Subtle changes, bugs and feedback

  • IF IN DOUBT, USE MARKDOWN: https://www.markdownguide.org/cheat-sheet/

    You have three types of formatting available:

    1. A subset of BBCode
    2. Markdown
    3. A subset of HTML

    Those are applied in that order to produce HTML (we convert the BBCode to Markdown, then convert the Markdown to HTML), and the final output is then sanitised to remove HTML that can be used maliciously (i.e. to obtain someone else's cookies or session).

    The BBCode we support:

    1. b
    2. u
    3. i
    4. s
    5. color
    6. list
    7. *
    8. img
    9. attach
    10. url
    11. email
    12. cite

    The final accepted list of HTML is captured within the user generated content policy, where anything not matching the following HTML is removed from the post:

    Attributes:

    # global attributes
    dir on everything
    lang on everything
    id on everything
    title on everything
    # sectioning and grouping
    open on details
    cite on blockquote
    # links
    href on a
    name on map
    alt on area
    href on area
    # forms
    cite on q
    datetime on time
    value on meter
    min on meter
    max on meter
    low on meter
    high on meter
    optimum on meter
    value on progress
    max on progress
    # lists
    type on ol
    type on ul
    type on li
    value on li
    # tables
    height on table
    width on table
    summary on table
    align on col
    align on colgroup
    height on col
    height on colgroup
    width on col
    width on colgroup
    span on col
    span on colgroup
    valign on col
    valign on colgroup
    align on thead
    align on tr
    valign on thead
    valign on tr
    abbr on td
    abbr on th
    align on td
    align on th
    colspan on td
    colspan on th
    rowspan on td
    rowspan on th
    headers on td
    headers on th
    height on td
    height on th
    scope on td
    scope on th
    valign on td
    valign on th
    nowrap on td
    nowrap on th
    align on tbody
    align on tfoot
    valign on tbody
    valign on tfoot
    # images
    coords on area
    rel on area
    shape on area
    usemap on img
    align on img
    alt on img
    height on img
    width on img
    src on img

    URLs:

    # these are the values of links, i.e. standard web links
    mailto:
    http://
    http://

    Elements:

    # sectioning
    article
    aside
    details
    figure
    section
    summary
    # headers
    h1
    h2
    h3
    h4
    h5
    h6
    hgroup
    # content grouping and separating
    blockquote
    br
    div
    hr
    p
    span
    wbr
    # links
    a
    map
    area
    img
    # phrase
    abbr
    acronym
    cite
    code
    dfn
    em
    figcaption
    mark
    s
    samp
    strong
    sub
    sup
    var
    q
    time
    # styles
    b
    i
    pre
    small
    strike
    tt
    u
    # language
    bdi
    bdo
    rp
    rt
    ruby
    # change tracking
    del
    ins
    # lists
    ol
    ul
    li
    dl
    dt
    dd
    # forms
    meter
    # tables
    table
    thead
    tr
    th
    tbody
    td
    tfoot
    caption

    Additionally we add nofollow as a rel on all fully qualified links, and we will also add _blank as a target on fully qualified links. HTML entities are also escaped; the output is pure HTML and nothing ambiguous will remain.

    Finally, any comment entirely made of capital letters (according to a lack of any unicode.IsLower() rune being present) will be run (in its totality) through unicode.ToLower()... which means anyone SHOUTING will have their post converted to shouting.

    Essentially... you almost do not need to worry about it, we support multiple types of formatting and way more than you imagine, and it's very comprehensive so even if you're cutting and pasting in rich content from elsewhere it mostly works.

    Notable omissions, though: we do not support anything not explicitly mentioned above, but specifically we have not mentioned:

    1. link
    2. script
    3. style
    4. object
    5. embed

    But we will recognise links to some places (like YouTube) and convert those into embeds for you. We cannot take their HTML as input as it would mean disabling security features, but we can produce their HTML from a link.
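The href allowlist, the nofollow/_blank rule for fully qualified links and the all-caps rule above, written out as an added Go example. This is not Microcosm's own code; the function names and the exact attribute output are assumptions, and it treats a scheme-less value (such as the bare youtu.be link discussed later in the thread) as a relative link, which is why such links get neither nofollow nor _blank.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
	"unicode"
)

// Schemes the post's allowlist accepts; javascript:, data: etc. are rejected.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// HrefAllowed reports whether an href survives sanitising: no scheme means a relative
// link (kept), otherwise the scheme must be allowlisted. url.Parse rejects control
// characters, so a "java\tscript:" style value fails here too.
func HrefAllowed(href string) bool {
	u, err := url.Parse(strings.TrimSpace(href))
	if err != nil {
		return false
	}
	return u.Scheme == "" || allowedSchemes[strings.ToLower(u.Scheme)]
}

// LinkAttrs builds the <a> attributes: fully qualified links gain rel="nofollow"
// and target="_blank", relative links do not. ok is false if the href was rejected.
func LinkAttrs(href string) (attrs string, ok bool) {
	if !HrefAllowed(href) {
		return "", false
	}
	u, _ := url.Parse(strings.TrimSpace(href)) // parsed successfully above
	attrs = fmt.Sprintf(`href="%s"`, html.EscapeString(href))
	if u.IsAbs() {
		attrs += ` rel="nofollow" target="_blank"`
	}
	return attrs, true
}

// DeShout applies the all-caps rule from the post: if no rune satisfies
// unicode.IsLower, the whole text is folded with unicode.ToLower.
func DeShout(post string) string {
	for _, r := range post {
		if unicode.IsLower(r) {
			return post
		}
	}
	return strings.Map(unicode.ToLower, post)
}

func main() {
	fmt.Println(LinkAttrs("youtu.be/watch?v=7oS7qfQ5Z9k")) // relative: no nofollow
}
```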

  • So I went and tested... and yup, even things like HTML meter work:

    at 20/100

    at 50/100

    at 80/100

    Cannot imagine anyone using it... but the gist is, if it's not malicious then it was enabled.

  • Hyperlinking to a YouTube video while removing 'https://' (in order to prevent the embedding of the video) results in some funny business:

    Clicking here...

    leads to:

    https://www.lfgss.com/conversations/127109/

    Code:

    [Clicking here](youtu.be/watch?v=7oS7qfQ5Z9k&t=18s)

    Hovering over the 'Clicking here...' link above shows this link:

  • that is weird

    traced it back to Django and Python... it doesn't seem to understand not to read beyond the 131364, and somehow Python manages to extract 127109 from the resulting stringification mess, and then that just happens to actually exist as a thread, and so the redirection works.

    beats me... undocumented behaviour is still not a security risk as all permissions and existence checking is applied, so I'll happily ignore it.

    relative links though... those aren't going to work

  • Interesting. Anyway, I’m able to circumvent this behavior by replacing ‘youtu.be’ with ‘https://m.youtube.com’.

    It won’t embed the video, and the link works.

    Code:

    [the link works](https://m.youtube.com/watch?v=7oS7qfQ5Z9k&t=18s)

  • Why do you not want to embed?

  • Because when you hyperlink
    it, it embeds the video right after the link, messing up the formatting:


    1 Attachment

    • IMG_4434.jpeg

  • Rephrase 🤷 you already know the link will embed.

  • But I don’t want to. ;)

  • Post it, copy the generated short link, edit it.

    The generated short link for the above is https://microcosm.app/out/T5jSi

  • That also works! Nice.

    I’m able to circumvent this behavior by replacing ‘youtu.be’ with ‘https://m.youtube.com’.

  • Well that's a bug, so I'll fix that.

  • 😭

  • when you hover over a blue external link on a post, the bottom left of my screen shows the link that you are attempting to link to. it always shows https://microcosm......... etc
    is there any way you could actually show the website it is linking to so people can avoid going onto websites like the daily mail / the sun, or other websites that they wish to avoid. it is sometimes difficult to tell what website you are visiting before you click the link.

  • yeah, I should change that.

    it has been very useful at blocking malicious websites, cryptojackers, and spam... but it's not like I use it a lot (as not a lot is reported).

    the original intent was to redirect via a point I control so that it was possible for me to moderate where things went to.

    a side benefit is that I'd have visibility over things like links through to affiliates and could hold those third parties to account.

    I've never used the analytics aspect of the redirect, but had used the blocking aspect... but arguably it's no longer needed.

    however to fix it now requires major surgery, and I'm kinda waiting for me to rewrite the frontend... but I've not made much progress as my day job consumes my time and effort.

    it's on the list of features to remove, it's a failed experiment in safety + accountability, it does work, but probably isn't worth the inconvenience created.

  • thanks for the explanation. for us non i.t. types we just think it's a simple thing but have no idea about all the things that go on behind the scenes.

    it's especially confusing when someone creates a link but then types a description of what the link is instead of showing the https .... for example " cheap gumwall tyres " so you have no idea if it's a mark all read type scenario, daily heils website or an actual link to cheap gumwall tyres.

    if it goes through you and you moderate that must help stop people linking malicious websites or websites with known viruses on via databases of dodgy websites and ones to avoid. but it's rare i click on a website that i don't know or has some weird web address just in case of scams viruses

  • Not sure if correct place to ask, but is there a reason the top threads I see in General aren’t in order of newest replies?


    1 Attachment

    • IMG_8258.jpeg

  • Yes... more easily seen on tablet or desktop view.

    4 of those are pinned to the top (and sorted by last reply).

    3 of those are themselves forums (and sorted by magic - i.e. some trade-off on number of comments, items, recency).

    and then everything else is sorted by last reply time.


    1 Attachment

    • Screenshot 2024-02-26 113713.png

  • Ahhhh got it. Thanks

  • Has the DNS been hijacked? I'm seeing this:


    1 Attachment

    • 1000029618.png

  • the old microco.sm domain expired, and it appears somewhere in there it affected the Cloudflare CNAME flattening when it got nuked.

    I've removed microco.sm from my Cloudflare account, which prevents the CNAME flattening... and that resolved it.

  • I was very fucking worried briefly.

  • This.

    I even joined the fb group to see the end times had arrived.

  • Worst morning of my life

Posted by Velocio (@Velocio)