http://qs321.pair.com?node_id=193091


in reply to Re: (nrd) Images under Level 5
in thread Images under Level 5

Update: after reading theorbtwo's post, I realized that allowing pictures at monk level only seems right. By level five (250XP), a user has been here long enough to know the rules and respect the Monastery. Therefore, that user will be entitled to have a picture hosted on Perl Monks. It is a great privilege, considering they are allowing users to upload 80kb onto the perlmonks.org server. If you allowed anyone with an account (including all those "Logged in once, no writeups") to post an image, you'd run out of space very quickly. Assuming that just a quarter of those "LIONW"s posted an image around 40KB, you'd have around 97MB of database that would be essentially useless.

You know, these days I would expect one should be able to move from Initiate to Monk in a week or less, hardly enough time to get to know the culture of this site, but that's not the problem. And what mousey was doing places no additional load on the server, apart from sending the characters required to write the HTML code that references a resource sitting on another server. The cost of pulling down that image to the client, from the Perl Monks server's point of view, is zero.

The reason is not bandwidth cost, more for legal reasons. Restricting the ability of people to reference material on other servers reduces the chances of vroom receiving nasty letters from clueless lawyers bent on copyright violations. By the time you're allowed to, you are supposed to know the rules.

I wrote the first patch to block the use of the <image> element and I suppose I can keep on adding to the code (it's just a regex) but I'd rather be doing something else. Because there are still other ways lying in the wings to circumvent the filter and get your picture on your homenode. If you are clever you can work it out. The pmdevils are discussing the best way to fix things once and for all.

<update> in response to FU (and tangentially tadman's post below), yes of course the obvious thing would be to use HTML::Parser or HTML::TokeParser and throw away anything that doesn't match a list of allowable tags. The only problem with this approach is that it is somewhat resource-hungry and the impact on the server will be hard to gauge. Of course, there is another approach that may be more lightweight. It's more a question of sitting down and trying both approaches. </update>


print@_{sort keys %_},$/if%_=split//,'= & *a?b:e\f/h^h!j+n,o@o;r$s-t%t#u'

Re(3) Images under Level 5
by FoxtrotUniform (Prior) on Aug 27, 2002 at 17:07 UTC
      I wrote the first patch to block the use of the <image> element and I suppose I can keep on adding to the code (it's just a regex....

    IMO, the most valuable lesson we can pull from mousey's little mini-exploit is to filter homenode HTML positively ("allow only safe elements") rather than negatively ("deny only the unsafe elements that we thought of").

    And now, the less valuable lesson, all IMHO:

    <soapbox>

    Both here and in the chatterbox, I've seen mousey's exploit criticized for irreverence ("Monk pics are a way of honouring committed members! mousey's denigrating that!"), for irresponsible disclosure ("mousey's found a way around an XSS/Javascript attack filter and is encouraging blackhats to use it!"), or just for breaking the rules ("mousey broke the rules! Don't break the rules! They're the rules! Rules! Baa! Baa! Baa!").

    That's not my read on the situation at all.

    From mousey's original post, and from what he actually did with the vuln he found, I see his attitude as (naive) exuberance: "hey, cool, you can get around the no-images-before-level-5 filter with a crufty HTML hack!" That "hey, cool" attitude is central to hackerdom; without scruffy programmers doing the unexpected, we'd all be grinding out COBOL, JCL, and PL/I for a living on massive time-sharing systems from IBM. We need to protect that attitude, and nurture it, not restrict and ostracize it.

    </soapbox>

    --
    F o x t r o t U n i f o r m
    Found a typo in this node? /msg me
    The hell with paco, vote for Erudil!
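The positive filter grinder sketches in his update (HTML::TokeParser, keep only a list of allowable tags) and FoxtrotUniform's "allow only safe elements" lesson, written out as an added example; this is not code from the thread or from the PerlMonks codebase, and the element and attribute lists, the link-scheme check and the sample input are assumptions chosen for illustration.

```perl
use strict;
use warnings;
use HTML::TokeParser;
use HTML::Entities qw(encode_entities decode_entities);

# Allow-list: element => permitted attributes; img is deliberately absent.
my %ALLOWED = (
    p => [], br => [], b => [], i => [], code => [], pre => [],
    a => ['href'],
);

# Rebuild markup from tokens, keeping only allow-listed elements/attributes.
sub filter_homenode_html {
    my ($html) = @_;
    my $p   = HTML::TokeParser->new(\$html);
    my $out = '';
    while (my $t = $p->get_token) {
        my $type = $t->[0];
        if ($type eq 'S') {                       # start tag: [S, tag, \%attr, ...]
            my ($tag, $attr) = @{$t}[1, 2];
            next unless exists $ALLOWED{$tag};
            my @keep;
            for my $name (@{ $ALLOWED{$tag} }) {
                next unless defined $attr->{$name};
                my $v = $attr->{$name};
                # only site-relative or http(s) links survive; other schemes are dropped
                next if $name eq 'href' && $v !~ m{\A(?:https?://|/)}i;
                push @keep, sprintf('%s="%s"', $name, encode_entities($v));
            }
            $out .= '<' . join(' ', $tag, @keep) . '>';
        }
        elsif ($type eq 'E') {                    # end tag: [E, tag, text]
            $out .= "</$t->[1]>" if exists $ALLOWED{ $t->[1] };
        }
        elsif ($type eq 'T') {                    # text: normalise, then re-escape
            $out .= encode_entities(decode_entities($t->[1]), '<>&"');
        }
        # comments, declarations and processing instructions are discarded
    }
    return $out;
}

# Constructed sample input (not from the thread): an <img> and an event-handler
# attribute, both of which fall away because they are simply not on the list.
my $untrusted = <<'HTML';
<p>Hello <b>monks</b> &amp; friends.
<a href="/?node_id=193091" onmouseover="alert(1)">my node</a>
<img src="http://elsewhere.example/me.png" alt="not allowed yet"></p>
HTML
print filter_homenode_html($untrusted);
```

Because the output is regenerated from parsed tokens rather than patched with regexes, there is no "next trick" to add to the filter: a new element or attribute gets through only when someone adds it to %ALLOWED.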

Re: Re:x2 Images under Level 5
by cidaris (Friar) on Aug 28, 2002 at 17:14 UTC
    Regarding one's rapidity (word?) in building rank, I believe that it is quite simple for someone to advance significantly in a short time-frame. Perhaps the place for this is in Meditations or Discussions but I have long thought that in addition to a certain XP level, perhaps a minimum number of posts or something similar could be incorporated into the process.

    I've seen a few people (and I include myself) who are relatively new to Perlmonks, and perhaps a bit new to many of the rules and procedures (I still have to check the FAQ every time I want to link to a node or link in the CB) who have one or two good posts, and have been carried by that into Monk-dom. Again, I point an accusational finger at myself. I've got a few "this regex doesn't work, can someone please put me to shame with one line" requests, a "someone tell me to use a templating system instead of writing my own from scratch" question, and even a few "I'd like to do something with this method, which isn't even close to any of the MTOWTDI(s)".

    I was more than happy with the 3 or 4 XP I received from any of these postings. Imagine my surprise when I logged in one day and had gained 90+ experience from a single well-written opinion post!
    Supposedly, the path to enlightenment is through discipline and study... While I've studied a great deal and had a fantastic time here, have I earned a place for my little artwork cidaris? Hard to say.

    Quantity not quality? Not what I'm implying at all. But I don't know about reaching Monk on one or two good posts, either.

    A side note to the "Powers that Be": Do I want to give up my XP and lose my little monk? Not hardly ;)
    cidaris

      I don't think anyone will begrudge you for reaching that status so quickly. You have to put it in perspective: besides the already mentioned huge numbers of people who have never posted or not even logged in, there are a great many people who register, ask a question or two and then disappear. Compare that to your staying around and contributing. Obviously, though you may not know your way around here well yet, you do care about the place, or you wouldn't have stayed around even that long.

      Btw: ++ for that post. *grin*

      Makeshifts last the longest.