Ex-Image Formatting November 18, 2006 4:21 PM
Since you're already stripping out the image tag code (like on this post), why not either change it to a link or drop the whole line entirely? The code that's left is unsightly.
[photo of someone dental flossing his ears]
posted by pyramid termite at 4:32 PM on November 18, 2006
Hi!
posted by Ceiling Cat at 4:36 PM on November 18, 2006
I think the current filtering code was a quick hack in response to mock's XSS demo, and that Matt is working on proper parsing code.
posted by Rhomboid at 4:54 PM on November 18, 2006
Just hyperlink 'em. Using the FF extension Text to Image totally rocks and solves the problem.
posted by moonbird at 4:57 PM on November 18, 2006
Um, you're missing the point of this post entirely.
posted by Rhomboid at 4:59 PM on November 18, 2006
Problem is that IMG tag works in Live Preview, but not in normal preview or a post.
posted by smackfu at 5:20 PM on November 18, 2006
yeah, it was just a quick xss fix. I'll clean it up.
Also, if anyone has an idea how to filter the img tag from the live preview, that'd be good.
posted by mathowie (staff) at 5:21 PM on November 18, 2006
Problem is that IMG tag works in Live Preview, but not in normal preview or a post.
Live preview doesn't do any filtering at all. You can do all sorts of nastiness there (< SCRIPT>, CSS styles, etc) that will be filtered out when you post. So the IMG tag isn't unique at all there.
posted by Rhomboid at 5:34 PM on November 18, 2006
Also, if anyone has an idea how to filter the img tag from the live preview, that'd be good.
You could try instead of this:
if(isIE){ getEl("prevDiv").innerHTML="<div>"+getEl("comment").value.replace(/(\n|\r)/g,'<br/>').replace(/(<br\/><br\/>)/g,'<br/>')+"</div>" }
else{ getEl("prevDiv").innerHTML="<div>"+getEl("comment").value.replace(/(\n|\r)/g,'<br>')+"</div>" }
Something like this:
// Same line-break handling as before (IE keeps the self-closing form and collapses doubled breaks), plus a crude <img> strip for the preview only.
var br = isIE ? '<br/>' : '<br>';
var html = "<div>" + getEl("comment").value.replace(/(\n|\r)/g, br).replace(/<\s*img[^>]+>/gi, "[IMG tag disabled]") + "</div>";
getEl("prevDiv").innerHTML = isIE ? html.replace(/(<br\/><br\/>)/g, '<br/>') : html;
This is far from bulletproof in that it does tag replacement with a RE but it doesn't matter too much since it's just for preview, the real filtering is still done server-side.
posted by Rhomboid at 5:50 PM on November 18, 2006
I know I missed it when it happened but why did the img tag get axed in the first place? Just wondering.
posted by iconjack at 6:27 PM on November 18, 2006
We were having too much fun with it, so Matt took it away.
posted by interrobang at 6:30 PM on November 18, 2006
It's in his desk drawer, next to our yo-yos, science fiction comic books, and wind-up chattering teeth. If you want to help me get it back, meet me behind the school at 3 o'clock.
posted by interrobang at 6:32 PM on November 18, 2006
I know I missed it when it happened but why did the img tag get axed in the first place? Just wondering.
Good question! Why don't you make a MetaTalk post about it?
posted by timeistight at 6:38 PM on November 18, 2006 [1 favorite]
No, no, interrobang. It's because crunchland's bitching finally worked. Take it as a lesson: if you bitch long enough, you will win. But you have to be really committed. Try it out!
posted by dame at 6:43 PM on November 18, 2006
Can someone explain it to me what EXACTLY we are protecting ourselves from by blocking images (besides, you know, the guy fucking a chicken)?
That's about it, right?
posted by taosbat at 7:10 PM on November 18, 2006
That was the excuse, yeah.
posted by interrobang at 7:15 PM on November 18, 2006
God, I miss that dancing squirrel playing a harmonica.
posted by Alvy Ampersand at 7:22 PM on November 18, 2006
Also, since this thread's original issue has been addressed and I'm pretty sure another Yeah Pix!/Nay Pix! thread isn't all that necessary, let's discuss this thread.
An interesting and heartbreaking story, the thread is marred by the usual sanctimony and indignance pissing contests.
posted by Alvy Ampersand at 8:14 PM on November 18, 2006
Self righteousness is a defining feature of metafilter. Fistulas are less entertaining.
posted by econous at 8:23 PM on November 18, 2006
Live preview doesn't do any filtering at all.
and thus, though i didn't think it was possible, becomes even less live and less a preview. mefi is such grand entertainment sometimes!
posted by quonsar at 8:46 PM on November 18, 2006
Since you're already stripping out the image tag code (like on this post), why not either change it to a link or drop the whole line entirely? The code that's left is unsightly.
Ok, I'll get right on that. Oh, wait, you weren't addressing me. Hmm, I guess I somehow must have stumbled upon a private email exchange... No, wait, it's on the front page of MeTa. Hmm, must be that fancy new 2nd person perspective that everyone is talking about on the intertubes.
posted by blue_beetle at 8:51 PM on November 18, 2006
That comment of mathowie's you linked to is completely wrong. Specifically, that php file grabs any and all cookie data from the metafilter user, since the script is run within an image tag on the metafilter.com site is totally incorrect. The browser presents the cookies of the site the image is hosted AT, not where it was linked FROM. If you control http://yourserver.com/omg/haha-funnier-than-FARK.jpg then the only cookies you see in the request are the ones set by yourserver.com. I really hope we didn't go through this whole ordeal because of THAT misconception.
posted by Rhomboid at 9:05 PM on November 18, 2006
I really hope we didn't go through this whole ordeal because of THAT misconception.
I thought we went through it because you posted an image that made anyone who saw it favorite your comment.
posted by smackfu at 9:31 PM on November 18, 2006
Waitaminute, someone here fucked a chicken?
posted by homunculus at 9:38 PM on November 18, 2006
mathowie can't regex his way out of a paper bag — we can't use the lowercase letters {s,r,c} concatenated together in that order, in a comment or post on this here community weblog. It's a good thing those three letters don't appear in that order with any frequency in the english language.
If we're going to not have inline images (which is okay by me), <img> tags should be getting transformed server-side into something useful, not mangled incompetently. Maybe something like:
<IMG SRC="http://goatse.cx/hello.jpg" title="gaping asshole">
turns into
<div class="image">
<IMG SRC="http://metafilter.com/littleImageIcon.png">
<a href="http://goatse.cx/hello.jpg">gaping asshole</a>
</div>
with a little bit of differentiating style applied to the image class in the css. In the absence of a title tag, the link text would be the image URL. Having them in their own div would make it super retardedly easy to do inlining in greasemonkey.
posted by blasdelf at 10:07 PM on November 18, 2006
I thought we went through it because you posted an image that made anyone who saw it favorite your comment.
Yes, and Matt subsequently fixed that problem the same day by switching from GET to POST. That doesn't give people an excuse to parade around untrue myths about how cookies work.
posted by Rhomboid at 10:37 PM on November 18, 2006 [1 favorite]
Woah woah woah. I thought the problem was people doing something like this:
<img ="http://www.metafilter.com/favorite.mefi?comment=360647">
It used to be that if someone did something like that, every person who viewed the page would favorite comment 360647. That was the problem, but now it's fixed.
Still I'm not sure I really want the image tag back, there were a lot of threads I think people would have just shoved images into that otherwise ended up having a conversation, for better or for worse.
posted by delmoi at 11:01 PM on November 18, 2006
mathowie can't regex his way out of a paper bag — we can't use the lowercase letters {s,r,c} concatenated together in that order
Woah, you're right.
posted by delmoi at 11:02 PM on November 18, 2006
You can still say src with the help of your friend U+200B.
posted by Rhomboid at 11:21 PM on November 18, 2006
Y'all shore dew tawk funny...
'N how come there ain't no pikchers here on Metrofilter no more?
posted by flapjax at midnite at 12:00 AM on November 19, 2006
It's in his desk drawer, next to our yo-yos, science fiction comic books, and wind-up chattering teeth.
So that's where my yo-yos, science fiction comic books, and wind-up chattering teeth went! Damn you, mathowie!
*weeps bitter tears, vows revenge*
posted by languagehat at 6:29 AM on November 19, 2006
mathowie can't regex his way out of a paper bag
fricken hilarious...
posted by quonsar at 7:14 AM on November 19, 2006
Oh, this must be the annual quonsar chest-thump about how he'd use his skillz to code up a real website, if only Matt would stop making him visit this one.
posted by Mid at 8:47 AM on November 19, 2006
Perhaps a better way to deal with the img tag is to automatically replace the image location with a metafilter hosted jpg that explains why IMG tags are not allowed.
At least it might cut down on the number of img-related threads in MetaTalk.
posted by tkolar at 9:33 AM on November 19, 2006
holy shit, we really can't put s r c together. that's nuts.
posted by shmegegge at 3:41 PM on November 19, 2006
there goes my post about detroit rock and roll in the 60s, damn it ...
posted by pyramid termite at 3:42 PM on November 19, 2006
THE JOYS OF THE LETTER R IN UNICODE:
{r, ŕ, ŗ, ř, ʀ, ʁ, ɼ, ɺ, ɹ} — The standard latin set
{Ꭱ, Ꮢ} — R-like characters in Cherokee
{ᴙ, ᴚ, ᵣ, ᶉ} — IPA
{ṙ, ṛ, ṝ, ṟ} — Latin Extended
{ℛ, ℜ} — Letter-like forms (the blackletter one is ℜ)
{⒭, ⓡ} — enclosed alphanumerics
{𝐫, 𝑟, 𝒓, 𝓇, 𝓻, 𝔯, 𝕣, 𝖗, 𝗋, 𝗿, 𝘳, 𝙧, 𝚛} mathematical alphanumerics
(has a lot of small r characters, but font presence is unlikely)
{ｒ} — fullwidth (used with CJK)
<img sṛc="http://goatse.cx/hello.jpg">
posted by blasdelf at 6:12 PM on November 19, 2006
gah! I meant to say that the blackletter one is {& real ;} but the site transforms {& amp ;} into a real &.
posted by blasdelf at 6:15 PM on November 19, 2006
&
ℜ
src
U+200B is where it's at. No fake r's here.
posted by Rhomboid at 6:26 PM on November 19, 2006
ZERO WIDTH SPACE [] (U+200B)
On my mac, your beloved U+200B prints as a not-quite-full-width space in Verdana, so it doesn't work
Fortunately, there are a multitude of awesome characters in Unicode for our uses:
HAIR SPACE [ ] (U+200A)
NARROW NO-BREAK SPACE [ ] (U+202F)
ZERO WIDTH NO-BREAK SPACE [] (U+FEFF)
WORD JOINER [] (U+2060)
ZERO WIDTH JOINER [] (U+200D)
ZERO WIDTH NON-JOINER [] (U+200C)
LEFT-TO-RIGHT MARK [] (U+200E)
<img src="http://goatse.cx/hello.jpg">
posted by blasdelf at 9:16 PM on November 19, 2006
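An added example (my code, not MetaFilter's) of the server-side transform blasdelf proposed earlier, done at the tag level rather than by hunting for the letters "src", so the look-alike r's and the invisible characters listed in the last few comments make no difference: tag and attribute names are canonicalised with NFKD, stripped of combining marks and format characters, and compared after that, while the URL value is kept verbatim and only linked if it is a plain http(s) URL. The icon URL is the one suggested in the thread; the function names are assumptions, and as Rhomboid says of regex tag handling, a real implementation should sit on an HTML parser.

```javascript
const ICON = "http://metafilter.com/littleImageIcon.png";   // from the thread

// Fold compatibility forms (NFKD), drop combining marks (so ṛ -> r) and
// format characters (Cf covers the zero-width family), then lower-case.
function canon(s) {
  return s.normalize("NFKD").replace(/[\p{M}\p{Cf}]/gu, "").toLowerCase();
}

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Pull name="value" pairs out of a tag body; names canonicalised, values raw.
function attrs(body) {
  const out = {};
  const re = /([^\s=/>]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (let m; (m = re.exec(body)) !== null;) {
    out[canon(m[1])] = m[2] ?? m[3] ?? m[4];
  }
  return out;
}

// Only a plain absolute http(s) URL is linked; anything else fails closed.
function safeUrl(u) {
  const t = u.trim();
  return /^https?:\/\/[^\s"'<>]+$/i.test(t) ? t : null;
}

// Rewrite every <img ...> (however its name or attributes are spelled)
// into the div/icon/link form; other tags pass through untouched.
function transformImages(html) {
  return html.replace(/<\s*([^\s/>]+)([^>]*)>/g, (whole, name, body) => {
    if (canon(name) !== "img") return whole;
    const a = attrs(body);
    const url = a.src === undefined ? null : safeUrl(a.src);
    if (url === null) return "[image removed]";
    const text = escapeHtml(a.title && a.title.trim() ? a.title : url);
    return '<div class="image"><img src="' + ICON + '">' +
           '<a href="' + escapeHtml(url) + '">' + text + '</a></div>';
  });
}
```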
So much for Quonsar's leet mad programming skillz. His program is twice as long as it needed to be.
10 GOTO 10 would have sufficed.
posted by crunchland at 9:36 PM on November 19, 2006
Putting a cap in Quonsar has always been a dream of mine.
posted by crunchland at 4:20 AM on November 21, 2006