Strip ID: 1709 Created: 2023-06-02 07:55:57 Last reply: 2023-06-03 07:56:46 Comments: 14

If you REALLY want to add a warning...

TeeEffDee
2023-06-02 07:55:57
#1
`Peyo` If you REALLY want to warn people about content, put a gate that has to be used for anyone making a page exploiting the site code. I have been purposely avoiding any uploads from Sam due to the subversion of the site, but someone else made me aware of the most egregious examples so I checked it out, and wow! That's genuinely changing this from an art site to the equivalent of those flashing animated GIF avatars people used to post on forum sites in hopes of inducing epileptic seizures. You ought to have a requirement that if someone is going to use the site for a layout experiment (especially involving blasting music. It's common sense that something like that should ALWAYS have an audio warning; if someone is sitting somewhere silent and suddenly has audio blast out of their speakers, that could really be an issue for them, and Sam KNOWS that, and so does everyone else. The potential for malice with that is through the roof.) So if layout subversion is going to actually be a part of the site and you encourage it, please make a rule that it has to be put behind a gateway page so it doesn't get inflicted on someone at a time when they might just be expecting a comic strip. I'm especially baffled that you were so resistant to the idea of image uploads under the idea that it was going to undermine the spirit of the site, but you're fine with someone making the page layout spin like a ceiling fan or play audio. The user who pointed it out to me is prepared to make a point by actually using it to do something malicious with the weakness so that it cannot be ignored, and even if they don't, someone is going to because it's a huge invitation for vandalism. That's really a bit much! I had no idea that was going on. Is that sort of thing do-able from the comment section, or does the person have to be the originator of the strip to pull it off? If it is possible through comments, could you please make a way to limit comments to friends only if that doesn't already exist?

Peyo
2023-06-02 10:23:06
2023-06-02 10:22:04
#2
afaik Sam didn't do anything harmful - at least not on purpose. I can make a rule that only Sam is allowed to add html to the title if you want. Alternatively I guess the audio tag could be ruled out, or only certain html tags allowed. afaik you cannot add html for comments - only strip titles. Also, limited new users are not allowed to add html already because of the potential malicious stuff, but if you are aware of such things happening please let me know asap. Also sorry for the inconvenience - the thing is I want to please everyone (hence giving in eventually to add editing or uploads or whatever you guys will think of next)

TeeEffDee
2023-06-02 10:40:53
#3
`Peyo` I'll hold off on any philosophizing about the results of trying to please everyone, but a good solution would be to have a checkbox for an option to reduce all text on the site to plain text from a given user's standpoint, and have it on by default, so that if someone wants to take part in style sheet performance art they can opt in, versus just having it in their face unexpectedly. It would be trivial to harvest the login credentials of incautious users as it stands, and even as non-clever as I am I thought up a way to use this to crash someone's browser fairly easily (and annihilate their data allowance if they are on a fixed data plan), and of course the temptation of having a sound sample of the title-maker's choice play through someone's speakers is going to eventually get too strong for someone to resist, which could lead to innocent users getting fired if they're using the site from work. In addition, you can easily inject illegal or non-school-friendly material into someone's browser cache through this method, not to mention having it present on the site itself in a hidden form.

Peyo
2023-06-02 11:06:05
#4
I understand the problem and I'll think of something but it would be nice if we could reach some sort of compromise: e.g. a list of certain tags that might be used harmfully that are not allowed etc.

Peyo
2023-06-02 11:20:32
2023-06-02 11:19:12
#5
until we reach a solution - a half-assed fix: only me, `sam sai pef and friends` and `Scones and Cones` are allowed to add html shenanigans, and for `TeeEffDee` they are turned off altogether. Once again this is only temporary until we figure this out

TeeEffDee
2023-06-02 11:36:28
#6
`Peyo` Actually you don't have to worry about me at all, I'm actually not very vulnerable to any of these exploits, and in fact I didn't even know they existed until I was prompted to check it out! I'm just letting you know, that's a gaping hole in user security and a huge invite for an easy attack from even the most low-intellect script kiddie. If you're able to turn it off for me that easily, it should be trivial to turn it off by default for everyone, so if they opt in at least they understand what they're opting for. So for example if someone wanted to use it to make a fake login page and harvest credentials, if the person hadn't opted in, that attempt would fall flat since it would never have been processed as a script. It's always better to let people choose what they want to do. I don't see the purpose of having that sort of HTML functionality in a title field anyway, not that it's really any of my business, but it just strikes me as "Enjoy our latest hamburger, which also comes with a handy injection port for chemicals and bio-agents." Like why is that even there? Why isn't it plain text to start with? I'm not asking for justification, but when I see a security hole like that I naturally wonder why it even exists. "Our latest sleeping bag with handy mouse-sized access port for woodland vermin to get at you while you're sleeping."

Peyo
2023-06-02 12:03:44
#7
it's done through some hacking (I just check the user id and allow based on that - so the privileges are hard-coded into the very site itself). If it's only about potential harm I guess an easy solution would be to only allow it opt-in, so it will remain this hidden feature that only the 3 of us can do for now (I doubt sam or scones would want to cause anyone harm or get your data), and if someone else wants to do html they will need to ask first. And let me know if you find places on the site where you can inject html - and consider it as a bug: for the titles this is just a special privilege

TeeEffDee
2023-06-02 12:16:35
#8
`Peyo` Yeah I don't think you, Sam or Setin are going to do anything, obviously... It's never about the people you know it's about the person you haven't met yet, who steps into a perfect opportunity. The site's already been attacked as you well know, and the attacker is now a member, so it's not the environment to leave any doors open. So yes that does solve the problem! It's just too easy to get verified on here and get full privileges for that to be any sort of a safeguard (has anyone ever been rejected? Not that I know of) so having it be off limits makes sense.

Peyo
2023-06-02 12:37:22
#9
you know that for a fact? (the attack part - nobody ever tells me anything 😔 - anyway I understand now where your concerns are coming from) As long as they don't make trouble I don't mind people starting with a clean slate. I do not wish to reject anyone until they prove without doubt that they are beyond reform and only here to make trouble (and even then I usually just suggest a career in politics 🤔), so I want to keep the site low on moderation in general - but don't worry: not as low as PJ (aka non-existent)

TeeEffDee
2023-06-02 12:47:56
#10
`Peyo` By attack I mean 2 events. First the one where someone was spamming the site using a script, I believe posting in Hindi. I could be wrong about the language. But I was watching it happen in real time talking to Carrot on Discord, and you moved in and put an end to it, and gave a damage report. Oh come on, you were there! The second would be the massive number of accounts created on the Wiki, which I would certainly count as an attack. I believe you said it was something like 800 accounts. And yes, I know you don't want to reject anyone but that's exactly why security is so important. I mean this may come as a shock but I have reason to believe Goh and PewPew/Headshot's user is on here, and we all know what a troublemaker that guy is.

Peyo
2023-06-02 12:56:32
#11
of course I remember those, but what I mean is do you know for sure that they are a member or is it only a suspicion? (just asking out of curiosity) or do you mean that they are aware of the site? (I'm still not sure if there was only one person making trouble on pj)

TeeEffDee
2023-06-02 13:12:22
#12
I could never prove it!

Peyo
2023-06-03 00:17:48
2023-06-03 00:15:27
#13
oh well.. anyway I'll try to be a bit more strict in the future: `sam sai pef and friends` please don't set audio to autoplay and use the 'controls' tag if possible (and try to make the full page animations not last for an infinite time) (I'm not gonna enforce these, just asking to take it easy)
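Peyo's idea in #4 (a list of harmful tags that are not allowed) and the autoplay/controls request in #13, reworked as an allowlist in added example code; this is not the site's code, and the tag and attribute lists are assumptions. Only listed tags survive, every attribute not listed is dropped (so `on*` handlers and `autoplay` go), script/style bodies are discarded, remaining text is escaped, and `controls` is forced on every audio element.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist for a strip title (an assumption for this example, not the site's real policy).
ALLOWED_TAGS = {"b", "i", "em", "strong", "u", "span", "br", "audio"}
ALLOWED_ATTRS = {"span": {"class"}, "audio": {"src", "loop"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}

class TitleSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1          # swallow everything up to its end tag
        elif not self.skip_depth and tag in ALLOWED_TAGS:   # other tags vanish
            kept = []
            for name, value in attrs:
                if name not in ALLOWED_ATTRS.get(tag, ()):
                    continue              # drops on*, style, autoplay, ...
                if name == "src" and not (value or "").lower().startswith("https://"):
                    continue              # no javascript:, data: or relative src
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            if tag == "audio":
                kept.append(" controls")  # audio plays only when the reader clicks
            self.out.append(f"<{tag}{''.join(kept)}>")
            if tag != "br":
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open_tags:
            closed = None
            while closed != tag:          # also closes anything still open inside
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_title(raw_html):
    p = TitleSanitizer()
    p.feed(raw_html)
    p.close()
    while p.open_tags:                    # balance tags the author left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)
```

A denylist misses the tag nobody thought of; an allowlist fails closed, which is why the unknown tag is dropped rather than passed through.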

sam sai pef and friends
2023-06-03 07:56:46
#14
understood
