LMFAO WTF?

Someone commented on 11.7% OF THE TIME, IT WORKS EVERY TIME. with the code to change the decks background.

Did someone find a way to make their profile picture massive or something?

I have an accusation to make: phantomspy. He recently commented on the deck 11.7% OF THE TIME, IT WORKS EVERY TIME., and that deck also has the troll face, unlike other deck on the site. Also, if you click on his recent comments, the troll face will appear on his profile.

(Sorry if it's not you, and hope I didn't offend anyone-I'm a bad detective)

If people keep breaking the front page with this code, the powers that be will remove the ability to use the code from everyone.

Which will make a lot of people very, very angry.

I came here to escape the stupidity... It followed me. Goddammit!

Can confirm it is indeed that user.

Just prevent html from being used anywhere other than the profile description. That'll solve most of the issues entirely as we already have the buttons.

For once, I might have to agree with a policy change. That's a great idea, Femme.

You know its good when I agree with it :P

Let's punish everyone for someone's vandalism, that'll show 'em.

I can see a case for disabling it in comments since they stream to the front page, but it's not like people don't use the img tag for a lot of legitimate reasons in comments. Decks are scarcely less personal than user pages and lack any means to effect pages outside themselves, so I see no reason to stop HTML from working in deck descriptions.

The image tag itself is unncessary for comments, because we have markdown syntax setup on the site.

People frequent deck pages more than they frequent a person's profile. So it gets to be annoying when you want to look through decks and so many of them just chug down your phone or pc.

While I do realize that for deck, cube, articles and deck update descriptions there shouldn't be a heavy implementation, just one on scripts. We do input other coding like scroll boxes, spoilers (I don't really like the current spoiler/accordions, just a personal taste), indents, font size and inbedded deck lists. Removing the ability for users to use redirect scripts and the background tag should solve the loading and site aesthetic problems that occur when users fiddle with code.

I mean, sure we have the option to remove all visible extra coding in our settings, but I don't think that is heavily used by a majority of our user base. That and as this site becomes more popular and gradually starts to house a larger user base, we are going to see these issue occur more and more often and will have to implement more heavy handed solutions in the future. We can't really expect that the surplus of new users will keep the same "for the site" mentality as the older generation of users.

can it be an upgraded user thing? i mean the whole username customization is an upgraded user thing so why not make profile customization the same? upgraded users are usually more responsible anyways

That too. We do have the coding forum to be upgraded user only after all.

Markdown Syntax does not substitute html, it provides shorthand for it for usability purposes. Your image above is still an img tag, the website is processing a string no different from just keying in an img src. To stop tags working but keep markdown syntax working might be quite a trick, but hey if it's just a checkbox somewhere go for it, I haven't run enough forums to know how difficult it is to selectively process HTML.

Though it may be worth mentioning that Markdown is completely borked if you're nested inside any tag.

If a deck is bothersome to look at then don't look at it. That's sort of on the user to make an attractive deck page if they're going to edit it at all, hell that you can Upvote decks but not users gives you more incentive to make them attractive than the user page. That a user page can be a seizure inducing neon nightmare doesn't strike me as any worse than a deck, but then I can't speak to how others use the site.

Upgraded User only has its merits, since if someone's in for five bucks they have at least something to discourage them from tempting an account ban. But I'm not a fan of haves and have nots, I'd rather just punish those that abuse the privilege.

Problem is is that that doesn't solve the issue (wow, never thought I'd end up putting double words in twice). Even if you punish people for abusing it, others will still do it. We want to stop it so we don't have to punish people, spend the time to punish them, and have the site borked for other users. These little things do tarnish the site's reputation and credibility, even if it is by a small amount.

As it is now, yes people can use code in such a way that it affects pages outside the one they're editing. That is in comments, not deck pages, and I can see the merit in limiting html in comments since you can leave those on other users' pages and those comments stream to the front page.

