Oh, fuck. That said "from the span tag" when I previewed it, with the word "span" in angle brackets. It's gone now, because though I typed the entity names in the new-thread form, and the preview page showed them, the post engine turned them into literal less-than and greater-than characters. Nuts.
posted by nicwolff at 4:47 PM on December 20, 2001

This happened to me a couple of days ago with title attributes. The act of previewing the post stripped off the quotes, so only the first word showed on mouseover.

On second thought, I bet you have to preview *twice* for it to kick in. I seem to recall previewing, making some changes, previewing again, then posting.
posted by gleuschk at 5:04 PM on December 20, 2001

Not allowing a poster to change the background of the entire page seems like a positive feature, not a bug. (unless there's something I'm not picking up here)
posted by skwm at 5:17 PM on December 20, 2001

The tag was to change the background of an image to white, not the whole page. Instead, the image background ended up all blecherous and transparent.
posted by youhas at 5:30 PM on December 20, 2001

Jeez, I have to go out and buy a $600 piece of software to do something in five minutes that CSS would let me do in five seconds?

Actually, though, the bug I'm reporting isn't the filtering of the style attribute, it's the fact that Preview and Post are rendering the comment differently, which is not very user-friendly.

And my real point is that the same code that renders the Post HTML from the URL-encoded form data should be called to render the Preview.
posted by nicwolff at 6:45 PM on December 20, 2001

Posting images shouldn't be a common thing anyway, should it?
posted by timothompson at 7:20 PM on December 20, 2001

Posting images shouldn't be a common thing anyway, should it?

I tend to agree, in general. The topic has been promoted to a thread by owillis here if you have an comment about it.
posted by stavrosthewonderchicken at 8:15 PM on December 20, 2001

Posting images shouldn't be a common thing anyway, should it?

All the more reason to do it right when it's done.
posted by markpasc at 8:19 PM on December 20, 2001

And my real point is that the same code that renders the Post HTML from the URL-encoded form data should be called to render the Preview.

This bugs me too. For instance,I'm afraid to use <blockquote>, because in preview it looks like it breaks the page, even though I understand everything turns out alright once you post it.
posted by mattpfeff at 8:24 PM on December 20, 2001

Using CSS, a few users here showed you can hack an entire page, setting body copy to 250px purple fonts, you can wipe out graphics, etc.

I had to lessen some of the open security holes (there are still many more to tackle), so style, embed, script, and link tags are out now.

I only run the code filter on submission, but could do it during preview as well.
posted by mathowie (staff) at 10:27 PM on December 20, 2001

But there's a difference between the style element and the style attribute, which is what Nic is asking about (right?). I think it's a shame to (essentially) turn off CSS altogther, as opposed to limiting the extent of its effects. The style attribute is limited in scope to the element it's in. A malicious user could mess up a large part of a page by adding CSS to an unclosed DIV, I suppose, but he/she could do that without the CSS anyway.
posted by rodii at 10:34 PM on December 20, 2001

rodii, you have to kill both the style element and the style attribute.

Otherwise, people can do something like this:

<b style="hack friendly code here">foo</b>

Remember that fiasco Kottke had with his comment system? That was after he took out the style tag, people were hacking the site using just the style element.
posted by mathowie (staff) at 10:54 PM on December 20, 2001

rodii: style="margin-bottom: -1000px"
posted by holloway at 3:22 AM on December 21, 2001

rodii: The style attribute is limited in scope to the element it's in.

Let us not forget absolute positioning, among other things.
posted by gleemax at 8:04 AM on December 21, 2001

Point taken. Still, it's a shame to lose so much expressive power because J. Random Butthead can't keep his CSS zipped.
posted by rodii at 6:21 PM on December 21, 2001

Well, it should be possible to let some style declarations through (background-color, color, etc.) and filter others (padding, margin, position, etc.), but the more complex the system is the more loopholes there will be.
posted by Nothing at 11:02 PM on December 21, 2001

Wouldn't the bigger problem be the server resources that would take?
posted by gleemax at 1:58 AM on December 22, 2001

No.
posted by holloway at 2:37 PM on December 26, 2001

You are not logged in, either login or create an account to post comments