I'm about to go try prove you wrong...
posted by Jimbob at 5:38 PM on May 23, 2007


Look, on further thought, I do kinda agree with Rhomboid - I can understand the frustration when every man and his dog rushes to join the latest hip cool new thing and the other options are ignored - I guess I'm more tolerant here because Flickr is a hip cool new thing that I enjoy.

Anyway mathowie, in this age of XML and RSS and so forth, is there any reason you couldn't, instead of pulling photos from the Flickr API, let people supply their photo RSS feeds instead? I assume that if you do that, people on other photo hosts that provide RSS feeds could join in the loving, and people who host their own photos could probably also cook up an RSS feed if they like.
posted by Jimbob at 5:45 PM on May 23, 2007


Sure Jimbob, I could do that, but no one here has requested that I tie into other services, they've just mentioned how much they hate the very idea of flickr. I guess Zoomr and Photobucket and other services would incur the same wrath.

Plus, with flickr, we can do cool weird stuff like the recent photos page without much trouble.
posted by mathowie (staff) at 5:50 PM on May 23, 2007


If my page is at flickr.com/blahdeeblah/photos, then 'blahdeeblah' would be my username, right? Or am I missing something? I updated my profile a little while ago, but it's still not working :d
posted by theiconoclast31 at 5:50 PM on May 23, 2007


*awakens from swoon on the floor, gathers skirts, perches on chair at laptop, reads #1's last comment*

*A-SWOON*
posted by Ambrosia Voyeur at 5:51 PM on May 23, 2007


theiconoclast31, your flickr username is what you login with, not necessarily what shows up in the URL.
posted by mathowie (staff) at 5:58 PM on May 23, 2007


...because holy bewhoozis, once you upload your photo to Flickr, it's wiped from your hard drive and you'll never control it again and it'll be sold to some Chinese-owned conglomerate where they'll make inferior copies, churn them out in the millions, and cause a global health crisis due to their being tainted with formaldehyde and melamine.

No, wait. It's something that holds copies of your pictures so showing them off doesn't cost you thousands in hosting fees. My error. Sorry.
posted by ardgedee at 5:59 PM on May 23, 2007 [1 favorite]


you people have zero sense of humor.

i know, i know. i'm not funny any more.
posted by quonsar at 6:03 PM on May 23, 2007


Mayday! Coldfusion alert on the Recent Photos by all MeFites page, and thanks for the clarification on the username, it works now!
posted by theiconoclast31 at 6:05 PM on May 23, 2007


mathowie writes "Hey look, the most recent photo from the last 100 mefi members to upload something to flickr, updated hourly:

"http://www.metafilter.com/recentphotos.mefi"


That's a fun page.

There are some formatting issues here and there on the page where the photo titles are overlapping the date lines of the photos above it or the actual photos themselves.
posted by chiababe at 6:09 PM on May 23, 2007


No, wait. It's something that holds copies of your pictures so showing them off doesn't cost you thousands in hosting fees. My error. Sorry

It does sound like quonsar is going over the top. But most of you are ignorant of the battles which have been going on at flickr since its inception. In the NIPSA battle over appropriate content many really good photographers left in disgust because their nude photography was lumped in with porn. There was a similar battle with the illustrators who were basically told: If it's not a photo it doesn't belong here.

Yeah, I know, boo-hoo, they all have other options for hosting their stuff. But the point is that as sites like flickr rise in prominence and become a default option ("Oh, you're a photographer? How do I find you on flickr?") then it's either play by the, sometimes arbitrary, rules or don't play at all.

But yeah, Microsoft is just an OS. Google is just a box on the Internet that helps me find things. Flickr is just a place that saves me bandwidth. That's all true but it has to be backed with a dose of wilful ignorance.
posted by vacapinta at 6:12 PM on May 23, 2007


Please, let's try to be civil.

I think you burned that bridge a ways upthread with all your "fuck this" and "fuck that."

I asked Rhomboid why he objected to Flickr, and I'm still waiting. The only substantive criticism I've understood (apart from an obscure acronym) is delmoi claiming that Flickr's upload limit renders its free version "useless" — which I don't even know how to reply to, except to say that not everything in life is a nail.

If you have a specific criticism, make it. If you have an alternative, suggest it. Seriously, I'm interested. I don't follow the blogosphere and maybe I'm missing out on something. I'd be happy to learn — just as I learned about Flickr from people talking about it here. (And I've found it useful. I particularly like using it to investigate new restaurants, by searching tags from people who photograph their dinner. I love that.)

But that's a different tack from cursing out the admins because you don't like the free, opt-in feature that was just added to MetaFilter. And PS, anybody with this much free time doesn't get to crack about yuppies.
posted by cribcage at 6:14 PM on May 23, 2007


"'http://www.metafilter.com/recentphotos.mefi'

That's a fun page. "


I'll say:

" The web site you are accessing has experienced an unexpected error.
Please contact the website administrator.
"

Matt, how can I set up RSS in my own webspace to work with this feature? I'm willing to meet you halfway on this, if you'll let me do it from my own site, not some third-party.

I'm sorry to be such a prick on this score, but I really don't see how people are delighted about trading a basic internet freedom for a web 2.0 widget. I would like photos from my own domain on my profile page. It seems simple.
posted by Eideteker at 6:15 PM on May 23, 2007


Awesome! Except that took me a minute to remember how many "n"s are in my flickr username.
posted by The Great Big Mulp at 6:17 PM on May 23, 2007


Sure, I don't have complete control over the way flickr organizes and presents my photographs, but I can host, link, and present sets of my photos in lots of different ways without incurring a big investment of time and energy.

It's easy, and it works.

I'm a yuppie, and I endorsed this message.
posted by monju_bosatsu at 6:18 PM on May 23, 2007 [1 favorite]


I think you burned that bridge a ways upthread with all your "fuck this" and "fuck that."

Hey, it's not my fault if you self-identify as a yuppie. I hear there are support groups that can help you with that.
posted by Eideteker at 6:18 PM on May 23, 2007


Eideteker speaks well about this. Flickr is ok, but I'd prefer to have complete control over my photos.
posted by Brandon Blatcher at 6:19 PM on May 23, 2007


I really don't see how people are delighted about trading a basic internet freedom for a web 2.0 widget

I'm not so sure about "freedom." Sure you can do it on a lot of other sites. But Matt controls the site. Thus, basic html is a privilege. :P

We're not trading anything. Something was taken away. A while ago. Now Matt has given us something. It's a bit more akin to "take it or leave it" than "trading."
posted by CitrusFreak12 at 6:21 PM on May 23, 2007


That being said, yeah I'd love to have the img tag back, and I'd love more customization as well. Just fyi.
posted by CitrusFreak12 at 6:22 PM on May 23, 2007


hating it with an unreasoning passion

I have plenty of reasoned passion, but I don't feel like explaining it all in this already huge thread. Just because I don't feel like typing out a long essay on the history of my experiences with flickr doesn't mean you dismiss me as illogical.
posted by Rhomboid at 6:23 PM on May 23, 2007


*you can
posted by Rhomboid at 6:25 PM on May 23, 2007


I am still waiting for data about how this massive IMG exploit equals the end of all human life as we know it.
posted by Eideteker at 6:29 PM on May 23, 2007




Rhomboid, you suck as an activist.
posted by Ambrosia Voyeur at 6:35 PM on May 23, 2007


Eideteker, back when I first took it away, people showed several proof-of-concept examples on how it worked. I didn't have any way to stop them, so in the interest of keeping things secure, I removed it. I'm not interested in bringing things back. Any time I load and execute data from other servers, I open people up to security risks and I decided to keep the issue a solved one by removing the ability to externally reference a file on another server.

I'm not going to do RSS parsing into profiles because there are about a dozen versions of RSS and people format images for RSS 50 different ways that a parser would have to handle, whereas adding an optional flickr username field took two lines of code and was completely deployed in about 30 minutes.

A few users have spoken loud and clearly that they don't like flickr. I'm surprised by the amount and extent of the outrage so I might as well warn you all that MSN, GoogleTalk, and Yahoo IM ids will be added soon, delicious, last.fm, and twitter usernames can be added, and finally, an uploadable profile jpg that displays on your page will be added. Hopefully people can see these are entirely optional enhancements you can voluntarily add to your profile and page if you like, and I'll do stuff with the information like grab your last x entries at each service and/or provide links to your profiles there as well.
posted by mathowie (staff) at 6:36 PM on May 23, 2007


CF: See my earlier comment. There is no exploit to speak of. Smoke and mirrors, absent actual facts.
posted by Eideteker at 6:36 PM on May 23, 2007


CF: See my earlier comment. There is no exploit to speak of. Smoke and mirrors, absent actual facts.

So Matt's a liar, then?
posted by CitrusFreak12 at 6:39 PM on May 23, 2007


lolz i'm in ur img src, drayning ur bank acount
posted by quonsar at 6:41 PM on May 23, 2007


There is no exploit to speak of.

Go read the Cross Site Scripting (XSS) Cheat Sheet. Pay special attention to the XSS attacks that abuse the IMG tag. Presumably I don't need to explain why executing arbitrary javascript is a bad idea, but if I do, go read the XSS wikipedia article.
posted by paulus andronicus at 6:44 PM on May 23, 2007


I really don't see how people are delighted about trading a basic internet freedom for a web 2.0 widget.

Are you serious? "Basic internet freedom?" What is this freedom and where can I find it? More to the point, do you really think that the inclusion of this Flickr feature into MeFi somehow curtails your ability to do anything at all that you currently do on the internet? That's pretty absurd.
posted by wemayfreeze at 6:47 PM on May 23, 2007 [1 favorite]


Nthing the request to pretty-please allow specification of a tag, so we can choose what six photos to show.
posted by dmd at 6:50 PM on May 23, 2007


Matt, thanks for the update. I look forward to the uploadable profile image. It will mean I can actually update my profile so people stop asking me how my psychology classes are going (they aren't, anymore).

"Eideteker, back when I first took it away, people showed several proof-of-concept examples on how it worked."

Was that in this thread? Because I don't get it. I see Rhomboid's favorite thing, but you mentioned that that was already fixed before the thread had closed. I also don't understand how turning IMGs into HREFs like on MetaChat doesn't fix this. I would like the option to opt-in to viewing images, because I'm not really worried about the consequences. You have never responded to me when I suggest this implementation, other than to wave your hands mysteriously and say "it won't work." You never explain why. I think the reason I am so belligerent is because of this evasiveness more than anything. I like your site and I do not wish to see it or you ruined by malicious hackers.

"I might as well warn you all that MSN, GoogleTalk, and Yahoo IM ids will be added soon, delicious, last.fm, and twitter usernames can be added"

The outrage is not (in my case) at the sites themselves (despite earlier joking/mocking commentary), but rather at having the independence that once was the heart of the internet stripped. It is not that I have to go through any particular site (though I really don't need any more logins), it is that we are forced to go through any such site when we have perfectly good hosting of our own.
posted by Eideteker at 6:56 PM on May 23, 2007


I really don't see how people are delighted about trading a basic internet freedom for a web 2.0 widget.

It's a tool, a convenience, especially for those of us who work or drink too hard to be bothered coding our own internets, and its popularity makes it pervasive, but you can abstain or promote alternatives without being a maroon about it.

He probably hates commercial clothing manufacturers as well for curtailing his ability to wear a paste of cheetos and elmer's glue as adornment.
posted by Ambrosia Voyeur at 6:57 PM on May 23, 2007


Eideteker: I run a biggish site that was completely exposed by this exploit. Closing it meant either turning images off, or (what we chose) a massive code rewrite -- that took us off the air for a month and the after-effects of which are still being felt. Since Matt doesn't want to take MeFi down for months and isn't a professional coder, I completely understand why he chose the former.

If you want more details, email's in profile.
posted by bonaldi at 6:57 PM on May 23, 2007


I also don't understand how turning IMGs into HREFs like on MetaChat doesn't fix this

Yeh? Click on this image (it's safe):
http://bonaldi.thehold.net/t/test.jpg
posted by bonaldi at 6:59 PM on May 23, 2007 [1 favorite]


I also don't understand how turning IMGs into HREFs like on MetaChat doesn't fix this

Dude. That shit is for yuppies.
posted by eyeballkid at 7:04 PM on May 23, 2007


From paulus' link:

"Note from the author: XSS is Cross Site Scripting. If you don't know how XSS (Cross Site Scripting) works, this page probably won't help you."

Guess I am shit out of luck. Maybe you have a link that actually explains it? Explain meaning "convey information to someone who does not already have it." Make it simple. I try, but I have not yet mastered being an expert at everything.

"do you really think that the inclusion of this Flickr feature into MeFi somehow curtails your ability to do anything at all that you currently do on the internet?"

My complaint is if this is being offered as an appeasement for having something ubiquitous on the internet revoked on this site, it's a pretty shitty appeasement. As a feature, sure, it's nice and it works and it's certainly not designed for me, so I'm not the best judge of how cool it is.

Bonaldi, I don't know that image is safe, so I won't click on it. Why do we have to save everyone from themselves? Wasn't "don't click on a link you don't recognize!" drilled into everyone in internet 101 class back at the learning annex? Wasn't that the lesson taught to millions by goatse? Not displaying the image inline means I can choose whether or not I trust it. CHOICE. MY CHOICE. Christ, I hadn't realized how far we'd fallen from the basic concept of individual responsibility.
posted by Eideteker at 7:05 PM on May 23, 2007


CHOICE. MY CHOICE. Christ, I hadn't realized how far we'd fallen from the basic concept of individual responsibility.

So make the fucking choice to post IMGs as HREFs then -- nothing's stopping you.
posted by bonaldi at 7:12 PM on May 23, 2007


Guess I am shit out of luck. Maybe you have a link that actually explains it? Explain meaning "convey information to someone who does not already have it." Make it simple. I try, but I have not yet mastered being an expert at everything.

Actually, I did have a link in my comment that explained XSS. Did you read the Wikipedia page I linked to? Here, I'll link to it again. Cross-site scripting.
posted by paulus andronicus at 7:13 PM on May 23, 2007


"Note from the author: XSS is Cross Site Scripting. If you don't know how XSS (Cross Site Scripting) works, this page probably won't help you."

Guess I am shit out of luck. Maybe you have a link that actually explains it? Explain meaning "convey information to someone who does not already have it." Make it simple. I try, but I have not yet mastered being an expert at everything.


So your argument boils down to "I don't know how this is done, therefore it can't be done."

Here's a link you might find interesting, if someone explained it, which I won't, and which therefore doesn't yet actually exist in your world. So please do ignore it.
posted by Tuwa at 7:14 PM on May 23, 2007


My complaint is if this is being offered as an appeasement for having something ubiquitous on the internet revoked on this site, it's a pretty shitty appeasement.

Where does it say it's an appeasement for removal of the IMG tag? Look at mathowie's original post. This isn't a replacement for the IMG tag. It's something new. It doesn't do the same thing as having the IMG tag did. It's part of a wider addition of features, like del.icio.us and twitter accounts, to our profile pages.

What made you think this was something to make up for removal of the IMG tag?
posted by Jimbob at 7:15 PM on May 23, 2007


Was that in this thread?

Eideteker, if you look at the XSS cheatsheet, over half of the exploits worked on metafilter. I started doing some more regex code stuff and a couple members over IM showed they could still get around the regex and run javascript off their servers, fetching any cookie detail they wanted. I don't have the time, patience, and knowledge to make img src loading on mefi safe for everyone, so I turned it off. Making it an option to display inline doesn't solve the issue, so I never entertained the idea of adding it.

Same thing with the custom CSS profiles code. In a matter of a few hours, several users showed how you could run any off-site exploit you wanted in IE and Firefox, and even when coding for those specific exploits, there were still risks with loading remote files in CSS. So I took that away. Loading remote files on mefi leads to dodgy stuff being possible so I've done what I can to minimize it.

This new flickrstream on your userpage has nothing to do with the img tag, people in another thread were asking why they couldn't customize their profiles with their various accounts and photos hosted elsewhere and I realized it was very easy and safe to deploy so I did.
posted by mathowie (staff) at 7:15 PM on May 23, 2007


Bonaldi, I marked your comment as a favorite. My e-mail isn't working right now and I'm away from my home computer. I plan to e-mail you when I get home, thanks.
posted by Eideteker at 7:15 PM on May 23, 2007


Okay, sorry to get in the middle of all this but can anyone see anything in my profile? Am I too dumb to figure out my flickr username? I tried the yahoo address that I log in with, and the other yahoo address that has a period in it, and my display name.
posted by sugarfish at 7:27 PM on May 23, 2007


So make the fucking choice to post IMGs as HREFs then -- nothing's stopping you.

I can have the hanging OR the execution by firing squad? Gee, forced choices are fun. OR: (less sarcastically) We got both kinds of music, Country AND Western.

So your argument boils down to "I don't know how this is done, therefore it can't be done."

No, I don't know how it works, so explain it to me, and without being a snotty neckbeard about it.

At least now I'm starting to get some information about it, whether or not it is imparted with nastiness. I am not above doing my homework, so I will read the links provided and do my best to understand the exploit. I still cannot understand how if this is such a well-known horrible thing the entire internet has not been levelled by it, though. As I said, I like Mefi and do not want to see it destroyed. But I also don't want to see "ho ho, we know what's best for you but it's too complex for you to ever understand so here is some w2.0 shininess for you."

Matt, I took this to be your "people will be able to add images to their profile, but ONLY with Flickr™" feature as hinted at in earlier MeTa threads. I'm sorry for jumping to that conclusion. I still object to being forced to go through a specific site, but I look forward to the uploadable image (as long as it can be placed anywhere in the profile, and can be wrapped in a HREF as mine is now). Thank you for that concession.
posted by Eideteker at 7:27 PM on May 23, 2007


So as I understand it, the only remaining MetaFilter exploit that would be exposed by the return of the IMG tag is the execution of arbitrary javascript in the metafilter.com context by IE + Opera, and the only reason this is bad is the fact that you store a hashed 'USER_PASS' in a cookie?

Using a login.metafilter.com subdomain for the authentication cookie doesn't solve this?
posted by blasdelf at 7:29 PM on May 23, 2007


Okay, sorry to get in the middle of all this

Please, feel free to break the monotony of me shouting into a wind tunnel.

but can anyone see anything in my profile?

I cannot.

Anyhow, I'm going to bed soon. Sorry to disappoint anyone hoping for a flameout; I've only got a few more in me tonight at most.
posted by Eideteker at 7:30 PM on May 23, 2007


I may have accidentally explained this to Eideteker. My bad guys, I've let the obscurantist hand-wavers club down!
posted by blasdelf at 7:33 PM on May 23, 2007


Aaah! The commenting, it is asynchronous!
posted by blasdelf at 7:34 PM on May 23, 2007


OR: (less sarcastically) We got both kinds of music, Country AND Western.

Sorry, you've got me confused now: you asked why you can't post images as HREFs like you can on MetaChat, but then I realised that you can.

If you just want it done automatically when people post IMG SRCs, I think that's pretty dangerous on a social level -- we'd start to see lots of .jpg links, and like I showed, it's all too easy to post one of them that isn't.

and the only reason this is bad is the fact that you store a hashed 'USER_PASS' in a cookie?
Ooh, I hope you win this argument so I can be all postin' as blasdelf real soon now. (unsnarky) No, there's lots more fun to be had with domain-level scripting than just password-hash stealing.
posted by bonaldi at 7:35 PM on May 23, 2007


but can anyone see anything in my profile?

sugarfish, when I click through to flickr from the link on your profile ("elizaevans"), I get a flickr page that says this:

ElizaEvans doesn't have any photos available to you.

Do you have any photos uploaded under that account? If so, are they restricted to friends or family?
posted by cortex (staff) at 7:46 PM on May 23, 2007


Cortex: my flickr page is at flickr.com/photos/elizaevans -- you can get to it from my website link. I tried to add my yahoo login, then my yahoo login @yahoo.com, then my alternate yahoo address.
posted by sugarfish at 7:56 PM on May 23, 2007


This isn't working for me, either. At first I put in my URL name (sbutler) and that brought up pictures, but not mine. Then I stuck in my yahoo login (stephenbutler4) and nothing's happened since (it's been about an hour or so).
posted by sbutler at 8:06 PM on May 23, 2007


1) [citation(s) needed] on this bullshit.
posted by Eideteker at 6:23 PM on May 23 [+][!]

2) There is no reason for us not to have images in our profiles. Our own images, hosted on any site we choose.
posted by Eideteker at 6:29 PM on May 23 [+][!]

3) I am still waiting for data about how this massive IMG exploit equals the end of all human life as we know it.
posted by Eideteker at 9:29 PM on May 23 [+][!]

4) Eideteker, back when I first took it away, people showed several proof-of-concept examples on how it worked.
posted by mathowie at 9:36 PM on May 23 [+][!]

5) CF: See my earlier comment. There is no exploit to speak of. Smoke and mirrors, absent actual facts.
posted by Eideteker at 9:36 PM on May 23 [+][!]

6) Go read the Cross Site Scripting (XSS) Cheat Sheet. Pay special attention to the XSS attacks that abuse the IMG tag. Presumably I don't need to explain why executing arbitrary javascript is a bad idea, but if I do, go read the XSS wikipedia article.
posted by paulus andronicus at 9:44 PM on May 23 [+][!]

7) Maybe you have a link that actually explains it? Explain meaning "convey information to someone who does not already have it."
posted by Eideteker at 10:05 PM on May 23 [+][!]

8) So your argument boils down to "I don't know how this is done, therefore it can't be done."
posted by Tuwa at 10:14 PM on May 23 [+][!]

9) No, I don't know how it works, so explain it to me, and without being a snotty neckbeard about it.
posted by Eideteker at 10:27 PM on May 23 [+][!]

Never mind this thread and this thread, which you posted in and which together with today's posts indicates that you did know about prior discussions of using the image tag for cross-site scripting.
posted by Tuwa at 8:06 PM on May 23, 2007 [1 favorite]


Heck, on MeCha, we have a whole wiki page devoted to collecting users' Flickr URLs.

Meh meh meh meh! DAAADDD! Mom said I could have my own wiki! SHE SAID!
posted by grapefruitmoon at 8:07 PM on May 23, 2007


Well, matt, as usual no good deed goes unpunished.

Sorry about that, man.
posted by konolia at 8:07 PM on May 23, 2007


cortex, sugarfish: that's strange; clicking the link from sugarfish' profile gives the "no photos available to you" text, but pasting in the link sugarfish posted does show them. ... No idea what that means.
posted by Tuwa at 8:09 PM on May 23, 2007


sugarfish: try "eliza evans" in the flickr field.

sbutler: try "stephen.butler"

This shit may need some clarifying documentation. Heh.
posted by cortex (staff) at 8:10 PM on May 23, 2007


Ahh ha! Thanks cortex, that made it work.

I must admit, I've got a huge identity crisis going on with Flickr.
posted by sbutler at 8:14 PM on May 23, 2007


::actually takes the time to upload some photos to flickr::

Oh cool. That IS kinda neat.
posted by Brandon Blatcher at 8:17 PM on May 23, 2007


you got it cortex. Just to clarify, your Flickr photostream URL is not necessarily your Flickr username. Also, your Yahoo! login is not necessarily your Flickr username. (Due to old skool logins and migrating pre-buyout accounts to the Yahoo login system.) All of these can be different strings.

To find your Flickr username, sign into Flickr and take a look at the line at the top of the page that says, "Signed in as...". Whatever appears there as a link is your Flickr username.
posted by pb (staff) at 8:18 PM on May 23, 2007


Eideteker, you're really coming across as an ignorant jerk with serious self-entitlement issues in this thread...


... are you sure you're not a yuppie?
posted by Alvy Ampersand at 8:23 PM on May 23, 2007


Cortex, you're a peach. pb, thank you for explaining further. I hope to never have to remember my flickr username again.

Just now I realize I've had the wrong link in my profile for months. Woe!
posted by sugarfish at 8:28 PM on May 23, 2007


pb - thanks for the info.. I was trying every combination of Flickr name / user ID I could think of and getting nowhere.

O Fearless Leader - I likey! Looking forward to being able to add other IDs as well.
posted by your mildly obsessive average geek at 8:34 PM on May 23, 2007


Matt, this is why almost all forums realized ages ago that giving users access to a dumbed down html was extraordinarily hard to filter. Instead of going from top down, they went from bottom up and created a new tag system which became pseudostandardized as BB code. When you switch to using [img]url[/img] to create an inline image, it lets you: entity-ify out < and > completely; not worry about whether the user used ' or " or nothing to quote the url after HREF; not have to filter any other attributes such as style= or onload=; scan URL to be sure it only has url-safe characters and no sneaking in something that a browser might parse as code. Even with this extremely simplified set of restrictions, there have still been a large, large number of exploits in BB code based post parsers, but this is primarily due to the authors continuing to use regular expressions for this task, and REs are just not the right tool for this job. Your browser uses a parser, so should the code that's trying to sanitize the user input so that it can't be read by the browser as code accidentally.

So this takes away the XSS aspect, but it still leaves the aspect where by allowing the user to post a URL that is an automatic GET from every page view by every user. Damage can still be done there, but if it is, it is a much different problem. And here you've already done the work to solve it for mefi. Other sites and services may have not, but tough titties for them as they need to do it some time and preventing users from being able to post images because other sites have sucky admins is kind of a soft excuse.

And likewise with the user page customizations. You could get a lot of mileage from something like the following:

Primary Foreground Text Color: [_____]
Contrasting Foreground Text Color: [_____]
Background Text Color: [_____]
Font Family: [_____]
Font Height: [_____]
Background image: [_____]
BG Repeat/Stretch: {} {}

Each of those would be a simple color value, font size, image URL, etc. You can filter these ruthlessly because there can't possibly be any tags or delimiters, each specifies exactly one thing. Then you output a fixed stylesheet that incorporates these. The user has no control of the stylesheet itself, but can still do a lot of customization still.
posted by Rhomboid at 8:41 PM on May 23, 2007
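The two suggestions in the comment above, sketched as an added example (not MetaFilter's code and not code from anyone in the thread): comment text is entity-escaped in full and only a validated `[img]url[/img]` pair becomes an `<img>`, and profile styling is built from single-valued fields checked against allowlists. The field names, font list, size limits and defaults are assumptions. It addresses markup injection only; the viewer's browser still requests whatever URL is accepted.

```python
import html
import re
from urllib.parse import urlsplit

# Allowed URL characters: no quotes, angle brackets, square brackets, parentheses,
# backslashes, whitespace or control characters (assumed policy for this sketch).
_URL_SAFE = re.compile(r"[A-Za-z0-9\-._~:/?#@!$&*+,;=%]+")
_HEX_COLOR = re.compile(r"#[0-9a-fA-F]{6}")
_FONTS = {"serif", "sans-serif", "monospace", "Georgia", "Verdana"}  # assumed allowlist
_REPEAT = {"repeat", "no-repeat"}
OPEN, CLOSE = "[img]", "[/img]"  # lower-case tags only, to keep the scanner simple


def safe_image_url(url):
    """Return url if it is an absolute http(s) URL of allowed characters, else None."""
    if len(url) > 2048 or not _URL_SAFE.fullmatch(url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return url


def render_comment(text):
    """Scan left to right; everything is escaped except validated [img] pairs."""
    out, pos = [], 0
    while True:
        start = text.find(OPEN, pos)
        end = text.find(CLOSE, start + len(OPEN)) if start != -1 else -1
        if start == -1 or end == -1:
            # No further complete tag: the rest is plain, escaped text.
            out.append(html.escape(text[pos:], quote=True))
            return "".join(out)
        out.append(html.escape(text[pos:start], quote=True))
        url = safe_image_url(text[start + len(OPEN):end])
        if url is None:
            # Rejected URL: show the tag as inert text instead of guessing a repair.
            out.append(html.escape(text[start:end + len(CLOSE)], quote=True))
        else:
            # The only markup ever emitted is this fixed template.
            out.append('<img src="%s" alt="user image">' % html.escape(url, quote=True))
        pos = end + len(CLOSE)


def build_stylesheet(fields):
    """Emit a fixed stylesheet from validated single-valued fields.

    Invalid or missing values fall back to defaults; nothing is copied unchecked.
    """
    def color(name, default):
        value = fields.get(name, "")
        return value if _HEX_COLOR.fullmatch(value) else default

    font = fields.get("font_family", "")
    font = font if font in _FONTS else "sans-serif"
    try:
        size = int(fields.get("font_height", ""))
    except ValueError:
        size = 12
    size = min(max(size, 8), 32)  # clamp to an assumed sane range
    background = safe_image_url(fields.get("background_image", ""))
    repeat = fields.get("bg_repeat", "")
    repeat = repeat if repeat in _REPEAT else "no-repeat"

    css = ["body {",
           "  color: %s;" % color("fg", "#000000"),
           "  background-color: %s;" % color("bg", "#ffffff"),
           "  font-family: %s;" % font,
           "  font-size: %dpx;" % size]
    if background:
        css.append('  background-image: url("%s");' % background)
        css.append("  background-repeat: %s;" % repeat)
    css.append("}")
    css.append("a { color: %s; }" % color("contrast", "#0000ee"))
    return "\n".join(css)


if __name__ == "__main__":
    # Constructed sample input.
    print(render_comment("look: [img]http://example.com/cat.jpg[/img] <b>bold?</b>"))
    print(build_stylesheet({"fg": "#112233", "font_height": "400"}))
```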


fwiw Sugar, I see your images fine
posted by edgeways at 8:46 PM on May 23, 2007


So this takes away the XSS aspect
No it doesn't. BBCode [img] would still translate into an img src when it hit the browser, and that's when the groovy little scripts come into play.
posted by bonaldi at 8:47 PM on May 23, 2007


I already addressed that. Being able to make the user unknowingly GET a URL is not an exploit, it is a bug in the site's code if it has any effect.
posted by Rhomboid at 8:56 PM on May 23, 2007


No, you're thinking of first-hand attacks, like putting a metafilter.com url in as your image link. But if your image is actually a script, you can make a user's browser do a whole lotta other shit.
posted by bonaldi at 9:00 PM on May 23, 2007


I like this feature. Thank you for adding it.

I would be a yuppie (young urban professional) except I moved to the suburbs.

Hating on flickr is dumb.
posted by mattbucher at 9:00 PM on May 23, 2007


You can make the user's browser do exactly one thing, redirect to any arbitrary URL. But it's still a GET, and no GET, no matter what it is, should be able to cause any damage when fetched. It says that in the HTTP spec. And if you have a site that does use GETs for state change, you are vulnerable regardless of whether you let user post images, since there are still plenty of other sites that let users post images.
posted by Rhomboid at 9:07 PM on May 23, 2007


By the way, while we're on the topic I'd just like to say the following: If it comes down to a choice of never having inline images on metafilter ever again versus switching to BB code (i.e. [url] and [img]) and having inline images but forever losing some of the quirky things we have now like titles (i.e. being able to do <A href="whatever" title="some additional text here">), I would rather have the former. As much as I loved inline images and trainwreck/deletion threads, I think I have come to appreciate the all-text nature the site has become.
posted by Rhomboid at 9:39 PM on May 23, 2007


Well, matt, as usual no good deed goes unpunished.

Sorry about that, man.
posted by konolia at 8:07 PM on May 23


I don't see it that way. People here are just having a discussion. Sure, there's some criticism and analysis going back and forth but that's more the nature of this place.

I posted a comment above criticizing flickr. Out of context it seems as if I hate them. But that would be far from the truth. I am one of flickr's earliest users - and I mean I was in the first 100 or so to sign up! - and I've been there since. I've signed up tens of friends, defended them in other forums, spent a lot of time helping new users, and was a former admin of FlickrCentral - the largest group. I've met most of the Flickr staff in person.

But I don't have time to append that here. I'm depending on context which is more natural I suppose in real-life conversations.

Likewise with criticising and commenting on this new feature. You know I care about this place or I wouldn't have hung around for the past 6 years. I am supposing it is the same with anyone who bothers to hang around metatalk no matter how caustic they seem. Whenever Matt changes the color of the wallpaper in one of the rooms of this house, we all want to stand around and gaze at it and offer our comments.

It's like a colleague said to me once after he said something mildly critical of me: "If I appear to be your biggest critic, it is because I am also your biggest fan."
posted by vacapinta at 11:14 PM on May 23, 2007


Well said väcäpinta. Now sit up straight you slovenly bastard. And what's with that haircut man?
posted by peacay at 11:22 PM on May 23, 2007


I like it. But I only have 6 photos at Flickr at present. Time to upload some new ones I think.
posted by MrMustard at 1:06 AM on May 24, 2007


What is with online communities and getting uppity recently? It's like every user on every site wants to be a night-of-the-digg fuck-the-establishment martyr. You have the patience of a saint, Matt, and for that I salute you.
posted by potch at 1:53 AM on May 24, 2007


Hey, this is really cool, Matt. Thanks.
posted by liquorice at 3:07 AM on May 24, 2007


Now everyone click on my profile. The photos therein will change your life.
posted by liquorice at 3:11 AM on May 24, 2007 [1 favorite]


"Never mind this thread and this thread, which you posted in and which together with today's posts indicates that you did know about prior discussions of using the image tag for cross-site scripting."

Of course I knew about them. I asked for explanations of the flaw and never received them.

"Eideteker, you're really coming across as an ignorant jerk"

Please read the threads Tuwa linked to, as well as the original img-ban thread I linked to. I have been calm and patient in the past and it's gotten me nowhere. But, if it helps, imagine Mr. Rogers reading every one of my comments in this thread.
posted by Eideteker at 4:01 AM on May 24, 2007


[this is cool]
posted by dg at 4:19 AM on May 24, 2007


pb writes 'To find your Flickr username, sign into Flickr and take a look at the line at the top of the page that says, "Signed in as...". Whatever appears there as a link is your Flickr username.'

A-ha! - thanks pb, that was the one option I'd forgotten about. Silly that there are three (or more?) username possibilities when it comes to Flickr.
posted by jack_mo at 5:45 AM on May 24, 2007


No, I don't know how it works, so explain it to me, and without being a snotty neckbeard about it.
posted by Eideteker at 10:27 PM on May 23


Perhaps it would be better not to criticise mathowie on a topic you know nothing about?
posted by Olli at 5:58 AM on May 24, 2007


You could almost do the username determination automatically, if you used Flickr's Authentication services. Unfortunately, even at the lowest auth level MeFi would end up with read access to your private photos which is a bit too much.
posted by smackfu at 6:00 AM on May 24, 2007


So this image exploit ... can it be achieved retrospectively?
posted by strawberryviagra at 6:29 AM on May 24, 2007


Now everyone click on my profile. The photos therein will change your life.

My life, she is--how you say--changed forever!

So this image exploit ... can it be achieved retrospectively?


Exactly what I was thinking last night!
posted by CitrusFreak12 at 6:51 AM on May 24, 2007


I was in your head, thinking your thoughts.
posted by strawberryviagra at 6:58 AM on May 24, 2007


Mr. Rogers needs to start taking his meds again.
posted by Dave Faris at 7:03 AM on May 24, 2007


For some reason, I can't see the flickr pics on any profile but mine. Since yesterday I have let several profiles load and load for several minutes to no avail. I see this at the bottom of the page: "Last 6 images uploaded to www.flickr.com" but they never show up. Any idea?
posted by bru at 7:06 AM on May 24, 2007


I love this! Thanks, Matt!
posted by Lynsey at 9:20 AM on May 24, 2007


Please read the threads Tuwa linked to, as well as the original img-ban thread I linked to. I have been calm and patient in the past and it's gotten me nowhere.

Time for Plan B(elligerence)? 'Cuz that always works.

But, if it helps, imagine Mr. Rogers reading every one of my comments in this thread.

Yeah, because I'm the fragile one in this MeTa who's overreacting and needs to calm down.
posted by Alvy Ampersand at 9:56 AM on May 24, 2007


Sweet feature. Thanks.
posted by vagabond at 10:17 AM on May 24, 2007


Also, is there a link to http://www.metafilter.com/recentphotos.mefi on the front page that I'm missing? If there isn't, could there be?
posted by Lynsey at 10:56 AM on May 24, 2007


smackfu: Just create another Flickr account, upload six photos to it, and use that in your profile rather than your normal one.

Thanks for the tip. That's what I did.
posted by terrapin at 11:44 AM on May 24, 2007


I'm disappointed anonymous hasn't taken the option to add photos to their profile.
posted by Abiezer at 2:44 PM on May 24, 2007


This feature rocks. Thanks, matt. I'm looking forward to the del.icio.us/twitter/etc hotness that's in the mail.
posted by mullingitover at 3:10 PM on May 24, 2007


What the F*** is twitter by the way?
I was offline that month i think.
posted by sgt.serenity at 5:33 PM on May 24, 2007


Yeah, I want to know what twitter is too and I can't be bothered to search for it myself. Oh wait, yes I can. Or, um, maybe I'm still confused. Yeah, I have no idea either. If I can't figure out from the Web site what a Web "thing" does, I probably don't want to use it.

Ooh, look, something shiny!

*rushes off*
posted by dg at 11:11 PM on May 24, 2007


Oh my word, it's total bollocks isn't it?
posted by sgt.serenity at 5:43 AM on May 25, 2007


It does sound like quonsar is going over the top.

the whole point of being quonsar is to go over the top.
posted by quonsar at 5:58 AM on May 25, 2007 [1 favorite]


That 100 most recent pics page, does it only show one pic per user? One of my pictures seems to have disappeared now I've uploaded a new one.
posted by MrMustard at 6:24 AM on May 25, 2007


Just so, MrMustard. It's really the first photo in the stream of the 100 users who have most recently uploaded a photo.
posted by cortex (staff) at 6:34 AM on May 25, 2007


sgt.serenity: "What the F*** is twitter by the way? I was offline that month i think."

Are you also unfamiliar with Google?
posted by Plutor at 7:32 AM on May 25, 2007


I have been calm and patient in the past and it's gotten me nowhere.

"I asked nicely, and Matt said no. That justifies my temper tantrum."

What I don't understand is, I see your name frequently in the meet-up threads. If I behaved like a self-entitled asshole on a regular basis, I think I'd be ashamed to show my face at a meet-up. And likewise, if I attended meet-ups regularly, I think I'd be less inclined to behave like an asshole on the site. Yet you juggle both.
posted by cribcage at 7:49 AM on May 25, 2007


Don't be too hard on him. It's easy to get carried away in these threads, especially when it seems like everyone is ganging up on you, and telling you that you're an idiot.
posted by Dave Faris at 8:18 AM on May 25, 2007


Just so, MrMustard.

Thanks for the clarification, cortex.
posted by MrMustard at 1:52 PM on May 25, 2007


Somehow I missed the party on this one. This is supercool.

While you're adding all of those widgets, howbout putting librarything on the list?
posted by roll truck roll at 5:20 PM on May 25, 2007


It should be noted that the photos must have privacy settings set to "Anyone".
posted by jaronson at 12:23 PM on May 26, 2007


At least now I'm starting to get some information about it, whether or not it is imparted with nastiness. I am not above doing my homework, so I will read the links provided and do my best to understand the exploit. I still cannot understand how if this is such a well-known horrible thing the entire internet has not been levelled by it, though.

This is a community -- very few communities react well to someone loudly shouting about a problem they don't understand and are unwilling to learn about on their own. Nevertheless, let's give it a try, if only to see if you're full of shit about intending to be productive in this thread.

Put simply, XSS issues allow malicious users to trigger unintended behaviors when other users do normal actions like requesting a page. In the example of an image tag, merely requesting a remote image could cause a script to be executed, which could do things like (for one simple example) providing your MeFi password to the attacker's remote site.

It's just plain irresponsible for any community site owner to permit even a single known XSS issue to go unresolved -- it's not just a threat to MeFi, in this case, but could leave the door open to chained attacks on other sites, or attacks based on the fact that many people use the same password on more than one site, with the same username.

You claim to want to host all of your own content in a decentralized way on your own server. If this is the case, and you don't even have a basic understanding of what an XSS issue is, let alone what it's capable of causing, then you're not qualified to really be hosting your own applications.

The truth of the matter is, MetaFilter is a centralized community site for sharing and providing feedback around media created by its members. Just like Flickr. If Flickr is so fundamentally upsetting to you, you will almost certainly eventually object to MetaFilter, and should probably leave now and start your own site to host all of your own conversations where you can be a tyrant about which sources of external photos are permitted.

(Just, please, if you do so, do it by publishing static web pages. We don't need someone who knows nothing about server security hosting his own applications on a public-facing web server.)

And finally, as quonsar said,
when all the computing power is in the hands of the few, all the information is controlled by the few, to the detriment of the many
When you argue for the requirement that people be familiar with all the intricacies of HTML and servers hosting one's own applications on a domain, just to put content on the web, you are arguing for all the computing power to be in the hands of the few. Requiring advanced technical knowledge just to participate in community online is an outrageously high barrier, as you yourself have demonstrated through your ignorance. Saying "you need to learn to be a web geek to communicate on the web" is nothing less than unbridled egotism and is the kind of thing technologists do to amplify and exacerbate the barriers to people of new social groups and classes getting the most of the web.

Though your repeated attacks on a straw yuppie (really? attacking yuppies? isn't it about 20 years late for that?) reveal that you're clearly not serious about the issues you've raised, I hope you can see that you're not just ignorant about these issues, you're also a hypocrite.

Finally: It's just a photo link in your profile on a goddamned website. Shouldn't you be out hunting those who are young, upwardly mobile, and professional?
posted by anildash at 9:03 PM on May 27, 2007
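
The image-tag risk described in the comment above, seen from the site's side, as an added example that is not part of the thread and not MetaFilter's code: an allowlist filter for comment HTML that either drops `<img>` entirely (the img ban) or keeps it only with an absolute http(s) source and no event-handler attributes. The `ALLOWED` policy and the names `sanitize`, `safe_url` and `CommentSanitizer` are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical comment-form policy: tag -> attributes allowed to survive.
ALLOWED = {"a": {"href"}, "b": set(), "i": set(), "em": set(),
           "strong": set(), "img": {"src", "alt"}}

def safe_url(value):
    """Accept only absolute http(s) URLs (no javascript:, data:, relative).
    Whitespace and control characters are removed before the scheme check."""
    cleaned = "".join(ch for ch in value if ch > " ")
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return False
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)

class CommentSanitizer(HTMLParser):
    def __init__(self, allow_images):
        super().__init__(convert_charrefs=True)
        self.allow_images = allow_images
        self.out = []

    def _permitted(self, tag):
        return tag in ALLOWED and (tag != "img" or self.allow_images)

    def handle_starttag(self, tag, attrs):
        if not self._permitted(tag):
            return  # unknown tag dropped; any text inside is still escaped
        kept = {n: v or "" for n, v in attrs if n in ALLOWED[tag]}  # no on*=
        for name in ("href", "src"):
            if name in kept and not safe_url(kept[name]):
                del kept[name]
        if tag == "img" and "src" not in kept:
            return  # an image without a usable source is dropped entirely
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if self._permitted(tag) and tag != "img":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html, allow_images=True):
    parser = CommentSanitizer(allow_images)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Attribute values reach the filter already entity-decoded by the parser, so an encoded scheme is checked in its decoded form before anything is written back out.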


Heh. I don't often agree with much anildash says, but that up there is good stuff. Plus, if you want to hunt yuppies, I recommend a crossbow for accuracy, stealth and range in the suburbs.
posted by dg at 3:53 PM on May 28, 2007


The 100 most recent photos page appears to be bust at present. I'm getting a "Connection Timeout" error when I go there.
posted by MrMustard at 6:21 AM on May 29, 2007


Unfortunately, this page was a massive resource hog and we took it down.

Aw, nuts.
posted by Alvy Ampersand at 9:21 PM on May 29, 2007


That's a real shame. How about showing the last 50? Or 25?
posted by MrMustard at 11:24 PM on May 29, 2007


And if that can't be done, you may want to remove the link from the sidebar.
posted by MrMustard at 9:40 AM on May 30, 2007


Flickr loves you!
posted by Eideteker at 8:40 AM on June 4, 2007


Recent Flickr Photos by MeFites is back, updated nightly.
posted by pb (staff) at 5:16 PM on June 4, 2007

