It's annoying. September 13, 2007 9:18 PM

Is there a reason that we're allowing the blink tag?
posted by Afroblanco to Bugs at 9:18 PM (288 comments total) 67 users marked this as a favorite

NO
posted by The Deej at 9:24 PM on September 13, 2007 [2 favorites]


It's a measure of one's patience.
posted by carsonb at 9:25 PM on September 13, 2007


Nobody's figured out how to turn it into a security exploit.
posted by carsonb at 9:28 PM on September 13, 2007 [1 favorite]


it's bomb, man - even in iran they love to play with it every now and then - even george likes to fool with it once in awhile but they keep that top secret
posted by pyramid termite at 9:29 PM on September 13, 2007 [17 favorites]


FNORD
posted by nasreddin at 9:31 PM on September 13, 2007 [1 favorite]


Trippy.
posted by nasreddin at 9:32 PM on September 13, 2007


Because mathowie needed 20 bucks.
posted by carsonb at 9:36 PM on September 13, 2007 [4 favorites]


We like the shiny things.
posted by SassHat at 9:37 PM on September 13, 2007


No, IT'S GHEY!
posted by dhammond at 9:38 PM on September 13, 2007


We have very few ways to express ourselves visually anymore. We can't have images. We can't do anything fancy with html. Blink is okay. We need some kind of outlet.
posted by blacklite at 9:40 PM on September 13, 2007 [2 favorites]


But my own personal reason is just to piss you off. 
props

posted by carsonb at 9:41 PM on September 13, 2007


I'll trade you a blink tag for the img tag any day.
posted by caddis at 9:42 PM on September 13, 2007


We allow it because people who really care will go to about:config and switch it off at home.

Yes, people who really care about their browsing experience are using firefox.
posted by jacalata at 9:50 PM on September 13, 2007 [1 favorite]


blink is like cilantro.

Use it sparingly, no one wants to eat a whole bowl of freaking cilantro for breakfast.
posted by mathowie (staff) at 9:50 PM on September 13, 2007 [17 favorites]


$20SAIT.

No, it doesn't blink. I hate the blinking.
posted by Kwine at 9:50 PM on September 13, 2007


b1tr0t : what's a blink tag?

It's where everything reads like a Malcolm Gladwell article.
posted by Slack-a-gogo at 9:52 PM on September 13, 2007 [1 favorite]


blink is like cilantro.

Use it sparingly, no one wants to eat a whole bowl of freaking cilantro for breakfast.


And some of us find it completely disgusting no matter how small an amount there is. It tastes like soap!

I like the blink tag, though.
posted by interrobang at 9:55 PM on September 13, 2007 [1 favorite]


what's a blink tag?

$20, same as in town.

Obviously.
posted by timeistight at 9:57 PM on September 13, 2007 [2 favorites]


Blinkr.com -- it's Blink 2.0. With gradients! That blink!
posted by stavrosthewonderchicken at 9:58 PM on September 13, 2007 [1 favorite]


We'll see who blinks first.
posted by Blazecock Pileon at 10:01 PM on September 13, 2007


Because it's the future of web design.
posted by champthom at 10:02 PM on September 13, 2007


The painful part about the blink tag is when you print the page. You have to time it just right so that it prints when the text is on rather than off. I have to print it several times sometimes before I get a good one.
posted by George_Spiggott at 10:11 PM on September 13, 2007 [11 favorites]


marquee is much better
posted by ALongDecember at 10:12 PM on September 13, 2007


aw, they disabled it. that's it, logging out
posted by ALongDecember at 10:13 PM on September 13, 2007



posted by carsonb at 10:18 PM on September 13, 2007 [6 favorites]


We should bring back the big tag.
posted by tehloki at 10:25 PM on September 13, 2007


although small is fun too.
posted by tehloki at 10:26 PM on September 13, 2007


Yes, because the blink tag is a HUGE problem. It's so clearly overused that I can't read a single thread without being bombarded by blink tags.

STOP RUINING FUN!
posted by shmegegge at 10:50 PM on September 13, 2007 [4 favorites]


Use it sparingly, no one wants to eat a whole bowl of freaking cilantro for breakfast.

Chiang Mai. 3 weeks ago. Mrs. dreamsign and I are sitting across from a single diner, who starts talking to her waiter about cilantro, so, you know, we figure it was the please-god-no-freaking-cilantro conversation and thought nothing more of it. Till her bowl of cilantro arrived and she started grazing on it.

*shudder*

Not breakfast, though.
posted by dreamsign at 11:02 PM on September 13, 2007


Looking at this thread is like looking at a very special For Better or For Worse. (ovo)
posted by maxwelton at 11:30 PM on September 13, 2007 [4 favorites]


too bad Instant Messaging doesn't have a blink tag. OTOH, MetaFilter doesn't have emoticons.
posted by Cranberry at 11:45 PM on September 13, 2007


Thank you for starting a thread mentioning blink tags. There doesn't seem to be enough use of it. It's fun to see how people will/have use it.

Although I agree about the marquee tag. Where's nobody when you need him/her/it?
posted by philomathoholic at 12:36 AM on September 14, 2007


Is there a reason that we're allowing the blink tag?

Because nobody likes you.
posted by dirigibleman at 1:24 AM on September 14, 2007 [1 favorite]


Is there a reason that we're allowing the blink tag?

BECAUSE IT'S THE ONLY AWESOME THING WE HAVE LEFT YOU UNRELENTING FUCKSTICK OF A FETID BASTARD GIMP WHORESON.
posted by loquacious at 1:31 AM on September 14, 2007 [16 favorites]


Use it sparingly, no one wants to eat a whole bowl of freaking cilantro for breakfast.

Except me, apparently! I fucking love the stuff in all of its forms, especially the stems.

And I also like the >blink< tag, thank you very much. It's pretty innocent, unlike <big>… (which used to be nestable and fully legit)
posted by blasdelf at 2:42 AM on September 14, 2007


Just blink your eyes once a second and you won't notice it.
posted by Eideteker at 3:31 AM on September 14, 2007 [4 favorites]


Because we need a mechanism to distinguish who has an ounce of self-control, and who doesn't.
posted by Dave Faris at 3:48 AM on September 14, 2007 [4 favorites]


This artificial removal of features and demanding money to have them turned back on is not entirely unlike having to pay for mobile phone ring tones of songs you already own.
posted by public at 4:46 AM on September 14, 2007


The negative reinforcement for non-clever use of the blink tag is sufficiently severe that I really, really don't think we need to worry about its over-use.

Seriously, you think Comic Sans has it rough? Somebody just did a callout on meTa about a single not very annoying use of blink.

I used to mentor a guy who was always trying to get me to use blink. Sometimes I even thought he was serious about it.
posted by lodurr at 6:04 AM on September 14, 2007


No way I could have ever predicted that when I opened this thread that half the people posting in it would use the blink tag. You guys slay me with your crazy craziness!
posted by iconomy at 6:09 AM on September 14, 2007 [6 favorites]


blink is like cilantro.

Use it sparingly, no one wants to eat a whole bowl of freaking cilantro for breakfast.


I can't possibly see how the blink tag makes this a better site. However, it's your site, so I'm not going to argue.
posted by Afroblanco at 6:27 AM on September 14, 2007


C:\>metafilter.exe
posted by Avenger at 6:31 AM on September 14, 2007 [17 favorites]


I can't possibly see how the blink tag makes this a better site.

I suspect this is because you are humorless.
posted by OmieWise at 6:42 AM on September 14, 2007 [3 favorites]


This post is epilepsy inducing.









To save you the time,
Metafilter: epilepsy inducing.

posted by nursegracer at 7:00 AM on September 14, 2007


Requiem for <blink>
posted by cortex (staff) at 7:05 AM on September 14, 2007


Hypnotic emphasis, that's why.


Sleepy, you are getting so sleepy...


Give me your sock puppets....

posted by klangklangston at 7:21 AM on September 14, 2007 [1 favorite]


It takes practice, but if you catch the rhythm and blink synchronously, you won't notice the blink. Depending on your timing, you then have two options--to read the blinking comments as if they were not blinking, or avoid them altogether.
posted by weapons-grade pandemonium at 8:03 AM on September 14, 2007


Gone in the blink of an eye?
posted by carsonb at 8:14 AM on September 14, 2007


Ugh. This thread tastes like soap.
posted by Dave Faris at 8:24 AM on September 14, 2007 [1 favorite]


Because we need a mechanism to distinguish who has an ounce of self-control, and who doesn't.

You may have a point there Dave Faris
posted by Mister_A at 8:28 AM on September 14, 2007


Yes, but it should not have been used in that thread
posted by 517 at 8:32 AM on September 14, 2007


Is there a reason that we're allowing the blink tag?

BECAUSE THIS THREAD WOULD BE USELESS WITHOUT THE BLINK TAG
posted by quonsar at 9:19 AM on September 14, 2007 [3 favorites]


I say we set up a donation pool for blink and noblink and buy the metafilter server a jacuzzi or whatever the kids like soaking in these days.
posted by cowbellemoo at 9:27 AM on September 14, 2007


Stupid question: I'm not seeing any blinking. I'm on IE6 at work. Do work filters block the blink tag, or am I just lucky?
posted by brain_drain at 9:42 AM on September 14, 2007


It's IE6. I don't see 'em either, at work.
posted by cortex (staff) at 9:49 AM on September 14, 2007


IE doesn't support the blink tag.
posted by iconomy at 9:50 AM on September 14, 2007


BECAUSE IT'S THE ONLY AWESOME THING WE HAVE LEFT

Images... sniff sniff...
Big tag... sniff sniff...

Truly the blink tag is the last remaining way to stick your dick in the mashed potatoes.
posted by scarabic at 9:55 AM on September 14, 2007 [1 favorite]


Just prior to clicking on this thread, I made a guess that fully 50% of the comments would be blinking. I was close.
Login: metafilter
Password: |
posted by quin at 10:07 AM on September 14, 2007


[nonblink] I'll lower the percentage by commenting every time someone uses the blink tag. Except for right now. Because right now it's time to go get chai and sammiches. [/nonblink]
posted by iconomy at 10:21 AM on September 14, 2007


I can't possibly see how the blink tag makes this a better site.

Obviously you've never been part of the dark silent circle that is baby on grown-up violence.

How many more must suffer to satisfy your humorlessness?!?
posted by Alvy Ampersand at 10:31 AM on September 14, 2007


Because it's FUCKING AWSOME.
posted by delmoi at 11:25 AM on September 14, 2007


delmoi misspelled AWESOME.

Ha Ha
posted by wendell at 11:39 AM on September 14, 2007


->O O< -/blink>
posted by Lynsey at 11:53 AM on September 14, 2007


->O O< - /blink>
posted by Lynsey at 11:53 AM on September 14, 2007


oy
posted by Lynsey at 11:54 AM on September 14, 2007


DEFINATELY HA HA
posted by carsonb at 11:54 AM on September 14, 2007


NOOOOOO!!!!
posted by Pollomacho at 12:02 PM on September 14, 2007


Wait to ruin it for everyone afrononblinka.
posted by jeffamaphone at 12:12 PM on September 14, 2007


It's a neat tag that, if not stopped, could take over the whole page.
posted by Pope Guilty at 12:16 PM on September 14, 2007


Damnation, posting closes it.
posted by Pope Guilty at 12:29 PM on September 14, 2007


Please, please, please work.
posted by Gary at 12:54 PM on September 14, 2007 [61 favorites]


You're my new hero, Gary.
posted by iconomy at 12:58 PM on September 14, 2007


Well dang, that's a neat trick
posted by yhbc at 1:01 PM on September 14, 2007


Arrgh! No colors and fonts for the pilers-on!
posted by yhbc at 1:01 PM on September 14, 2007


Oh shit!
posted by cortex (staff) at 1:03 PM on September 14, 2007 [5 favorites]


Off with his head!
posted by Dave Faris at 1:03 PM on September 14, 2007


Did it work this time?
posted by yhbc at 1:05 PM on September 14, 2007


Muahahahahaha.

That is all

posted by Alvy Ampersand at 1:05 PM on September 14, 2007


DAMMIT!
posted by Alvy Ampersand at 1:05 PM on September 14, 2007


That woulda been super creepy in red courier.
posted by Alvy Ampersand at 1:06 PM on September 14, 2007


Can I do that too?
posted by Brandon Blatcher at 1:11 PM on September 14, 2007


what about now?
posted by Brandon Blatcher at 1:11 PM on September 14, 2007


Okay, one more try.
posted by yhbc at 1:12 PM on September 14, 2007


* gives up *
posted by yhbc at 1:13 PM on September 14, 2007


NOW?!!
posted by Brandon Blatcher at 1:13 PM on September 14, 2007


Huh. Interesting.
posted by dersins at 1:15 PM on September 14, 2007


BRAINS!
posted by carsonb at 1:17 PM on September 14, 2007 [11 favorites]


I'm pretty sure I see what you did there.
posted by cortex (staff) at 1:18 PM on September 14, 2007 [7 favorites]


holy sweet broken html
posted by carsonb at 1:18 PM on September 14, 2007


Yep. Admirable work, btw.
posted by cortex (staff) at 1:19 PM on September 14, 2007 [6 favorites]


t e s t
posted by iconomy at 1:20 PM on September 14, 2007


grrr
posted by iconomy at 1:20 PM on September 14, 2007


al vy ampersand i am to be in your base and killing you are dudes

you have no hope to survive make your time_

posted by lodurr at 1:22 PM on September 14, 2007 [1 favorite]


Stop it hurts!
posted by Brandon Blatcher at 1:22 PM on September 14, 2007 [2 favorites]


damn, couldn't even get the monospace to take...
posted by lodurr at 1:23 PM on September 14, 2007


<b title=' 'style="font-family: comic sans ms; font-color: #00ff00;">Please, please, please work.</b>
posted by carsonb at 1:23 PM on September 14, 2007


oh hai, me try out new codez
posted by Brandon Blatcher at 1:23 PM on September 14, 2007 [2 favorites]


Dammit!
posted by Alvy Ampersand at 1:25 PM on September 14, 2007


<b title=' 'style="font-family: comic sans ms; font-color: #00ff00;">Please, please, please work.</b>

There it is.
posted by carsonb at 1:26 PM on September 14, 2007


Now, someone please tell me how to rig a URL to get custom contacts relationships.
posted by carsonb at 1:27 PM on September 14, 2007


You realize we're going to fix this, though, right?
posted by cortex (staff) at 1:28 PM on September 14, 2007 [2 favorites]


CSS not stripped?
posted by klangklangston at 1:28 PM on September 14, 2007


yes, but wants to play in meantime.
posted by Brandon Blatcher at 1:29 PM on September 14, 2007 [1 favorite]


party pooper
posted by lodurr at 1:29 PM on September 14, 2007


For serial hmm?
posted by klangklangston at 1:29 PM on September 14, 2007


Don't fix it until I figure it out.
posted by yhbc at 1:30 PM on September 14, 2007


Oh, view source, you cruel mistress...
posted by klangklangston at 1:30 PM on September 14, 2007


One more try.
posted by yhbc at 1:30 PM on September 14, 2007


see?
posted by Brandon Blatcher at 1:32 PM on September 14, 2007 [3 favorites]


CSS not stripped?

It's not stripped because it's 'malformed.' You run the one attribute right up against the closing ' of the previous attribute, which is poor form but apparently parsable.
posted by carsonb at 1:32 PM on September 14, 2007 [2 favorites]


Hmm? Preview?
posted by klangklangston at 1:33 PM on September 14, 2007


Props to Gary, it's a good trick.
posted by carsonb at 1:34 PM on September 14, 2007


And yet, I still can't seem to get it by...
posted by klangklangston at 1:35 PM on September 14, 2007


wants mores
posted by Brandon Blatcher at 1:36 PM on September 14, 2007 [2 favorites]


Holy shit, I think you can even get
  • images
posted by carsonb at 1:40 PM on September 14, 2007 [16 favorites]


i is getting it nowz_
posted by lodurr at 1:41 PM on September 14, 2007 [1 favorite]


Oops, sorry.
posted by carsonb at 1:42 PM on September 14, 2007


Who's gonna be the first to bring this magic to the blue or green?
posted by inigo2 at 1:42 PM on September 14, 2007


I swear that wasn't me.
posted by lodurr at 1:42 PM on September 14, 2007


  • Images
posted by carsonb at 1:45 PM on September 14, 2007


Ha!
posted by Blazecock Pileon at 1:47 PM on September 14, 2007


Well, so much for html 'round these parts.
posted by carsonb at 1:48 PM on September 14, 2007


Hey, BP, you blocked my elephant!
posted by brain_drain at 1:49 PM on September 14, 2007


no put on blue or green.

cool beans
posted by Brandon Blatcher at 1:50 PM on September 14, 2007 [2 favorites]


I'm guessing the elephant was pissed about it.
posted by Blazecock Pileon at 1:50 PM on September 14, 2007


I'm working on a fix. Please no images.
posted by mathowie (staff) at 1:52 PM on September 14, 2007


lol

breakin' shit.
posted by carsonb at 1:53 PM on September 14, 2007


Oh, OK.
posted by carsonb at 1:53 PM on September 14, 2007


Oy, mathowie, I fudged something in a <ul&gt up there and broke the back end of my comment and front end of lodurr's.
posted by carsonb at 1:56 PM on September 14, 2007


Sweet cheebus, I can't get anything right. "<ul>"
posted by carsonb at 2:00 PM on September 14, 2007


I can't believe I'm fixing broken quotes on exploits so that the exploits don't get broken.
posted by cortex (staff) at 2:19 PM on September 14, 2007 [23 favorites]


Testing some regex behavior.
posted by cortex (staff) at 2:20 PM on September 14, 2007 [1 favorite]


Sweet Zombie Cortex!
posted by EndsOfInvention at 2:21 PM on September 14, 2007


Well this is fun.
posted by Rhomboid at 2:22 PM on September 14, 2007


top: 100px; left: 300px; width: 200px; border: thin solid yellow; font-size: 34px; padding: 2px; border-left: 2pt dotted #yellow; padding: 10px; ">All gone?
posted by Brandon Blatcher at 2:24 PM on September 14, 2007 [1 favorite]


Uh oh. Sry!
posted by Brandon Blatcher at 2:25 PM on September 14, 2007


I can't believe no one's done this yet.
posted by 6550 at 2:25 PM on September 14, 2007


Weak, in preview it was blinking green comic sans.
posted by 6550 at 2:25 PM on September 14, 2007


How about now.
posted by 6550 at 2:26 PM on September 14, 2007


I'm done.
posted by 6550 at 2:27 PM on September 14, 2007


It's the end of a 90-minute golden age.
posted by brain_drain at 2:28 PM on September 14, 2007 [3 favorites]


Test
posted by Rhomboid at 2:34 PM on September 14, 2007 [11 favorites]


Again.

And again.
posted by cortex (staff) at 2:44 PM on September 14, 2007


Still vulnerable.
posted by Rhomboid at 2:44 PM on September 14, 2007


Yet again.

Further.
posted by cortex (staff) at 2:45 PM on September 14, 2007 [2 favorites]


Yeah, I don't think we've actually plugged any holes yet; 6550 is just suffering from a vitamin win deficiency.
posted by cortex (staff) at 2:46 PM on September 14, 2007 [2 favorites]


Nice smiley face.
posted by Blazecock Pileon at 2:49 PM on September 14, 2007


I goofed up and included right:50px which makes it have too much width, obscuring the "New Post My Profile ..." line.
posted by Rhomboid at 2:51 PM on September 14, 2007


yeah, still working on this -- it's a tough fix.
posted by mathowie (staff) at 3:00 PM on September 14, 2007


Man, my recent activity page is so annoying to look at right now.
posted by dersins at 3:04 PM on September 14, 2007


Very annoying.
posted by Rhomboid at 3:10 PM on September 14, 2007 [12 favorites]


Fuckface.
posted by dersins at 3:16 PM on September 14, 2007


OMG who put the smiley face on the mefi logo?
posted by dersins at 3:16 PM on September 14, 2007 [6 favorites]


Blinking green comic sans: destroyer of internets.
posted by Tehanu at 3:17 PM on September 14, 2007


Drat.
posted by Tehanu at 3:17 PM on September 14, 2007


Damn, I wish I knew enough to get in on the fun. But I'm enjoying watching the HTML burn redly in the late-summer light...
posted by languagehat at 3:18 PM on September 14, 2007


OMG who put the smiley face on the mefi logo?

And to think I can't even vandalize my own comment.
posted by Tehanu at 3:18 PM on September 14, 2007


I think it's fixed now, if you want to check, just try the preview, or go ahead and post I guess.
posted by mathowie (staff) at 3:32 PM on September 14, 2007


I'm breakin' out of my confines and heading into the margins. So much fun.
posted by Rhomboid at 3:43 PM on September 14, 2007 [18 favorites]


crap, the new code was crushing the CPU, so we're working on it again...
posted by mathowie (staff) at 3:52 PM on September 14, 2007


Nice.
posted by quin at 3:57 PM on September 14, 2007



posted by Brandon Blatcher at 3:57 PM on September 14, 2007 [4 favorites]


Help, where am i?
posted by Brandon Blatcher at 3:58 PM on September 14, 2007


Whoa, brandon broke the rest of the page.

Wtf, I napped right through all the fun.
posted by ninjew at 3:58 PM on September 14, 2007


This is normal code, no style.
posted by Brandon Blatcher at 3:58 PM on September 14, 2007


Ok, not nice anymore.
posted by quin at 3:58 PM on September 14, 2007


*sigh*

And this is exactly why we can't have nice things.
posted by quin at 4:01 PM on September 14, 2007


Brandon, stop dude. I'm working on it.
posted by mathowie (staff) at 4:02 PM on September 14, 2007


Ok, apologies.
posted by Brandon Blatcher at 4:04 PM on September 14, 2007


GIANT QUONSAR TAGS GALORE
posted by quonsar at 4:12 PM on September 14, 2007


BAN EVERYONE
posted by quonsar at 4:13 PM on September 14, 2007 [3 favorites]


OMFG IT'S FUN! THERE'S FUCKING FUN BEING HAD ON MEFI! MATHOWIE IS GONNA HAVE A COW. FUN IS NOT PERMITTED ON THIS SITE.
posted by quonsar at 4:14 PM on September 14, 2007


U Fks
posted by Sk4n at 4:21 PM on September 14, 2007


OMG who put the smiley face on the mefi logo?

Crap, I thought you were joking around, and then scrolled up...awesome.
posted by inigo2 at 4:29 PM on September 14, 2007


Yes, Rhomboid, javascript alerts work, which is why I've spent the past few hours pulling my hair out trying to get this patched. It should be fixed within the hour.
posted by mathowie (staff) at 4:32 PM on September 14, 2007


Rhomboid you're such a card.
posted by dersins at 4:32 PM on September 14, 2007


Very well done, Rhomboid.
posted by Aloysius Bear at 4:35 PM on September 14, 2007


I think that smiley face should show up all the time now.

hello.
posted by blacklite at 4:51 PM on September 14, 2007 [1 favorite]


Yberz vcfhz qbybe fvg nzrg, pbafrpgrghe nqvcvfvpvat ryvg, frq qb rvhfzbq grzcbe vapvqvqhag hg ynober rg qbyber zntan nyvdhn. Hg ravz nq zvavz iravnz, dhvf abfgehq rkrepvgngvba hyynzpb ynobevf avfv hg nyvdhvc rk rn pbzzbqb pbafrdhng. Qhvf nhgr veher qbybe va erceruraqrevg va ibyhcgngr iryvg rffr pvyyhz qbyber rh shtvng ahyyn cnevnghe. Rkprcgrhe fvag bppnrpng phcvqngng aba cebvqrag, fhag va phycn dhv bssvpvn qrfrehag zbyyvg navz vq rfg ynobehz.
posted by Smart Dalek at 4:52 PM on September 14, 2007 [1 favorite]


pbtvgb retb QNLHZ
posted by cortex (staff) at 4:54 PM on September 14, 2007


My the colors are pretty. Can we have colors all the time please mathowie? huh? can we? huh?
posted by Cranberry at 4:57 PM on September 14, 2007


The problem is you can't allow just colors, if you allow inline styles then you open up an entire world of exploits as this thread has shown.

This is also a very good illustration of why BBcode came to exist. If you use tags like [b] that aren't actual HTML then you can ruthlessly filter all actual HTML (such as < and >) which makes this kind of attack much easier to deal with.
posted by Rhomboid at 5:01 PM on September 14, 2007
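
Rhomboid's point above, sketched as an added example (not from the thread or from any forum software; the tag set and the name render_bbcode are assumptions): escape every HTML metacharacter first, then translate a small fixed set of bracket tags into markup the server generates itself.

```python
import html
import re

# Bracket tags with no attributes, mapped to the HTML element the server emits.
SIMPLE_TAGS = {"b": "b", "i": "i"}

# [url=...] accepts http/https only. The URL may not contain whitespace,
# brackets, quotes or angle brackets, so it cannot close the href attribute.
URL_RE = re.compile(
    r"\[url=(https?://[^\s\[\]\"'<>]+)\](.*?)\[/url\]",
    re.IGNORECASE | re.DOTALL,
)


def render_bbcode(text):
    """Turn user text with [b], [i] and [url=] tags into safe HTML."""
    # Step 1: neutralise all real HTML. After this the string contains no
    # literal <, >, " or ' that came from the user.
    safe = html.escape(text, quote=True)

    # Step 2: translate the fixed tag set. Every < and > in the output
    # from here on was written by this function, never by the user.
    for bb, tag in SIMPLE_TAGS.items():
        safe = re.sub(
            rf"\[{bb}\](.*?)\[/{bb}\]",
            rf"<{tag}>\1</{tag}>",
            safe,
            flags=re.IGNORECASE | re.DOTALL,
        )

    # Step 3: links. Anything that fails the scheme or character rules is
    # left as visible bracket text instead of becoming markup.
    safe = URL_RE.sub(
        lambda m: f'<a href="{m.group(1)}" rel="nofollow">{m.group(2)}</a>',
        safe,
    )
    return safe


if __name__ == "__main__":
    # Constructed inputs; the second is the markup quoted in this thread.
    samples = [
        "[b]bold[/b] and [i]italic[/i]",
        "<b title=' 'style=\"font-family: comic sans ms;\">Please work.</b>",
        "[url=https://example.com/?a=1&b=2]a link[/url]",
        "[url=javascript:void(0)]not a link[/url]",
    ]
    for s in samples:
        print(render_bbcode(s))
```

Misnested bracket tags still produce misnested HTML here, so a tag balancer of the kind mentioned later in the thread remains useful; what changes is that no user-supplied attribute can reach the page.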


Rhomboid has a good point.
Can you imagine the anarchy if we could all post using the colours and fonts that we want, Cranberry? It can't happen. Metafilter depends quite strongly on uniformity and flatness for that warm, we-are-all-the-same design and sense of community. I guess.

Maybe we should have a free-for-all thread every few months to get it all out at once. This feels so cathartic.
posted by blacklite at 5:08 PM on September 14, 2007 [19 favorites]


I'm serious. Catharsis. I feel so much better.

I'll stop now.
posted by blacklite at 5:09 PM on September 14, 2007


...

I can't resist experimenting. Apologies in advance.
posted by chasing at 5:32 PM on September 14, 2007


...

More.
posted by chasing at 5:34 PM on September 14, 2007


">...

Last one..
posted by chasing at 5:37 PM on September 14, 2007


THIS is why we can't have nice things
posted by Big_B at 5:38 PM on September 14, 2007


This is test one.

This is test two.

This is test three.

This is test four.
posted by delfuego at 5:38 PM on September 14, 2007


That last DIV ain't being stripped, mebee.
posted by chasing at 5:44 PM on September 14, 2007


That little red smiley face scares the crapola outta this here white boy. Most of the rest of this stuff doesn't show up in Safari Version 2.0.4 (419.3) under OS X 10.4.10, although Rhomboid's did, for whatever reason. None of the rest of these supposedly blinking things blink for me. Colors, yes, I think, but blinking, no.
posted by cgc373 at 5:51 PM on September 14, 2007


Encore!
posted by SmarterChild at 6:07 PM on September 14, 2007


This is a test WAA.
posted by delfuego at 6:13 PM on September 14, 2007


This is a test of this link style.
posted by delfuego at 6:14 PM on September 14, 2007


Please bring back the img tag
posted by caddis at 6:20 PM on September 14, 2007


This thread is giving me a seizure.
posted by iamkimiam at 6:31 PM on September 14, 2007


I expect a full explanation of why I couldn't do the fun stuff after the fun stuff has been fixed. I may not be the sharpest knife in the drawer, but dammit, this is how we learn.
posted by yhbc at 6:41 PM on September 14, 2007


explanation: My friend Leonard Lin (randomfoo, upcoming, yahoo hack day) wrote some tag balancer code in late 2001, so that unclosed bold tags would get closing bold tags added to them. Then he wrote some code to exclude bad tags like embed and iframe, and went ahead and wrote code to filter out attributes like javascript: and style, stuff that can be used to mess up a site even back then.

Years have gone by and we've done a few tweaks to the code, but the code originally as written would look for new comments with and <text> in them. It would strip out the text in between (text, in this case) and call that a tag. If it saw a space following it, it considered anything else an attribute (like a href=yahoo.com where href is an attribute of a, the anchor element). It was looking for spaces after any remaining text to delimit another attribute.

So the gist of the problem was that today gary figured out that you could immediately follow allowed attributes with disallowed ones. So the text: title='style='color:red;' was being interpreted by the only attribute, and it was considered all part of the allowable "title" attribute. The real problem is you could follow with any attribute you wanted, including every crazy javascript exploit known to man, which is why this wasn't just about comic sans fonts, but really about the entire site's security for member accounts.

Jason Levine (delfuego) cleaned up the attribute filters so that the missing space didn't consider it all part of one attribute and solved the hack that was used today to do these sorts of display things.
posted by mathowie (staff) at 7:23 PM on September 14, 2007 [4 favorites]
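
The parsing gap mathowie describes above, as an added example that is not MetaFilter's code: a simplified Python model of a filter that only ends an attribute at whitespace, next to one that tokenises attributes the way a browser does and re-serialises only allowlisted ones. The function names, the allowlists and the http/https rule for href are assumptions made for the sketch.

```python
import html
import re

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "blink"}  # assumed allowlist
ALLOWED_ATTRS = {"href", "title"}                        # assumed allowlist
SPACE = " \t\r\n\f"

# Constructed from the markup quoted earlier in this thread.
PAYLOAD = "<b title=' 'style=\"font-family: comic sans ms; font-color: #00ff00;\">"


def split_tag(tag):
    """Return (lower-cased tag name, raw attribute text) for one start tag."""
    m = re.fullmatch(r"<([A-Za-z][A-Za-z0-9]*)(.*?)/?>", tag, re.S)
    if m is None:
        raise ValueError("not a start tag: %r" % tag)
    return m.group(1).lower(), m.group(2)


def legacy_tokens(raw):
    """Model of the old filter: an attribute ends only at unquoted whitespace."""
    tokens, cur, quote = [], "", None
    for ch in raw:
        if quote:                       # inside a quoted value
            cur += ch
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            cur += ch
        elif ch in SPACE:               # the only delimiter it recognises
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def legacy_filter_tag(tag):
    """Keep a token when the text before its first '=' is allowlisted."""
    name, raw = split_tag(tag)
    if name not in ALLOWED_TAGS:
        return ""
    kept = [t for t in legacy_tokens(raw)
            if t.split("=", 1)[0].lower() in ALLOWED_ATTRS]
    return "<" + " ".join([name] + kept) + ">"


def parse_attrs(raw):
    """Tokenise like a browser: a closing quote ends the value, space or not."""
    attrs, i, n = [], 0, len(raw)
    while i < n:
        while i < n and raw[i] in SPACE + "/":
            i += 1
        start = i
        while i < n and raw[i] not in SPACE + "/=":
            i += 1
        if i == start:                  # stray '=' or end of input
            i += 1
            continue
        name, value = raw[start:i].lower(), ""
        while i < n and raw[i] in SPACE:
            i += 1
        if i < n and raw[i] == "=":
            i += 1
            while i < n and raw[i] in SPACE:
                i += 1
            if i < n and raw[i] in "'\"":
                end = raw.find(raw[i], i + 1)
                end = n if end == -1 else end
                value, i = raw[i + 1:end], end + 1
            else:
                start = i
                while i < n and raw[i] not in SPACE:
                    i += 1
                value = raw[start:i]
        attrs.append((name, value))
    return attrs


def strict_filter_tag(tag):
    """Rebuild the tag from parsed attributes; never pass raw text through."""
    name, raw = split_tag(tag)
    if name not in ALLOWED_TAGS:
        return ""
    out, seen = [name], set()
    for attr, value in parse_attrs(raw):
        if attr not in ALLOWED_ATTRS or attr in seen:
            continue
        if attr == "href" and not re.match(r"https?://", value, re.I):
            continue                    # assumed rule: http/https links only
        seen.add(attr)
        out.append('%s="%s"' % (attr, html.escape(value, quote=True)))
    return "<" + " ".join(out) + ">"


def smuggled(tag):
    """Attribute names a browser would see that are not on the allowlist."""
    if not tag:
        return []
    return [n for n, _ in parse_attrs(split_tag(tag)[1]) if n not in ALLOWED_ATTRS]


if __name__ == "__main__":
    for label, f in (("legacy", legacy_filter_tag), ("strict", strict_filter_tag)):
        result = f(PAYLOAD)
        print(label, "->", result, "| browser also sees:", smuggled(result))
```

The durable part of the fix is the last step of strict_filter_tag: output is built from parsed name/value pairs, so any disagreement between the filter's tokeniser and the browser's cannot carry extra attributes through.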


So, for the other third-graders amongst us, I would have had to enter something else into the plaintext as it appears in "view source" which would have been stripped out by the old code?
posted by yhbc at 7:39 PM on September 14, 2007


Don't know why, but I feel the need to play with this.
posted by chasing at 7:55 PM on September 14, 2007


Hopefully, chaser, you're too late. :)
posted by delfuego at 8:12 PM on September 14, 2007


Part of what was kicking most of your asses when you were trying to pull the hack off based on observed source:

Mefi eats (or ate? I'll have to test this, now) pairs of ' characters that go through the stripper function, leaving one behind. So if you had ' twice in a row, you'd hit post and get just one ' on the other side.

So this:

title=''style'comic sans lol'

was failing for you because the ass end of your work came out as

title='style'comic sans lol'

or something similarly non-exploitatively broken. You'd just end up with the bare function of your root tag, be it bold or italic or blink or whatever.

Two workarounds: use actual text in the title:

title='dongs rofl'style='lkjlkjsldfjks'

Or double up your quote marks, so the pairs that get eaten down to single leave you with two left over:

title=''''style='font:assclown'

I figured the quote-halving thing out a while back when it kept fucking up some ascii art I was working on.
posted by cortex (staff) at 8:24 PM on September 14, 2007


And thanks, delfuego. You're awesome. And you're an edgecase—when MarkovFilter is supplied with a userid instead of a username, it fails on yours for reasons that become clear once you try it. Heh.
posted by cortex (staff) at 8:26 PM on September 14, 2007


ha ha ha ha ha ha you missed this!
posted by pyramid termite at 9:08 PM on September 14, 2007


So, wait. Are you guys telling me that this thread actually ended up making the site more secure?

By the very first comment, it was established that this was going to be a goofy wankfest. A pissing-elephant-thread, minus the <img> tag, if you will.

We can't have threads like that being productive. It sends the wrong kind of message, at this rate, in a couple of years someone is going to post an angry missive on how cortex's deletion reason was not scientifically sound enough, and 200 comments later, a $10 100Ker newbie will post the formula to cure cancer.
posted by quin at 9:26 PM on September 14, 2007 [1 favorite]


Well shoot, back to ascii art then...
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▄▄░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▄▄▄▄░░░▄▄▄▄░░░░░░░░░░░░██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██▀▀▀░░░▀▀██░░░░░░░▄███▄██░░░▄████▄░░░██▄████▄░░░▄███▄██░░▄▄█████▄░░░░░░░░░░░░░██▄████░░░▄████▄░░░███████░░░░░██░░░░░░██▀░░▀██░░██▀░░▀██░░██▀░░░██░░██▀░░▀██░░██▄▄▄▄░▀░░░░░░░░░░░░░██▀░░░░░░██▀░░▀██░░░░██░░░░░░░░██░░░░░░██░░░░██░░██░░░░██░░██░░░░██░░██░░░░██░░░▀▀▀▀██▄░░░░░░░░░░░░░██░░░░░░░██░░░░██░░░░██░░░░░░░░██░░░░░░▀██▄▄███░░▀██▄▄██▀░░██░░░░██░░▀██▄▄███░░█▄▄▄▄▄██░░░░░░░░░░░░░██░░░░░░░▀██▄▄██▀░░░░██░░░░░░░░██▄▄▄░░░░░▀▀▀░▀▀░░░░▀▀▀▀░░░░▀▀░░░░▀▀░░░▄▀▀▀░██░░░▀▀▀▀▀▀░░░░░░░░░░░░░░▀▀░░░░░░░░░▀▀▀▀░░░░░░▀▀░░░░░░░░░▀▀▀▀░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▀████▀▀░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░

posted by Rhomboid at 10:04 PM on September 14, 2007 [3 favorites]


You know, this thread was pretty retarded, but I have to say that the little smiley face underneath the MetaTalk logo made it all worthwhile.
posted by Afroblanco at 10:36 PM on September 14, 2007


This thread completely satisfies both the web developer side of me and the stupid jackass who laughs at anything unexpected side of me. More plz.
posted by davejay at 11:13 PM on September 14, 2007


A pissing-elephant-thread, minus the <img> tag, if you will.

You might've missed it, but there actually was a pissing elephant in here for about 5 minutes.
posted by carsonb at 11:46 PM on September 14, 2007


You might've missed it, but there actually was a pissing elephant in here for about 5 minutes.

Dammit! I knew I should have put the kids to bed early!
posted by davejay at 11:49 PM on September 14, 2007


Growing up is so painful. Trying to be a responsible citizen is just contrary to nature. Hey, I think I just defined civilization.
posted by Cranberry at 12:03 AM on September 15, 2007


Aw, you people have been having fun while this continent was asleep. Not fair!
posted by jouke at 1:00 AM on September 15, 2007


Bright Lights, Bad Kitty
Party over?
posted by Brandon Blatcher at 4:38 AM on September 15, 2007


testy.
posted by Brandon Blatcher at 4:48 AM on September 15, 2007


more testy
posted by Brandon Blatcher at 4:50 AM on September 15, 2007


son of testy
posted by Brandon Blatcher at 4:50 AM on September 15, 2007


daughter of testy
posted by Brandon Blatcher at 4:51 AM on September 15, 2007


crabby teenage niece of testy
posted by Brandon Blatcher at 4:59 AM on September 15, 2007


?
posted by Brandon Blatcher at 4:59 AM on September 15, 2007


I'm just glad the exploits are still there for posterity. I love

I'm breakin' out of my confines and heading into the margins.
posted by languagehat at 6:56 AM on September 15, 2007 [1 favorite]


Don't know if anyone is still looking at this, but the changes have an odd effect on the 'My Comments' page.

For instance, this comment:
Ask Ian Bicking.
appears as:
["http://blog.ianbicking.org/2007/08/21/the-shrinking-python-web-framework-world/"] Ask Ian Bicking.
posted by Aloysius Bear at 8:39 AM on September 15, 2007


...And Aloysius Bear's comment above looks like this on the Recent Activity page:

["http://ask.metafilter.com/71418/Here-snakey-snakey-snake#1064381"] ["http://blog.ianbicking.org/2007/08/21/the-shrinking-python-web-framework-world/"] ["http://blog.ianbicking.org/2007/08/21/the-shrinking-python-web-framework-world/"] Don't know if anyone is still looking at this, but the changes have an odd effect on the 'My Comments' page.

For instance, this comment:

Ask Ian Bicking.

appears as:

["http://blog.ianbicking.org/2007/08/21/the-shrinking-python-web-framework-world/"] Ask Ian Bicking.

/where the two "Ask Ian Bicking"s and the "this" are active links.
posted by carsonb at 8:46 AM on September 15, 2007


Yeah, I noticed that too. Annoying.
posted by languagehat at 9:00 AM on September 15, 2007


I'm glad I'm not the only one noticing it. I thought people were just adopting an irritating new posting style, like using @ to denote a quote or personal reference.

Out of curiosity, this is a test.
posted by quin at 9:36 AM on September 15, 2007


I wonder if they fixed it or if it's just random.
posted by quin at 9:37 AM on September 15, 2007


I wonder if they fixed it or if it's just random.

I still see it, quin.

test

test 2

test 3

(live preview still shows Gary's exploit, just for the record)
posted by carsonb at 10:08 AM on September 15, 2007



Well yeah, it hasn't been stripped out yet.
posted by Brandon Blatcher at 10:12 AM on September 15, 2007


huh, that was weird.

italic tag test

Does the above work?
posted by Brandon Blatcher at 10:12 AM on September 15, 2007


italic tag test 2

?
posted by Brandon Blatcher at 10:13 AM on September 15, 2007


Shrug, when originally replying to carsonb's comment and I hit "Post Comment" got an error saying the comment appears to be blank. Tried it several times, same error. Everything appears to be fine now.
posted by Brandon Blatcher at 10:14 AM on September 15, 2007


Here's what my previous comment looks like on the 'Recent Activity' page:

["http://www.google.com"] ["testing with title"] ["http://www.google.com"] ["testing with Garys exploit (no url aside from the href)"] ["http://www.google.com"] ["testing with Garys exploit using a style attribute that contains a URL"] I wonder if they fixed it or if it's just random.

I still see it, quin. ...

/looks like delfuego's fix is doing a fine job of stripping the forbidden attributes and recognizing the allowed attributes, but then it's tacking those allowed attributes onto the front of the comment and hiding them somehow. In threads it works fine, but something about the 'My Comments' and 'Recent Activity' pages reveals them. Looks normal on the comment history page though.
posted by carsonb at 10:14 AM on September 15, 2007


Shrug, when originally replying to carsonb's comment and I hit "Post Comment" got an error saying the comment appears to be blank.

I'll bet you $5 you had a "posted by" nested in <small> tags somewhere in that comment, Brandon. I've run into that problem before.
posted by carsonb at 10:16 AM on September 15, 2007


Also, in this thread only I cannot click on the row of links in the header that begins with "New Post". Are they covered up by the red smiley's <div> or something?
posted by carsonb at 10:28 AM on September 15, 2007


Is carsonb right?
posted by Brandon Blatcher at 10:38 AM on September 15, 2007


Yes, Brandon, he is
posted by Brandon Blatcher at 10:38 AM on September 15, 2007


Ok, thanks, just asking....
posted by Brandon Blatcher at 10:40 AM on September 15, 2007


Let's be very clear -- I'm an idiot. I made a change this morning to the code to deal with a remaining hole that someone emailed about overnight, and I left one line of debug code in; that debug code is what was leaving those ["whatever"] comments all over the place. *sheepish apology* It's fixed now.

And just to clear one other thing up: yes, we all know that the "exploits" still work in the Live Preview box, but it doesn't matter one whit -- that box only exists on your machine, in your browser, and as soon as you submit your comment the malicious bits get stripped out. It's doable to prevent even the exploits in the Live Preview box, but it'll take a change to how Matt provides the previews; I've offered to make the change, and it's up to him.
posted by delfuego at 10:45 AM on September 15, 2007


Also, in this thread only I cannot click on the row of links in the header that begins with "New Post". Are they covered up by the red smiley's or something?

Note to overzealous mods: Please do not remove the red smiley face because of this insignificant problem. Many of us are fans of the red smiley face.

/a fan of the red smiley face
posted by languagehat at 10:52 AM on September 15, 2007 [2 favorites]


I too am a fan and don't want to see it go. Just making a note, is all.

delfuego I don't suppose you could convince mathowie to change the error message for the issue Brandon had a few comments back ("posted by" nested in <small> tags) while you're at it? That "Your comment appears to be blank, go back and try again." error page is extremely confusing unless you close-read the FAQ regularly.
posted by carsonb at 10:56 AM on September 15, 2007


Woah, I just realized it was Rhomboid who put the smiley up there. Here's why it's obscuring the "New Post" line. Crazy.
posted by carsonb at 11:16 AM on September 15, 2007




heh. Gary has an interesting exploit posted on his userpage, too.
posted by killdevil at 12:14 PM on September 15, 2007


I took that from mock's page. His page is pointing to an invalid url now, but still works.
posted by Gary at 12:20 PM on September 15, 2007


Guys, you don't have to shit in the thread to do your testing. The non-live preview does the same filtering that would occur if you actually post, so use that to test things.
posted by Rhomboid at 1:26 PM on September 15, 2007


Ummm, Rhomboid -- this whole damn thing is an example of shitting in a thread.
posted by delfuego at 1:29 PM on September 15, 2007 [1 favorite]


Whomever:
When I'm trying to make links, they're borking:
http://ask.metafilter.com/71611/Dell-Vista-DSL-WTF#1066887
The URL keeps on changing when I use a href to http://ask.metafilter.com/contribute/post_comment_preview.mefi on preview/post
posted by jmd82 at 1:44 PM on September 15, 2007


AFAICT, jmd82, it's either a PEBCAK situation or the One-D Ten-T error. I can't replicate your problem.
posted by carsonb at 2:02 PM on September 15, 2007


If you put a space after the = in the href, the new parser will produce incorrect results.

Trying a space before.
Trying a space after.
Trying a space before and after the equals sign.
posted by Gary at 2:05 PM on September 15, 2007


To clarify:

href="http://google.com" will work
href ="http://google.com" will work
href= "http://google.com" will break
href = "http://google.com" will break

But they will all look fine in the live preview.
posted by Gary at 2:06 PM on September 15, 2007


I missed the fun!

Also, the blink tag is useful for people who are confused about what form of it's to use.
posted by brundlefly at 2:22 PM on September 15, 2007 [1 favorite]


Damn, brundlefly, I think you're really on to something they're.
posted by cortex (staff) at 2:26 PM on September 15, 2007 [2 favorites]


OK, here's what's happening to me:
I'm in the FFVII thread looking to post another link:
Don't forget to check out their [a href = "http://bt.ocremix.org/"]other torrents[/a].

When I went to preview, the link was changed to:

Don't forget to check out their [a href=""]other torrents[/a].

Whatever was done to the code, it's stripping out the spacing from [href = "..."] to [href=""] while also stripping out the link.

Or, what Gary said.
posted by jmd82 at 4:03 PM on September 15, 2007


Hereby I nominate Gary for the Metafilter Star of Honour.

He really should have a start next to his handle for this phenomenal short-lived discovery.
posted by jouke at 4:12 PM on September 15, 2007 [1 favorite]


a star

damn alcohol
posted by jouke at 4:12 PM on September 15, 2007


Did link tags with spaces before/after the equals sign work before? Looking at the original version of the code, they shouldn't have -- and I think that might be correct, since putting a space before/after the equals might violate the (X)HTML spec.

That being said, I just fixed the filter script so it handles that case.
posted by delfuego at 4:20 PM on September 15, 2007


Um, nope (previous comment had spaces in my a href = "" code). Not fixed...oh, and I've always used spaces in my code, though I never paid attention to if they were stripped.
posted by jmd82 at 4:23 PM on September 15, 2007


just to be explicit, my whacked comment:
[a href = "http://google.com"]test[/a]
Also, when I tried to preview and post, I am redirected here:
'http://google.com>test</a%3E%3Cbr%3E%3Cspan%20class='
posted by jmd82 at 4:27 PM on September 15, 2007


delfuego, I think it used to gracefully strip spaces from attr="sdsd" pairs that had a space on one or both sides of the equals sign. Or at least some variants of those. Which is pretty weird—I don't think it's valid html, at least, and I'm surprised that anybody does that, though that's probably just because I don't.
posted by cortex (staff) at 4:30 PM on September 15, 2007


Hadn't seen that spacing format before either. I take my insults back for mine own, sorry jmd82.
posted by carsonb at 4:54 PM on September 15, 2007


jmd82, thanks; it's again fixed.

cortex, thanks for the info; the filters should now do the same, after that final fix.

And finally: this is a test.
posted by delfuego at 4:54 PM on September 15, 2007


Looks like it works correctly now. Rock on!
posted by jmd82 at 5:14 PM on September 15, 2007


strip. tokenize. masturbate.
posted by psmith at 6:29 PM on September 15, 2007


wipe hands on.... oops, that's Fark.
posted by wendell at 6:53 PM on September 15, 2007


This won't be nearly as thrilling if it works.
posted by Gary at 9:58 PM on September 15, 2007


Cool. Now I just need to wait for some the HTML standard
posted by Gary at 10:02 PM on September 15, 2007


Bah. That should be "the new", not "some the".
posted by Gary at 10:08 PM on September 15, 2007


Testing...
posted by Rock Steady at 11:15 PM on September 15, 2007


Hmm. Do I have to do something other than just type "Testing" to get the craziness?
posted by Rock Steady at 11:16 PM on September 15, 2007


I ♥ everyone who made blinking and colorful things in this thread!
posted by Lynsey at 12:14 AM on September 16, 2007


HTML rules
posted by Cranberry at 12:16 AM on September 16, 2007


Thank you mathowie and delfuego for not taking away all our toys.
posted by Cranberry at 12:20 AM on September 16, 2007


colors are still working too so much more fun than white
posted by Cranberry at 12:27 AM on September 16, 2007


At least in preview...
posted by Cranberry at 12:27 AM on September 16, 2007


Confidential to IE users:

bill gates is a man
he has a lot of money
but paul has more fun

posted by Gary at 1:23 AM on September 16, 2007


Canvas?!? Some kind of relic of the browser wars?
posted by Rhomboid at 1:51 AM on September 16, 2007


Canvas is actually a relatively new development in the browser wars…

Apple developed it in WebKit because they thought SVG sucked. As it turns out SVG does sorta suck for web graphics, and canvas is pretty sweet. I have no idea what Internet Explorer renders <canvas> as!
posted by blasdelf at 2:10 AM on September 16, 2007 [1 favorite]


Comment from my roommate: "This thread is like papa smurf waking up and discovering that all the other smurfs have discovered drugs and sex."

Maybe a little late but I thought it was highly accurate.
posted by baphomet at 8:46 AM on September 16, 2007 [2 favorites]


I can't believe I missed all the fun. (by about an hour, apparently)
posted by delmoi at 11:25 AM on September 16, 2007


ahem i recently discovered this is not the only popular community site with this flaw

funny stuff
posted by lazaruslong at 4:55 PM on September 16, 2007


My god, the little red smiley is freaking the freaky up there. It won't stop freaking.
posted by cgc373 at 2:00 AM on September 17, 2007


The canvas tag was a bit ugly for what I wanted to accomplish there. The comment tag works better. Look out, next pointless browser flame war. I'm taking both sides.

Internet explorer would not be my first choice. Firefox is an awfully good browser.
posted by Gary at 4:57 PM on September 18, 2007


Actually, if you do this (with angle brackets, of course):

[b][comment]Some Text

The automatic tag closer gets the order wrong, and screws up the rest of the page rendering on Internet Explorer.
posted by Gary at 5:07 PM on September 18, 2007
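
Two filter bugs reported in this thread, href attributes breaking when there is whitespace around the equals sign and the automatic tag closer getting the closing order wrong, both come from the filter parsing markup differently than the browser does. The sketch below is an added example, not MetaFilter's filter code: it builds an allowlist filter on Python's tolerant HTML tokenizer and closes open tags innermost first; the allowlist, the URL prefix policy and the names `ALLOWED`, `SAFE_PREFIXES` and `sanitize` are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example; the site's real allowlist is not given in the thread.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "em": set(),
           "strong": set(), "small": set(), "blink": set()}
SAFE_PREFIXES = ("http://", "https://", "mailto:")  # assumed; relative links are dropped

class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # drop the tag itself, keep the text inside it
        kept = []
        for name, value in attrs:
            # The tokenizer has already absorbed whitespace around "=".
            if name not in ALLOWED[tag] or value is None:
                continue  # forbidden attribute (style, on* handlers, ...)
            if name == "href" and not value.strip().lower().startswith(SAFE_PREFIXES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray close tag with no matching open tag
        while True:  # close anything opened after `tag` first, innermost first
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(comment: str) -> str:
    """Return the comment re-serialized from allowed tags and attributes only."""
    p = CommentSanitizer()
    p.feed(comment)
    p.close()
    while p.open_tags:  # auto-close leftovers in reverse order of opening
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)
```

Because the output is rebuilt from parsed tokens rather than edited in place, all four href spellings listed earlier in the thread come out as the same normalized link.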


Please?</blink>
posted by Gary at 5:48 PM on September 18, 2007 [9 favorites]


Silly bastard.
posted by cortex (staff) at 5:54 PM on September 18, 2007


Does it, gary?
posted by Aloysius Bear at 6:16 PM on September 18, 2007


The <ruby> tag is one of the odd tags that only work in IE.
posted by Aloysius Bear at 6:36 PM on September 18, 2007


That's weird. Gary's comment('s tagline) blinks at me on the Recent Activity page, but not here in the thread.
posted by carsonb at 7:15 PM on September 18, 2007


Yeah, that's always been the case with any of this html-goofing-around stuff.
posted by stavrosthewonderchicken at 9:00 PM on September 18, 2007