Users may make a mess of their own pages, they may also make them look much nicer. You don't rob the artist of charcoal because someone ate it and couldn't stop vomiting, denying everyone else the option is as much punishment as what you seek to avoid by not allowing it at all. Not everyone likes the same look, there are a great many user pages I'm sure the user worked very hard on and thinks very highly of that I find to be complete eyesores, and a few decks I know for a fact people hate the look of that I have no problem with. It's their pages, their decks, it makes 'em happy, I wouldn't deny any of them.

There's a reason I get annoyed when people start saying "Oh yeah, here you go. Here's exactly how you override various site features using code we can't verify! Sure, I'll give this information to somebody who seems like they have no idea how HTML works!"

This isn't MySpace. I've never been ok with the idea that people are overwriting or breaking parts of the site just so they can put some tastelessly obnoxious backgrounds up. If we implement it as a feature for upgraded users, then fine. But I feel like this has just been allowed to go on because certain high-profile users endorsed the idea and nobody else has the discretion to tell them it might not be so grand.

Now, this would be a lot of work (I think? No idea about the coding stuff) but if we implemented a feature for profile customization LIKE the username customization and got rid of the open sandbox it is now that would essentially solve it. Just have a place in your settings to upload a background image, change the font on your page, etc. This would also make it accessible to code-illiterate users who want to customize (I don't want to, but if I did it would be a pain). By implementing our own system it would stop people from abusing the current freedoms while not getting rid of them either. If it works in the profiles, then we could even consider adding it to deck/cube/etc. pages as well. Basically ensures the formatting doesn't go crazy because we set it up, and the user just inputs the actual images or whatever.

Dunno if that's feasible or just too much work for the boss right now, but it seems like an option to consider anyway.

I, for one, am tired of people breaking the website (intentionally or otherwise).

Maybe just ban all HTML code in comments? You could still pics and links thanks to the TO-specific code and it would prevent the home page from being messed up every two seconds.

To solve this issue once and for all though, wouldn't it just be simpler to take a vote? It feels (to me, at least) that everyone agrees that coding in comments is not such a great idea, and the only disagreements are regarding deck pages coding and profile coding. There could be a featured post with a vote with four answers, no code, profile only, deck only, and both. That way, at least, there wouldn't be any arguments about what we have to change (knowing of course that the final decision would come down to yeago).

Yes, I feel like lack of HTML coding would make the site loose something as even the names (as far as I know) are also HTML with hex color codes for the name flairs.

So I would like a vote, just like Watermelon said to try (in my opinion) to restrict code to just in profiles and decks pages. Though loosing imbedded images are an inconvenience, at least we can still link to them, though the (image) links themselves may cause an issue to what they are linking.

But I assume YeaGo solved the link issue when that was added in the first place. In short, I'm down for a featured vote as to how to deal with the HTML epidemic.

In all honesty, I'm not interested in a vote. Voting is fine if there are things that don't pose an overt threat or problem for the site. I don't believe this is one of those cases.

The fact that users are basically allowed to implement whatever regardless of their qualifications to use HTML, and that we allow that as a matter of de facto policy, is staggering to me.

Again, this is not MySpace. It's a deck building site. I'm all for user expression, but not at the expense of site security and function. We ought to implement some kind of actual feature to handle things like username customization and maybe profile backgrounds.

I'm the one who gets to find and fix 95% of these issues. And they're not nearly rare enough for me to dismiss. I had to beg to get the option to disable scripts, I'm still asking for the font-size attribute to be disabled, and it took an actual attack to get any code disabled in the comments.

yeaGO has a different philosophy than I do, and it's ultimately his call, but it's frankly a perpetual pain in my ass to babysit people who don't have the common sense and discretion to not break things or to not implement code they have no idea how to use. I've been patient with if this far, I think, but I'm getting very tired of it all.

Don't leave us Epoch! Who will keep me in line?!

