Subtle changes, bugs and feedback

  • IF IN DOUBT, USE MARKDOWN: https://www.markdownguide.org/cheat-sheet/

    You have three types of formatting available:

    1. A subset of BBCode
    2. Markdown
    3. A subset of HTML

    Those are applied in that order to produce HTML (we convert the BBCode to Markdown, then convert the Markdown to HTML), and the final output is then sanitised to remove HTML that can be used maliciously (i.e. to obtain someone else's cookies or session).

    The BBCode we support:

        b
        u
        i
        s
        color
        list
        *
        img
        attach
        url
        email
        cite
    

    The final accepted list of HTML is captured within the user generated content policy, where anything not matching the following HTML is removed from the post:

    Attributes:
        # global attributes
        dir on everything
        lang on everything
        id on everything
        title on everything
    
        # sectioning and grouping
        open on details
        cite on blockquote
    
        # links
        href on a
        name on map
        alt on area
        href on area
    
        # forms
        cite on q
        datetime on time
        value on meter
        min on meter
        max on meter
        low on meter
        high on meter
        optimum on meter
        value on progress
        max on progress
    
        # lists
        type on ol
        type on ul
        type on li
        value on li
    
        # tables
        height on table
        width on table
        summary on table
        align on col
        align on colgroup
        height on col
        height on colgroup
        width on col
        width on colgroup
        span on col
        span on colgroup
        valign on col
        valign on colgroup
        align on thead
        align on tr
        valign on thead
        valign on tr
        abbr on td
        abbr on th
        align on td
        align on th
        colspan on td
        colspan on th
        rowspan on td
        rowspan on th
        headers on td
        headers on th
        height on td
        height on th
        scope on td
        scope on th
        valign on td
        valign on th
        nowrap on td
        nowrap on th
        align on tbody
        align on tfoot
        valign on tbody
        valign on tfoot
    
        # images
        coords on area
        rel on area
        shape on area
        usemap on img
        align on img
        alt on img
        height on img
        width on img
        src on img
    
    URLs
        # these are the values of links, i.e. standard web links
        mailto:
        http://
        https://
    
    Elements
        # sectioning
        article
        aside
        details
        figure
        section
        summary
    
        # headers
        h1
        h2
        h3
        h4
        h5
        h6
        hgroup
    
        # content grouping and separating
        blockquote
        br
        div
        hr
        p 
        span
        wbr
    
        # links
        a
        map
        area
        img
    
        # phrase
        abbr
        acronym
        cite
        code
        dfn
        em
        figcaption
        mark
        s
        samp
        strong
        sub
        sup
        var
        q
        time
    
        # styles
        b
        i
        pre
        small
        strike
        tt
        u
    
        # language
        bdi
        bdo
        rp
        rt
        ruby
    
        # change tracking
        del
        ins
    
        # lists
        ol
        ul
        li
        dl
        dt
        dd
    
        # forms
        meter
    
        # tables
        table
        thead
        tr
        th
        tbody
        td
        tfoot
        caption
    

    Additionally we add nofollow as a rel on all fully qualified links, and we will also add _blank as a target on fully qualified links. HTML entities are also escaped, the output is pure HTML and nothing ambiguous will remain.

    Finally, any comment entirely made of capital letters (according to a lack of unicode.IsLower() rune being present) will be run (in its totality) through unicode.ToLower()... which means anyone SHOUTING will have their post converted to shouting.

    Essentially... you almost do not need to worry about it, we support multiple types of formatting and way more than you imagine, and it's very comprehensive so even if you're cutting and pasting in rich content from elsewhere it mostly works.

    Notable omissions though, we do not support anything not explicitly mentioned above, but specifically we have not mentioned:

        link
        script
        style
        object
        embed
    

    But we will recognise links to some places (like YouTube) and convert those into embeds for you. We cannot take their HTML as input as it would mean disabling security features, but we can produce their HTML from a link.
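An added Python sketch of the allowlist pipeline described in the post above (not the site's own code, which is Go): unknown elements and attributes are dropped, link values must carry an accepted scheme, fully qualified links get rel=nofollow and target=_blank, text is re-escaped, and an all-caps post is lowercased. The allowlist here is a constructed subset of the full policy listed above.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed subset of the thread's allowlist; the real policy above is much longer.
GLOBAL_ATTRS = {"dir", "lang", "id", "title"}
TAG_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"},
             "blockquote": {"cite"}, "meter": {"value", "min", "max"}}
TAGS = {"p", "b", "i", "em", "strong", "br", "code", "pre", "ul", "ol", "li"} | set(TAG_ATTRS)
SCHEMES = {"http", "https", "mailto"}  # the thread's accepted link values
VOID = {"br", "img"}


class Sanitiser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded; we re-escape on output
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in TAGS:
            return  # tag removed; its inner text still reaches handle_data
        kept = {}
        for name, value in attrs:
            value = value or ""
            if name not in GLOBAL_ATTRS | TAG_ATTRS.get(tag, set()):
                continue  # e.g. onclick, style, onerror
            if name in ("href", "src", "cite") and urlsplit(value.strip()).scheme not in SCHEMES:
                continue  # javascript:, data: and scheme-less (relative) links are dropped
            kept[name] = value
        if tag == "a" and "href" in kept:  # fully qualified link gets nofollow + _blank
            kept["rel"], kept["target"] = "nofollow", "_blank"
        attr_text = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in TAGS and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitise(fragment: str) -> str:
    """Apply the shouting rule, then return the allowlisted, fully escaped HTML."""
    if not any(c.islower() for c in fragment):  # mirrors the unicode.IsLower() check
        fragment = fragment.lower()
    p = Sanitiser()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```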

  • So I went and tested... and yup, even things like HTML meter works:

    at 20/100

    at 50/100

    at 80/100

    Cannot imagine anyone using it... but the gist is, if it's not malicious then it was enabled.

  • Hyperlinking to a YouTube video while removing 'https://' (in order to prevent the embedding of the video) results in some funny business:

    Clicking here...

    leads to:

    https://www.lfgss.com/conversations/127109/

    Code:

    [Clicking here](youtu.be/watch?v=7oS7qfQ5Z9k&t=18s)
    

    Hovering over the 'Clicking here...' link above shows this link:

  • that is weird

    traced it back to Django and Python... it doesn't seem to understand not to read beyond the 131364, and somehow Python manages to extract 127109 from the resulting stringification mess, and then that just happens to actually exist as a thread, and so the redirection works.

    beats me... undocumented behaviour is still not a security risk as all permissions and existence checking is applied, so I'll happily ignore it.

    relative links though... those aren't going to work

  • Interesting. Anyway, I’m able to circumvent this behavior by replacing ‘youtu.be’ with ‘https://m.youtube.com’.

    It won’t embed the video, and the link works.

    Code:

    [the link works](https://m.youtube.com/watch?v=7oS7qfQ5Z9k&t=18s)
    
  • Why do you not want to embed?

  • Because when you hyperlink
    it, it embeds the video right after the link, messing up the formatting:


    1 Attachment

    • IMG_4434.jpeg
  • Rephrase 🤷 you already know the link will embed.

  • But I don’t want to. ;)

  • Post it, copy the generated short link, edit it.

    The generated short link for the above is https://microcosm.app/out/T5jSi

  • That also works! Nice.

    I’m able to circumvent this behavior by replacing ‘youtu.be’ with ‘https://m.youtube.com’.

  • Well that's a bug, so I'll fix that.

  • when you hover over a blue external link on a post, the bottom left of my screen shows the link that you are attempting to link to. it always shows https://microcosm......... etc
    is there any way you could actually show the website it is linking to so people can avoid going onto websites like the daily mail / the sun, or other websites that they wish to avoid. it is sometimes difficult to tell what website you are visiting before you click the link.

  • yeah, I should change that.

    it has been very useful at blocking malicious websites, cryptojackers, and spam... but it's not like I use it a lot (as not a lot is reported).

    the original intent was to redirect via a point I control so that it was possible for me to moderate where things went to.

    a side benefit is that I'd have visibility over things like links through to affiliates and could hold those third parties to account.

    I've never used the analytics aspect of the redirect, but had used the blocking aspect... but arguably it's no longer needed.

    however to fix it now requires major surgery, and I'm kinda waiting for me to rewrite the frontend... but I've not made much progress as my day job consumes my time and effort.

    it's on the list of features to remove, it's a failed experiment in safety + accountability, it does work, but probably isn't worth the inconvenience created.

  • thanks for the explanation. for us non i.t. types we just think it's a simple thing but have no idea about all the things that go on behind the scenes.

    it's especially confusing when someone creates a link but then types a description of what the link is instead of showing the https .... for example " cheap gumwall tyres " so you have no idea if it's a mark all read type scenario, daily heils website or an actual link to cheap gumwall tyres.

    if it goes through you and you moderate that must help stop people linking malicious websites or websites with known viruses on via databases of dodgy websites and ones to avoid. but it's rare i click on a website that i don't know or has some weird web address just in case of scams viruses

  • Not sure if correct place to ask, but is there a reason the top threads I see in General aren’t in order of newest replies?


    1 Attachment

    • IMG_8258.jpeg
  • Yes... more easily seen on tablet or desktop view.

    4 of those are pinned to the top (and sorted by last reply).

    3 of those are themselves forums (and sorted by magic - i.e. some trade-off on number of comments, items, recency).

    and then everything else is sorted by last reply time.


    1 Attachment

    • Screenshot 2024-02-26 113713.png
  • Ahhhh got it. Thanks

  • Has the DNS been hijacked? I'm seeing this:


    1 Attachment

    • 1000029618.png
  • the old microco.sm domain expired, and it appears somewhere in there it affected the Cloudflare CNAME flattening when it got nuked.

    I've removed microco.sm from my Cloudflare account, which prevents the CNAME flattening... and that resolved it.

  • I was very fucking worried briefly.

  • This.

    I even joined the fb group to see the end times had arrived.

  • Worst morning of my life

Posted by Velocio (@Velocio)