icon deficit

[image: lolcatblogging.png]

I want the right to post cat macros in my own damn comments. You pop an ‘img’ quicktag above the comment editor and then continue to strip my images? One, this alone is moronic. Two, I am the admin, and I can post as many images as I like, yet you don’t trust me enough to let me post them in my own comments? This is lame and makes no sense.

(I still sort of think it would be the funniest thing ever if even a tiny portion of the livejournal fandom refugees wound up here, posting porn and bitching about the ToS. Though of course we only get one icon, so this will never happen.)

7 Comments »

  1. sunburntkamel said

    ew. please no.

    bad usability, yes. the img button shouldn’t appear on the edit comment page. mildly frustrating as admin i suppose. but random users posting pictures in comments? myspace indeed.

  2. Alan said

    sbk: How very elitist of you. aha At least on WP you can edit pictures out.

  3. sunburntkamel said

    fair enough, i am.
    i believe you mean _in_ wp. as in, the hosted version. _on_ wp.com, posting images would be an XSS attack vector, and security would require filtering the file extension off the end of the link and making sure it’s .jpg, .gif, or .png. (which is not foolproof).
    for hosted wp, i’d venture it should only be enabled for users with unfiltered_html capabilities. moreover, this is probably the sort of thing that a plugin should handle (like threaded comments, openID, and other livejournal features).

  4. Andrea said

    But what they’ve done with the .com and MU code is strip out the img tag altogether (among a whole pile of other things).

    Check it out:
    http://trac.mu.wordpress.org/browser/trunk/wp-includes/kses.php

    line 21 declares tags allowed in posts, while line 186 declares tags allowed elsewhere (such as comments). No checking or filtering of file extensions to see if scripts are attached, just a blanket. Or a sledgehammer, depending on your viewpoint.
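An added example (not code from the page, from kses.php, or from WordPress) in Python of the approach comments 3 and 4 describe: one tag allowlist for posts, a smaller one for comments, and an img src check. The allowlists here are constructed stand-ins for the real kses tables, and the stricter URL check (scheme plus path-only extension) is an alternative to the end-of-link extension test that comment 3 calls not foolproof.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlists in the spirit of the two kses.php tables Andrea points at:
# posts may carry <img>, comments may not. Not the real WordPress tables.
ALLOWED_POST = {"a": {"href", "title"}, "img": {"src", "alt"}, "pre": set(), "em": set()}
ALLOWED_COMMENT = {"a": {"href", "title"}, "em": set()}
IMAGE_EXTENSIONS = (".jpg", ".gif", ".png")

def naive_extension_check(url):
    """The check sketched in comment 3: does the whole link end in .jpg/.gif/.png?"""
    return url.lower().endswith(IMAGE_EXTENSIONS)

def safe_image_src(url):
    """Stricter: http(s) only, and the extension is judged on the path, not on a query or fragment."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and parts.path.lower().endswith(IMAGE_EXTENSIONS)

class Kses(HTMLParser):
    def __init__(self, allowed):
        super().__init__()  # convert_charrefs=True: text arrives unescaped, so re-escape on output
        self.allowed, self.out = allowed, []
    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return  # the tag vanishes but its inner text survives, as kses does
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in self.allowed[tag]:
                continue  # id, name, onclick and friends are simply never on the list
            if tag == "img" and name == "src" and not safe_image_src(value):
                continue  # keep the tag, drop an src that fails the URL check
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... /> is emitted as a plain start tag
    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def kses(fragment, allowed):
    """Filter an HTML fragment against one allowlist and return the cleaned markup."""
    parser = Kses(allowed)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```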

  5. So basically, they’re too lazy to check whether I’m logged in or not. And too lazy to get the comment editor to reflect the reality of what I’m actually allowed to post.

    If images are that much of a security risk, then why are bloggers allowed to post them? I mean, anyone can sign up for a blog here; couple of minutes, disposable email, done. There’s no reason why users should be considered more deserving of privileges than any other random passerby.

  6. options said

    >So basically, they’re too lazy to check whether I’m logged in or not.

    that’s it.

    heck, even a `pre` element got stripped, that almost drove me demented when I was trying to post some code snippets in the comment of mine. same for ID and NAME attributes — simply a huge vuln vector!

    as for XSS, why do you think an ancient (as compared with a state-of-the-art semantic platform) Blogger publishes on the blogspot.com?

  7. Andrea said

    A couple days after you wrote this, Donncha added hooks to that file so WPMU admins could choose what to allow.