I'm not threatening to leave. I just think it's time for a paradigm shift regarding what users are and aren't allowed to do. The lassiez-faire approach is fine to some extent, but users simply should not have the ability to alter the site to the degree that they currently can. It's obnoxious at best and disruptive all too often. And it represents a security threat, to be honest.

its an ordinary bug that needs to be fixed

The fact that specific code is permitted in comments may be a bug now that we've decided it's something that users shouldn't be able to do. The fact that we, for whatever reason, permit it on user pages and decks is, with all due respect, a matter of policy that needs to be reevaluated.

I'm with epoch on this one. Safety and security need to be first.

That, and some people can't pick a decent background to save their lives.

I'm all for stopping people from messing up the background of the site, but as far as restricting the img tag, I think that's not a great idea.

I know that I'm a corner case, but I always post images using the real html (not markdown) syntax, oftentimes because scans of my alters come out way too large to post politely in a comment. So, I specify the width/height of the image using the html tag to make the images more convenient for both the user I'm posting to and anyone who views that user's page.

Thus, the site's markdown for images doesn't quite suit my needs.

If someone asks how something is done I'd rather teach them how it's done than leave them to skimming over other people's page sources and HTML tutorials that don't cover exactly what they want so they won't bother reading it all. The information is out there, that HTML exists and that it works here at T/O is hardly a secret, and it's so ubiquitous here it's hardly fair to assume someone's intent is malicious when just asking how something's done. And it's not like this attack came from ignorance. It wasn't an open tag breaking a page, it was HTML doing exactly what it was designed to do. That it was allowed to do that has been labeled a bug, but the HTML itself was sound.

Until I see someone like yeaGO who knows how Markdown syntax works I'm going to assume that it is not a simple matter to simply disable HTML and keep Markdown enabled. Markdown injects HTML into your post when you submit it, it doesn't replace it. When your browser renders your post it's rendering HTML, not Markdown, the trick would be to render all text as plain text except for tags added by Markdown. I guess you could do it by replacing all <> characters with their &# equivalents, then processing Markdown and submitting, but that's armchair sysadmining.

As vehemently as I'm arguing for free, responsible use of this code, I do not think it should be a vote. At least, not one among users. This is a website policy issue, that should remain in the hands of the people that own and maintain the site. A user vote might show you what's popular, but not what's tenable for the mods to maintain.

I can't speak to how hard Epochalyptik has to work to clean up after irresponsible or malicious coders, but if he's overworked I'd rather see more mods hired on than see features taken away.

There's a point at which "hiring" more people to deal with issues instead of actually remediation get those issues is just an extension of poor practice. We're not here to teach people HTML. We're not here so that we can watch 24/7 for broken code. We're here to improve the function and behavior of the community and to act as resources for our users. If the actions of the users are so frequently disruptive, it would indicate to me that we should stop those actions rather than nitpick about when we care and how much we should care. I'd rather see a foolproof theme system with fewer options but that is less intrusive than see so-and-so's neon fantasy background with unreadable bright script fonts and outrageous menu bloom. I'd rather see an approval-based upvote system than a link-based one. The ability to do something doesn't inherently serve as the justification for doing it or even the justification for the ability to do it.

And if we decide that profile customization is fine, then we should think about the extent to which certain changes should be allowed. For example, is it really necessary for someone to change how my inventory menu looks while I'm on their page? Should I have to ask people not to embed auto-play media?

To some extent, this probably seems like so much bitching. And to some extent, it is. But I'd rather formalize these things than have to make umpteen judgment calls about them and then get into these wasteful squabbles over why User X can't have a 50-pt. font for his username.

We don't hire mods FancyTuesday.

But yes, we've also had issues in the past where we have gotten bots to get past the script restrictions we have on non-upgraded users to spam auto-directing advertisement links in deck pages, profiles and comments. As a security issue I completely agree with Epoch on this regard.

