CSS-customized user pages January 6, 2006 11:50 AM
CSS-customized user pages: Possible ever again, or nothing more than the fever-dream of a madman? [mi]
Ooh, yeah, the footer is stomping all over your pretty alligator photo.
posted by Plutor at 12:12 PM on January 6, 2006
It's pretty safe to let people specify their own background image.
posted by smackfu at 12:16 PM on January 6, 2006
Perhaps Matt could simply provide a field for the URL of an external CSS file, to be hosted elsewhere. You could then use classes and IDs from that file in your profile page to style it.
posted by kindall at 12:40 PM on January 6, 2006
It's pretty safe to let people specify their own background image.
You're sure about that?
posted by Rothko at 12:43 PM on January 6, 2006
S.C. writes "Because this has worked so well on Myspace."
C'mon; people have done some really cool stuff with their profile pages here.
posted by mr_roboto at 12:52 PM on January 6, 2006
You're sure about that?
We can already inline images, so it's not any riskier.
posted by smackfu at 1:16 PM on January 6, 2006
Hmm, you're right, an external CSS file wouldn't be able to interact with the DOM or cookies, right?
On the other hand, that CSS file might get corrupted or go down.
Another option might be to host the files on a whole other server, like "metafilter-css.com" or something. I think myspace does something like this.
If anyone is going to get attacked, it's myspace with like 30 million users, and they seem to be able to do it (although there was a hack in the past, it seems to be fixed). Whatever they're doing should work here.
posted by delmoi at 1:44 PM on January 6, 2006
Rothko, also that vulnerability has been patched already.
posted by delmoi at 1:44 PM on January 6, 2006
Rothko, also that vulnerability has been patched already
You mean a patch is available. That statement does not imply that the patch is applied on all machines. I love my partner's parents but until I installed antivirus software on their computers they were using the Internet "naked".
Given the commercial self-links that take place here (with increasing frequency) it takes no large stretch of the imagination to see a $5 spammer use his or her account to post an image that would quietly infect lazy Windows users' computers.
posted by Rothko at 1:53 PM on January 6, 2006
Rothko: so what? We still allow inline images, which would be viewed by many more people than an image on a user page.
posted by delmoi at 1:59 PM on January 6, 2006
For that matter, we still allow <A HREF> too, even though an unscrupulous person could create a link to a site that installs malware on a computer that has no protection against such assaults... Matt can only do so much to protect the browsing public from harm, after all.
posted by Gator at 2:07 PM on January 6, 2006
I don't dispute that, but saying it is safe to put images inline is patently untrue. In any case, I would prefer Matt focus on what he can do to keep his server safe, rather than end users.
posted by Rothko at 2:48 PM on January 6, 2006
I think the best approach would be to give each user a bit of space - say 1 meg - to upload photos (and only photos) that they want to use on their account. It can be virus and type checked for safety. Allow an entry box just for css, and run a check to make sure there are no external links in the css, but only links to the preset images. You don't need to pre-designate the space for all users, just create a folder and give it a maximum size through the ftp setup. As long as the server has room for the images that do get loaded, all becomes peachy.
posted by mystyk at 3:42 PM on January 6, 2006
myprofile.exe.bat.pif(1)(1)(1)
posted by fire&wings at 3:43 PM on January 6, 2006
mystyk, at first glance I thought that said:
Allow an entry box just for ass
posted by matildaben at 3:53 PM on January 6, 2006
the problem is (I guess) that you can put javascript in CSS, and you can't do something as simple as blocking the "" tag there (or can you?). You can also link to offsite things.
Any javascript code put into the main DOM could read a user's cookies, and use those cookies to log on as that user, unless metafilter logons are only valid for a certain IP (and even then, if both the user and the attacker used the same proxy...)
posted by delmoi at 4:09 PM on January 6, 2006
I think the best approach would be to give each user a bit of space - say 1 meg - to upload photos (and only photos) that they want to use on their account.
Come now, inline images around this place are to be tolerated, but not encouraged and given webspace for hosting.
(PS custom site-wide CSS for each user would be nice)
posted by Jimbob at 4:14 PM on January 6, 2006
I suggest that saying inline images are to be tolerated is more encouragement than they deserve.
posted by crunchland at 4:20 PM on January 6, 2006
the problem is (I guess) that you can put javascript in CSS, and you can't do something as simple as blocking the "" tag there (or can you?). You can also link to offsite things.
err, I meant the <script> tag.
posted by delmoi at 4:24 PM on January 6, 2006
If anyone is going to get attacked, it's myspace with like 30 million users, and they seem to be able to do it (although there was a hack in the past, it seems to be fixed). Whatever they're doing should work here.
XSS scripting vulnerabilities are found on myspace quite regularly. Their solution is to put a band-aid on the exploit-of-the-day by blocking the phrases they think are "bad" and caused the issue. The result is that it's quite frustrating to do anything there. typing #, for example, will display as .. You can't type unicode characters, nor can you use the &#xx; notation for escaping characters. Sometimes entire paragraphs of text are converted to .. because some regexp caught some random combination of words somewhere in your text.
It's generally not a good idea to let people enter anything they like into a form unescaped and then try to filter out the "bad stuff" later. It's possible to succeed with this approach, although I'd look to livejournal as an example of success, not myspace.
In my opinion, a good solution is a 'fill-in-the-blank' CSS form, in which the responses must match a limited set of choices, OR running the CSS through a parser which keeps an internal representation of the data, only storing what it understands, and then outputting its own version based on the internal representation. Although admittedly it's doubtful that someone's going to write an entire CSS parser so that a user can make his/her homepage purple.
posted by helios at 5:13 PM on January 6, 2006
How about some real features instead of Myspace garbage?
posted by cellphone at 8:51 PM on January 6, 2006
I want custom profiles back. It promotes individuality among other things.
posted by sjvilla79 at 5:35 PM on January 7, 2006
Does anyone know whether there's a way to exploit linking the stylesheet via link rel="stylesheet"? I didn't think that allowed javascript or html.
posted by smackfu at 7:52 PM on January 7, 2006
Yes, they are exploitable. Try it by making a test page and test css file. In your css, add something like:
background: url(javascript:alert('hey'))
and even if you link it via rel=stylesheet, you'll see the alert (in IE, that is).
posted by helios at 8:06 PM on January 7, 2006
Based on this comment, it seems that the <SCRIPT> and <STYLE> tags are filtered out; would it be possible to filter out any instance of "javascript" or "script" in the form submission? (You couldn't do that if the stylesheet were external, I don't think.)
Also in that thread, holloway offered to help with a parser.
posted by Gator at 5:20 AM on January 8, 2006
Thanks for letting us know you're up-to-date on your shots, dude. ;)
posted by Gator at 10:06 AM on January 8, 2006
Based on this comment, it seems that the <SCRIPT> and <STYLE> tags are filtered out; would it be possible to filter out any instance of "javascript" or "script" in the form submission? (You couldn't do that if the stylesheet were external, I don't think.)
Just FYI, that's exactly one of the "band-aids" that myspace tried to prevent people from using script. Turns out that IE parses the word javascript if you break it up into multiple lines.
oops!
this is interesting reading.
posted by helios at 8:42 PM on January 9, 2006
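The allowlisting parser helios describes (store only what the parser understands, then emit its own version), combined with mystyk's earlier idea of permitting url() references only to preset uploaded images, as an added Python example that is not code from this thread or from MetaFilter; ALLOWED_PROPERTIES, the "/img/" path and the sample CSS are constructed for illustration. Because every value is rebuilt from a small grammar rather than scanned for the word "javascript", the split-across-lines trick helios mentions never has to be recognised: it simply fails to parse.

```python
import re
# Constructed allowlist: the only properties a profile stylesheet may set.
ALLOWED_PROPERTIES = {"color", "background-color", "background-image", "font-family",
                      "font-size", "border", "margin", "padding", "text-align"}
_SELECTOR = re.compile(r"^#?[a-zA-Z][a-zA-Z0-9_-]{0,40}$")
_URL = re.compile(r"^url\(\s*['\"]?([a-zA-Z0-9_.-]+)['\"]?\s*\)$", re.I)
_TOKEN = re.compile(r"^(?:#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?"  # hex colour
                    r"|-?\d+(?:\.\d+)?(?:px|em|%)?"            # length
                    r"|[a-zA-Z][a-zA-Z0-9-]*,?)$")             # keyword / font word

def _clean_value(prop, raw, image_names, image_base):
    """Rebuild a value from the grammar above; None if any part is unknown."""
    raw = " ".join(raw.split())  # rejoin a word split across lines or tabs
    m = _URL.match(raw)
    if m:
        # url() is rebuilt only from a preset image name; javascript:, data:
        # and off-site http: references can never match and are dropped.
        if prop == "background-image" and m.group(1) in image_names:
            return f'url("{image_base}{m.group(1)}")'
        return None
    tokens = raw.split(" ")
    if len(tokens) <= 4 and all(_TOKEN.match(t) for t in tokens):
        return " ".join(tokens)
    return None  # parentheses, backslash escapes and quotes all end up here

def sanitize_css(css, image_names, image_base="/img/"):
    """Emit only the (selector, property, value) triples the allowlist understands."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)  # comments carry no style
    rules = []
    for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
        selector = selector.strip()
        if not _SELECTOR.match(selector):  # also drops an @import before a block
            continue
        decls = []
        for decl in body.split(";"):
            prop, sep, raw = decl.partition(":")
            prop = prop.strip().lower()
            if sep and prop in ALLOWED_PROPERTIES:
                value = _clean_value(prop, raw.strip(), image_names, image_base)
                if value is not None:
                    decls.append(f"{prop}: {value};")
        if decls:
            rules.append(f"{selector} {{ {' '.join(decls)} }}")
    return "\n".join(rules)

# Constructed sample: a legitimate rule, the url(javascript:) trick from the
# thread, the same word split across two lines, and an expression() value.
SAMPLE_CSS = """body { background-image: url(alligator.jpg); color: #abc; }
#profile { background: url(javascript:alert('hey')); border: 1px solid red; }
h1 { background-image: url(java
script:alert(1)); font-size: expression(alert(1)); }"""
IMAGE_NAMES = {"alligator.jpg"}
```

Running `sanitize_css(SAMPLE_CSS, IMAGE_NAMES)` keeps the body rule and the border, and drops every declaration it cannot rebuild, so nothing an unrecognised browser quirk could interpret ever reaches the page.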
There are certainly more important, more popular, and more useful things for you to work on. All I'm asking is that you'll put it on the to-do list, even if it's way down at the bottom.
posted by Gator at 11:50 AM on January 6, 2006