The rule passed down that disallows images under level 5 was created for a reason. There was a time long ago when images were allowed to roam free across the nodefields.

Apparently, for such a rule to be in place, there must be some ethical reason for its creation, probably due to the fact that there was some unethical use of images in homenodes.

Security (which includes bandwidth/database hogging) is a big issue with a website that relies on donations. Why cause more headaches for those that volunteer their time?

mousey, I'm sure your intentions are good, but promoting information in a forum about circumventing security in the same forum isn't that great of an idea. The rule is there for a good reason, and if you wished to challenge its purpose, you have every right to do so. However, you should have not posted a means of breaking the system, rather your opinion and supporting reason to change the system would have been appreciated.

Just my two cents.

Update: after reading theorbtwo's post, I realized that allowing pictures at monk level only seems right. By level five (250XP), a user has been here long enough to know the rules and respect the Monastery. Therefore, that user will be entitled to have a picture hosted on Perl Monks. It is a great privledge, considering they are allowing users to upload 80kb onto the perlmonks.org server. If you allowed anyone with an account (including all those "Logged in once, no writeups") to post an image, you'd run out of space very quickly. Assuming that just a quarter of those "LIONW"s posted an image around 40KB, you'd have around 97MB of database that would be essentially useless.

mousey, go for level five, but not for the picture... but for the self-enlightenment :)

John J Reiser
newrisedesigns.com

Update: after reading theorbtwo's post, I realized that allowing pictures at monk level only seems right. By level five (250XP), a user has been here long enough to know the rules and respect the Monastery. Therefore, that user will be entitled to have a picture hosted on Perl Monks. It is a great privledge, considering they are allowing users to upload 80kb onto the perlmonks.org server. If you allowed anyone with an account (including all those "Logged in once, no writeups") to post an image, you'd run out of space very quickly. Assuming that just a quarter of those "LIONW"s posted an image around 40KB, you'd have around 97MB of database that would be essentially useless.

You know, these days I would expect one should be able to move from Initiate to Monk in a week or less, hardly enough time to get to know the culture of this site, but that's not the problem. And what mousey was doing places no additional load on the server, apart from sending the characters required to write the HTML code that references a resource sitting on another server. The cost of pulling down that image to the client, from the Perl Monks server's point of view, is zero.

The reason is not bandwidth cost, more for legal reasons. Restricting the ability of people to reference material on other servers reduces the chances of vroom receiving nasty letters from clueless lawyers bent on copyright violations. By the time you're allowed to, you are supposed to know the rules.

I wrote the first patch to block the use of the <image> element and I suppose I can keep on adding to the code (it's just a regex) but I'd rather be doing something else. Because there are still other ways lying in the wings to circumvent the filter and get your picture on your homenode. If you are clever you can work it out. The pmdevils are discussing the best way to fix things once and for all.

<update> in response to FU (and tangentially tadman's post below), yes of course the obvious thing would be to use HTML::Parser or HTML::TokeParser and throw away anything that doesn't match a list of allowable tags. The only problem with this approach is that it is somewhat resource-hungry and the impact on the server will be hard to gauge. Of course, there is another approach that may be more light weight. It's more a question of sitting down and trying both appoaches. </update>


print@_{sort keys %_},$/if%_=split//,'= & *a?b:e\f/h^h!j+n,o@o;r$s-t%t#u'

I wrote the first patch to block the use of the <image> element and I suppose I can keep on adding to the code (it's just a regex....

IMO, the most valuable lesson we can pull from mousey's little mini-exploit is to filter homenode HTML positively ("allow only safe elements") rather than negatively ("deny only the unsafe elements that we thought of").

And now, the less valuable lesson, all IMHO:

<soapbox>

Both here and in the chatterbox, I've seen mousey's exploit criticized for irreverance ("Monk pics are a way of honouring committed members! mousey's denigrating that!"), for irresponsible disclosure ("mousey's found a way around an XSS/Javascript attack filter and is encouraging blackhats to use it!"), or just for breaking the rules ("mousey broke the rules! Don't break the rules! They're the rules! Rules! Baa! Baa! Baa!").

That's not my read on the situation at all.

From mousey's original post, and from what he actually did with the vuln he found, I see his attitude as (naive) exuberance: "hey, cool, you can get around the no-images-before-level-5 filter with a crufty HTML hack!" That "hey, cool" attitude is central to hackerdom; without scruffy programmers doing the unexpected, we'd all be grinding out COBOL, JCL, and PL/I for a living on massive time-sharing systems from IBM. We need to protect that attitude, and nurture it, not restrict and ostracize it.

</soapbox>

--
F o x t r o t U n i f o r m
Found a typo in this node? /msg me
The hell with paco, vote for Erudil!

Regarding one's rapidity (word?) in building rank, I believe that it is quite simple for someone to advance significantly in a short time-frame. Perhaps the place for this is in Meditations or Discussions but I have long thought that in addition to a certain XP level, perhaps a minimum number of posts or something similar could be incorporated into the process.

I've seen a few people (and I include myself) who are relatively new to Perlmonks, and perhaps a bit new to many of the rules and procedures (I still have to check the FAQ every time I want to link to a node or link in the CB) who have one or two good posts, and have been carried by that into Monk-dom. Again, I point an accusational finger at myself. I've got a few "this regex doesn't work, can someone please put me to shame with one line" requests, a "someone tell me to use a templating system instead of writing my own from scratch" question, and even a few "I'd like to do something with this method, which isn't even close to any of the MTOWTDI(s)".

I was more than happy with the 3 or 4 XP I recieved from any of these postings. Imagine my surprise when I logged in one day and had gained 90+ experience from a single well-written opinion post!
Supposedly, the path to enlightenment is through discipline and study... While I've studied a great deal and had a fantastic time here, have I earned a place for my little artwork cidaris? Hard to say.

Quantity not quality? Not what I'm implying at all. But I don't know about reaching Monk on one or two good posts, either.

A side note to the "Powers that Be": Do I want to give up my XP and lose my little monk? Not hardly ;)
cidaris

According to I want my picture back, the reason is "...to honor users who have reached monk status or higher...". This, I think, is a very important reason. mousey, why not try to make L5 instead of getting around the limit?

---

Confession: It does an Immortal Body good.

Clever and well-hacked. (Although I imagine this'll get fixed about the next time tye's around.... :-)

--
F o x t r o t U n i f o r m
Found a typo in this node? /msg me
The hell with paco, vote for Erudil!

mousey,
What do you hope to gain by this? I foresee that all this will do is cause the powers that be to impose more restrictions on Monks of lower level.

It was interesting that you found that you could use the image tag. Now you realize that you can use an iframe. Once they stop you from using that, then what? Where does it end?

Instead of trying to push the limits of your homenode, why not write a really cool use for Perl? Or a deep, meaningful essay about what Perl means to you? Perhaps you could write up a nice snippet that will solve someone's problem? Answer some questions. There are many more productive things to do at the Monastery!

I always thought the HTML-Scrubbing was done with code like in Why I like functional programming, because that's inclusive and works great. I use modifications of that code myself, because it's so great :). I wonder, too.

--
http://fruiture.de

--
perl -pew "s/\b;([mnst])/'$1/g"

So now you've used iframes? Clever, I guess...