What FAMOUSWATERMELON said about the profile code being a upgraded user only feature along the same lines as our username code I think is actually a wonderful idea. Though it would take a long time to figure out what we can and cannot implement as the coding list for it all is pretty massive.

However, I do believe that these codes should be automatically disabled for anyone who has less than 1k resolution width, as that resolution is more likely to be tied with people who have lower quality pc's.

If the purpose is to serve the community and this is a feature enjoyed by the community (demonstratively so by them using it) then the question becomes where exactly the line is, at what point is it more damaging than enriching. I think we've found that line, and it's in user comments, and I would agree, the font-size tag in usernames.

They may change the view of your inventory screen while on their page, they're also changing the view of their inventory screen while on their page and I'd wager they spend a lot more time on it than anyone else. It's that way because it's how they like it. I modified .modal-content because I like a consistent look; the browns clashed with my blues, the letter case in the dropdown menu was a mess and I even fixed the page jump when you open it. I fixed all those issues and now I'm happy with my page.

Hire may not have been the most strictly accurate term, but I know how much work this sort of thing can be and it is practically a job. A thankless job you don't get paid for. As the community grows you need more people to handle it, that's just how it goes.

Wait, I said that? XD

Regardless, I do think that could work, but honestly, being an upgraded user doesn't guarantee anything. Just a couple weeks ago there was that guy using the automatic +1 code on his deck, and he was definitely upgraded.

You say that's where the line is, and I can't help but assume that's because that's where you happen to want the line to be.

How about this analogy? Someone dents your car. But really, they're the victim because your car also dented their car back. You wouldn't advance that argument, would you?

The reality of website management is that you need to be concerned not with the ideal or with the average, but with the lowest common denominator. I flatly do not trust users to implement HTML properly. How many people have broken something because they copied and pasted someone's code and started randomly dicking with it? A lot. How many people post threads in this forum asking for someone else to tell them how to make their code do something? More than a few.

There's a reason why most true forums don't permit users to implement HTML. They allow shortcode because the worst you get with that is some plain text that doesn't make sense. You don't get people changing where links go or what happens when you load a page.

I agree that customization is a nice thing. It adds to the character of the site. But for the umpteenth time, having a foolproof system for customization is vastly more sustainable and less labor-intensive than having a carefree system in which people are free to basically implement test code on your development site.

I would be fine with a user page theme pack, with upgraded users getting the option to upload their own background image and set hex codes for the colors of various page elements. All you have to do then is make sure nobody set the background to a picture of their dick. Which is the same thing you have to do now, except you don't have to worry that someone changed all of the links on their page to redirect to a deck upvote link, or that someone's going to autoplay the John Cena intro at max volume, or that nobody will be able to read the page anymore.

It may not mean anything about one's character, but it does mean that you put $5 into the site as compensation. Decks can be deleted if users are found to be padding their deck ratings, and if you get yourself banned for repeated or egregious offenses the site still has your money. $5 is more than worth the time it takes to undo most of these shenanigans.

Well of course that's where I want it to be. That's my opinion, the only thing to which I'm an authority on. I do not claim to know that it is absolutely true that the line I've drawn is the best solution to the problem the site is facing, I'm proposing what I would do to solve it.

Where I believe we differ is on what exactly that problem is. To me, the problem is that users can use code that modifies pages other than their own. It does not bother me that users can make obnoxious deck or user pages as I am in no way obliged to look at them, and I personally have no problem with a member of staff subjectively deciding "this has to go" if something is too obnoxious.

I'm afraid I don't follow your analogy as it pertains to anything I've said. I was going with more of a "yelling fire in a crowded theater" angle. We have a freedom, but there is a line where that freedom ceases to be practical or becomes detrimental. I agree that there is a problem and it should be addressed, I address it by stripping html tag brackets before evaluating markdown syntax in comments, this remedies the problem as I see it without placing limits on a lot of good work users have done here.

I'm just going to take my CS degree and walk away.

