Canning Spam
You may have noticed a few weekends ago some spammers at Cafe were putting up entries that redirected you to their sites as soon as you landed on certain TPM pages. This kind of attack (called cross-site scripting) uses JavaScript injected into a page to take command of the browser for malicious ends. To combat that, while we were developing a fix, we disabled self-registration and asked users to email us if they wanted to start an account. That way we could make sure bots weren't signing up and injecting harmful code into Cafe pages.
Last night we deployed a security fix that will prevent these kinds of attacks by stripping certain HTML tags from entries, such as the <script> tag. We're also stripping out the <style> tag, which can alter the legibility and structure of the site. These changes won't affect the majority of users, but please be advised that if certain tags "disappear" from your entries on save, this is what is going on.
Another note -- we have elected to whitelist tags that allow embedding videos. Though this allows a high level of freedom (and a certain amount of risk), we felt that sharing videos was an integral part of TPMCafe discussion. If these tags are abused, however, we may have to reconsider.
Please let me know if you see anything funky by emailing me at al@ this domain. Thanks.
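As an added illustration (not TPM's own code), here is an allowlist-based sanitizer in Python that implements the policy the post describes: <script> and <style> go along with their contents, the style attribute is dropped while height and width survive, and a small set of video-embed tags is permitted. The specific tag and attribute names, the object/param/embed choice for video embeds, the http/https-only rule for URLs and the sample entry are all assumptions made here; the allowlist approach is chosen over stripping a blacklist of tags because anything not explicitly permitted is then dropped by default.

```python
from html import escape
from html.parser import HTMLParser
# Allowlist policy, assumed for this example: the post names only <script>, <style>
# and the style attribute explicitly and says video-embed tags are whitelisted.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "blockquote": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "height", "width"},       # height/width stay, style goes
    "object": {"data", "type", "width", "height"},  # assumed video-embed tags
    "param": {"name", "value"}, "embed": {"src", "type", "width", "height"},
}
DROP_WITH_BODY, VOID = {"script", "style"}, {"br", "img", "param", "embed"}
URL_ATTRS, SAFE_SCHEMES = {"href", "src", "data"}, ("http://", "https://")

class EntrySanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.dropped, self.skipping = [], [], [], False
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_BODY:           # tag and body go; the parser hands the body over as raw text
            self.skipping = True
        if self.skipping or tag not in ALLOWED:   # banned or unknown tag: drop it, keep its text
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            bad_url = name in URL_ATTRS and not (value or "").lower().startswith(SAFE_SCHEMES)
            if name not in ALLOWED[tag] or value is None or bad_url:
                self.dropped.append(f"{tag}@{name}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            self.skipping = False
        elif not self.skipping and self.open and self.open[-1] == tag:
            self.out.append(f"</{self.open.pop()}>")   # stray close tags are dropped
    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))
def sanitize_entry(html):
    """Return (clean_html, list_of_dropped_tags_and_attributes) for one entry body."""
    p = EntrySanitizer()
    p.feed(html)
    p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.open))  # close anything left open
    return "".join(p.out), p.dropped
SAMPLE_ENTRY = ('<p style="color:red">Hi <script>location="http://spam.example/"</script>'  # constructed
                '<img src="http://img.example/a.png" style="width:50px" width="50"></p>')
```

Logging what sanitize_entry drops per account is the cheap way to notice the embed-tag abuse the post says would force a rethink.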
Al rocks the house as usual. I am going to nickname you The Fixer. Say, would you mind heading down to DC and setting the asshats in Congress straight on the health care reform bill? Thanks in advance.
June 19, 2009 10:00 AM
Thank you so much for making yourself, and therefore TPM available.
It is much appreciated.
June 19, 2009 10:18 AM
O wise shepherd of html, we are always grateful. Thanks again.
June 19, 2009 11:07 AM
Canned spam?
*sigh*
I love it when you're punny.
June 19, 2009 11:14 AM
Al, you might be able to work with the Simple Machines Mod: Aeva (YouTube/video/audio auto-embedder). It works well in the Simple Machines forum, needing nothing more than a URL drop, no code to embed.
BTW, I'll miss the style-tag stripping, here and there, if it includes inline-style, (might want to rethink if it does; it's really functional for on-the-fly image resizing), but I'll survive without it.
June 19, 2009 11:41 AM
Thanks for the link, Pseudo. I'll check it out. Unfortunately we are blocking the style attribute, but you can still resize your images with the height and width attributes.
June 19, 2009 1:23 PM
Thanks, Al.
June 19, 2009 12:10 PM
Good job Al . .
Although I have had no problemos here at the Cafe with *cross-site scripting* what with my Firefox browser and "NoScript" application.
~OGD~
June 19, 2009 2:32 PM
Hi Al,
Thanks for protecting the site and keeping us informed.
I really appreciate the freedom we have here at TPM. If you can find a 'whackjob' blocker for the 'birthers' and other random 'freemen/alien takeover' type users... I wouldn't complain.
June 19, 2009 3:20 PM
word
June 19, 2009 7:48 PM
Two OT things, Al. I just downloaded IE8 and found that there are some sites that are not compatible with it - don't know why. Apparently TPM is one of those sites. IE8 has "compatibility view" feature that seems to correct problems, but thought you might like to know anyway.
Second. Have you ever thought about having links open in a separate window? It would make navigating the site much easier, I believe.
Thanks for staying on top of things.
June 19, 2009 4:16 PM
Hmm, I tested with IE8, and it looks fine. Can you send me a screenshot at al@ so I can see what you're seeing?
June 19, 2009 6:19 PM
I use Vista 64 and IE8 and don't have any problems.
June 19, 2009 8:15 PM
Have you ever thought about having links open in a separate window?
FDRdog, Have you tried right clicking on a link? That should open the context menu, where there should then be a choice to open that link in a new tab or a new window. (Although I assume you meant new tab, rather than new window.)
I'm on Vista 32 and just tried IE 8 and it's fine.
June 19, 2009 11:13 PM
Thanks for the right click tip, Seashell. I did not know you could do that.
I'm on Vista 32, too. Whatever the problem is, it clears up if I make sure compatibility view is on.
June 20, 2009 3:20 PM
I emailed a screen shot. I don't have the same problem with compatibility view, though.
June 20, 2009 3:15 PM
Al,
I've written in to help@talkingpointsmemo dot com three times now with no response. I'm hoping that this succeeds in getting someone's attention.
I'm trying to start blogging but the myTPM interface will not allow me to do so. I cannot follow another blogger, either. I'll click "Blog Now" and no text entry window appears, just an empty listing of blog entries.
I've tried using both IE and Firefox. Can you help?
August 4, 2009 6:12 PM