PerlMonks  

Re(3) Images under Level 5

by FoxtrotUniform (Prior)
on Aug 27, 2002 at 17:07 UTC


in reply to Re:x2 Images under Level 5
in thread Images under Level 5

    I wrote the first patch to block the use of the <image> element and I suppose I can keep on adding to the code (it's just a regex....

IMO, the most valuable lesson we can pull from mousey's little mini-exploit is to filter homenode HTML positively ("allow only safe elements") rather than negatively ("deny only the unsafe elements that we thought of").

And now, the less valuable lesson, all IMHO:

<soapbox>

Both here and in the chatterbox, I've seen mousey's exploit criticized for irreverence ("Monk pics are a way of honouring committed members! mousey's denigrating that!"), for irresponsible disclosure ("mousey's found a way around an XSS/Javascript attack filter and is encouraging blackhats to use it!"), or just for breaking the rules ("mousey broke the rules! Don't break the rules! They're the rules! Rules! Baa! Baa! Baa!").

That's not my read on the situation at all.

From mousey's original post, and from what he actually did with the vuln he found, I see his attitude as (naive) exuberance: "hey, cool, you can get around the no-images-before-level-5 filter with a crufty HTML hack!" That "hey, cool" attitude is central to hackerdom; without scruffy programmers doing the unexpected, we'd all be grinding out COBOL, JCL, and PL/I for a living on massive time-sharing systems from IBM. We need to protect that attitude, and nurture it, not restrict and ostracize it.

</soapbox>

--
F o x t r o t U n i f o r m
Found a typo in this node? /msg me
The hell with paco, vote for Erudil!
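As an added illustration of the "allow only safe elements" approach the post above argues for (this is example code written for this page, not PerlMonks' homenode filter and not code from FoxtrotUniform or mousey): instead of a regex that strips `<image>` and whatever else someone has thought of so far, the filter tokenises the markup, rebuilds only the elements and attributes on an allowlist, and escapes everything else so it renders as literal text. The element list, the attribute validators and the demo input are all assumptions made here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist: element name => { attribute name => validator sub }.
# These lists are assumptions for this example, not a site policy.
my %ALLOWED = (
    b    => {},
    i    => {},
    code => {},
    p    => {},
    br   => {},
    a    => { href => \&safe_href },
);

# Anything that is not recognised, allowed markup is escaped so the browser
# shows it as text instead of interpreting it.
sub escape_text {
    my ($s) = @_;
    $s =~ s/&(?!(?:[A-Za-z]+|#\d+);)/&amp;/g;   # leave existing entities alone
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# href must be an absolute http(s) URL, so javascript:, data:, etc. never pass.
sub safe_href {
    my ($v) = @_;
    return $v =~ m{\Ahttps?://[^\s"'<>]+\z}i ? $v : undef;
}

# Rebuild an allowed opening tag from scratch: only allowed attributes survive,
# and only if their value passes the validator. Everything else is dropped.
sub rebuild_tag {
    my ($name, $attrs) = @_;
    my $rules = $ALLOWED{$name};
    my $out   = "<$name";
    while ($attrs =~ m{([A-Za-z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))}g) {
        my ($attr, $val) = (lc $1, $2 // $3 // $4);
        next unless exists $rules->{$attr};
        my $clean = $rules->{$attr}->($val);
        $out .= qq{ $attr="} . escape_text($clean) . '"' if defined $clean;
    }
    return "$out>";
}

sub filter_html {
    my ($html) = @_;
    my $out = '';
    # Tokenise: a tag is '<', optional '/', a name, attributes, '>'.
    # Anything else, including a stray '<', is treated as text.
    while ($html =~ m{\G(?:(<(/?)([A-Za-z][A-Za-z0-9]*)([^<>]*)>)|([^<]+|<))}gc) {
        if (defined $1) {
            my ($tag, $slash, $name, $attrs) = ($1, $2, lc $3, $4);
            if (!exists $ALLOWED{$name}) {
                $out .= escape_text($tag);      # not on the list: shown as text
            } elsif ($slash) {
                $out .= "</$name>";
            } else {
                $out .= rebuild_tag($name, $attrs);
            }
        } else {
            my $text = $5;
            $out .= escape_text($text);
        }
    }
    return $out;
}

# Constructed demo input: one allowed element, one unknown element carrying an
# event handler, one allowed element with a bad attribute value, one clean link.
my $in = 'Hi <b>all</b> <img src="x" onerror="alert(1)">'
       . ' <a href="javascript:alert(1)">bad</a> <a HREF="http://example.com/">ok</a>';
print filter_html($in), "\n";
# prints:
# Hi <b>all</b> &lt;img src=&quot;x&quot; onerror=&quot;alert(1)&quot;&gt; <a>bad</a> <a href="http://example.com/">ok</a>
```

The point of the design is that nothing the filter fails to recognise ever reaches the browser as markup: a new element, an odd spelling, or a tag with a `>` hidden inside a quoted value all fall through to `escape_text`, so there is no "unsafe element we didn't think of" to add to a deny-regex later.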