Oh, and a hint at the problem: style sheets.

yes that is the fix we went with, just stripping it from comments. it was actually just a bug because that was how it was meant to be and I believe it was working as of a few weeks ago.

@FancyTuesday: The problem is that your view of the problem doesn't extend to cover the things you happen to like. Nothing I have said indicates that I think the problem is solely with users modifying someone else's page. If your use merely created an ugly page and didn't break divs or potentially redirect users to malicious pages or upvote farms, then I wouldn't have a managerial problem with it.

If your argument against limiting HTML customization of user pages and decks is that the owner spends more time on those pages than visitors and the visitors will just have to suck it up, then I'm not at all sorry to tell you that you're advancing a poor argument. If your use of the site (your car) damages or detracts from my use of the site (my car) in any severe technical manner (operability due to an accident), then your use is not covered under any creative freedom.

I think you've yet to advance any actual counterargument as to why allowing non-technical and occasionally malicious users to implement HTML is preferable to developing a system in which customization is still possible, but is managed and does not have the same breadth and depth as it currently does.

@yeaGO: I believe CB and I have been finding that code in comments here and there maybe every other month or so. If the feature to strip it from comments was implemented at one time, I don't know that it has always worked as intended.

what management or whatever are you proposing?

one thing on the list to do is to somehow validate html in a way that is non-intrusive or not too strict. I'm thinking of just sending it all through a basic cleaning and if people's custom stuff breaks then considering from there to roll back.

to throw my hat into the debate though, i think it always comes down to interface error on the part of the site. i don't think anyone is defending defacements and it seems to me there is special territory when it comes to the concept of the user's personal spaces on the site, aka their user page and their decks.

I agree that there's a special domain when it comes to a user's personal pages, but that domain does not protect him or her in such a way that he or she isn't accountable for his or her actions there.

What I'm proposing is basically some kind of customization option akin to WordPress. We offer maybe two or three flat themes for basic users and a customization interface for upgraders. Both systems work on the same principle: they use an interface to modify defined page elements in specific ways.

So a "background image" field would allow you to upload an image to use as your background (whether or not this would require approval first to filter "unsavory" images is a matter of philosophy). A "text color" field would allow you to input a hex code for all text on the page. A "button color" field would do the same for buttons. Maybe a font family field to apply different typefaces to different elements. So on and so forth.

Basically, you allow a high degree of customization by hiding the actual code from the user and allowing him or her to input specific, simple modifications to various elements without having to manually overwrite the page with code.

And to a larger point, I think the site's markdown is progressing to the point where HTML may soon no longer be necessary. Many of the shortcode options do what much of the HTML used to do. The few things that it doesn't, such as changing text color or font, could be added. And if we moved away from HTML even in comments, it would eliminate the numerous problems that used to stem from unclosed tags.

i don't think any of that would be neccessary to prevent the kinds of things we don't want. if there is something we don't want, the site should just strip it out. i don't think that requires any kind of overhaul of the current user input mechanisms, although i do think some cleaning up is in order.

One of the main benefits is that this kind of system would just prevent people from breaking the site. I believe it would be simpler to do input validation on something like a hex code than to retroactively identify things we don't like and then write new ways to parse them out. But I defer to you on the coding.

breaking the site was just an ordinary bug, not any user's fault.

i was toying around the other night with some means of tidying up the user input without breaking common things like youtube videos. its a tricky area.

That my position is one I like is pretty self evident. I take it because it's what I support. You disagree with that position because it does not account for things that matter to you, our priorities are different, you hit the nail pretty well on the head above with the line about accounting for lowest common denominator and not average. You value ease of moderation over versatility in customization, a pretty understandable priority for a moderator, but not one I share as someone who doesn't particularly like a lot of TappedOut's layout.

Thank you for clarifying your analogy, I can see where it's coming from now. To that I would say that we haven't been using the same terms, or that you may be assuming I've taken a position I didn't mean to. "Detracts in any severe manner" is pretty subjective, having a hard time reading your navbar while on a specific page isn't what I'd call a severe obstacle, but I'm speaking in terms of deliberate cosmetic choices some people like or don't like and taking for granted that a moderator can simply say "this goes to far, change it." Unfortunately, the code for cosmetic changes and more elaborate actions overlap a lot.

I would not defend the use, in any capacity, of something that redirects or misleads the user, and any code that exclusively does those things should be prohibited. Problem is that very few things do that without doing something beneficial as well, and in my view that is the purpose of moderation. Using something one way is prohibited and will be punished, using it another way is allowed. I can use a knife to stab somebody, I'm not prohibited from owning a knife because it has many uses that aren't felonious.

My argument is simply that I believe the freedom to implement our own code enables enough good to warrant the effort it takes to protect it. Yes it does take some care to moderate, but I don't like punishing people who've done nothing wrong for the actions of others, the actions of a dozen jackasses weighed against the hundreds, maybe thousands of user pages and decks that someone put their time into making just so.

We both want what's best for the community, I just value this feature enough to maintain it. An easy position to take, maybe, since you're the one maintaining it, but I am at least willing to spend hours arguing about it on the internet.

The innocent victim card is, as I've explained, not applicable to site moderation. Your freedom to customize something does not necessarily take precedence over our concern for site security. Your ability to create a redirect to a helpful page does not mean that redirects should be permissible. So I'll dispense with your argument that we should somehow find the least slippery parts of the slope and instead argue that we should build a trail so we aren't constantly sliding down.

One of the top 100 universities in the nation pays me tens of thousands of dollars per year to advise its leadership on matters of cybersecurity. I'm telling you that from an administrative standpoint, the slippery slope and the idea that we should moderate on a case-by-case basis to determine whether someone is actually exploiting a glaring weakness is laughable. I acknowledge that a public forum is different from a university. However, the principles of website management do not change radically between the two. If yeaGO wants to accept the risk, as thus far he has, that someone will find some new way to misuse the site in a malicious fashion and prompt us to spend hours fixing the issue, then that is his prerogative. But I'm stating, as a matter of fact, that, regarding what's best for the function and risk posture of the site, the safer, more efficient, and more effective way to handle all of this is to limit user authorizations and use input-validated fields and shortcode-based customization to alter only the specific parts of the site that we select to be user alterable. It prevents things like redirect attacks without us having to wait for them to occur and hope not to suffer too much from the fallout while bandaging them. It provides some degree of customization (and we can expand or restrict the exact degree as necessary) without much of the risk involved in allowing random people to implement unverified code on our website.

And the whole idea that your or anyone else's hours spent customizing pages is somehow a defense against our reworking of the system is without merit. While we would ideally not offend anyone or divest them of their efforts, doing what is right is not a matter of doing what is liked, and it is especially not a matter of doing what is liked by a small number of people who do something that, by its very principles, breaks certain aspects of the site. You accept the risk if you do some renovations and remove a fire code-mandated alarm in the process of beautifying your ceiling. The same principle applies here. You don't earn squatter's rights for overriding the site's settings.

You can conjecture endlessly about the utilitarian merit of allowing free HTML customization versus allowing cool new themes versus building a code blacklist or whitelist, but unless you're willing to take the time to actually think about the impact of your arguments on the management process and about whether what you're proposing is really in the interest of the site over the interests of a few invested users, then you aren't really offering anything of salience.

thought he was pretty clear he wasn't talking about security issues

The security issues are inseparable from the common use issues when you're talking about allowing people to enter code. Unless you whitelist a very small and very deliberate selection of tags and attributes, or unless you build a different system for user customization, you are introducing malicious code risk and general service continuity risk.

His third and fourth paragraphs must concede the point that there is potential for abuse in the kind of system we currently have.

i don't know about all of these concessions you are after but what security concerns do you foresee? i really think the issue of moderation is a separate thing entirely. if there are exploits they require technical fixes not moderation fixes.