Show HN: Profile.io - Profiles for Developers - dannyr
http://profile.io

======
Xk
Escape < and > (and everything else), and check the site for XSS. I don't mean
to be rude, and I realize you two coded this up in a really short amount of
time -- but before this site goes live it would be best to have it secure.

Demo: <http://profile.io/foobar>

[EDIT] As someone else pointed out, viewing the list-of-developers page puts
up the XSS, which is even worse. I didn't know that page existed.

[EDIT2] It turns out I broke a lot more than I tried to. I also own the
account 'xss' which has an unclosed '<' inside of its name, and that destroys
half the page. I'm really sorry, please delete that account.

[EDIT3] I broke that account even more in order to fix it. I had an unclosed
script tag, so I closed it off in my 'location'. If you fix the xss in just
the profile information, then the page will get messed up again.

[EDIT4] The 'test' account was deleted, but the XSS's haven't been fixed?
Updated to point to a different page I had made.

~~~
dannyr
Fixed. Let me know if we missed anything.

I wish we could use Django's autoescape filter but App Engine's SDK ships with
just 0.96 by default.

We can only upgrade to a later version of Django in Prod and not locally.

~~~
Xk
Usernames aren't sanitized yet. (As is visible with the '<asdf' in the
'foobar' link above.)

EG: <http://profile.io/xss2>

~~~
qeorge
Also, you missed the login form (both in the header and on
<http://profile.io/login>). It's echoing the username directly, e.g., "Username
<script>alert(1)</script> was not found"
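Output-time escaping of the fields Xk and qeorge point at (profile name, location, and the username the login form echoes back), as an added example that is not Profile.io's code; it is the manual escaping a template engine without autoescape, such as the Django 0.96 mentioned below, leaves to the handler. SAMPLE_PROFILES and the markup are constructed stand-ins for the site's pages.

```python
import html
from urllib.parse import quote

# Constructed sample profiles in the shape the thread describes: one name that
# is a script tag, one with an unclosed '<', one location that closes a tag.
SAMPLE_PROFILES = [
    {"username": "xss", "name": "<script>alert(1)</script>", "location": "SF"},
    {"username": "foobar", "name": "<asdf", "location": "</script>Austin"},
]


def esc(value):
    """Escape a value for an HTML text node or a double-quoted attribute."""
    return html.escape(str(value), quote=True)


def render_profile(profile):
    # Escape at output time, every time: an unclosed '<' can then no longer
    # swallow the rest of the page, and a stray '</script>' closes nothing.
    return (
        '<div class="profile">'
        "<h1>%s</h1>"
        '<p class="location">%s</p>'
        '<a href="/%s">permalink</a>'
        "</div>"
    ) % (
        esc(profile["name"]),
        esc(profile["location"]),
        esc(quote(profile["username"], safe="")),  # URL-encode, then HTML-escape
    )


def render_developer_list(profiles):
    # The developer listing page reuses the same escaped rendering.
    return "<ul>" + "".join("<li>%s</li>" % render_profile(p) for p in profiles) + "</ul>"


def login_not_found(username):
    # The login form echoed the submitted name verbatim; it gets escaped too.
    return "Username %s was not found" % esc(username)


def leaks_markup(rendered, profiles):
    # Regression check: no raw name or location containing '<' may survive.
    raw = [p[k] for p in profiles for k in ("name", "location") if "<" in p[k]]
    return any(v in rendered for v in raw)
```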

------
StavrosK
"Favorite cloud provider?" God, can we at least not make it easy for people to
stereotype us? The only non-silly answer is "water vapour".

~~~
hallmark
Please explain why "Amazon Web Services" would be a silly answer.

~~~
StavrosK
Because "cloud" means nothing.

~~~
hallmark
Really? To me as a developer, "cloud" means PaaS or IaaS.

It's fun to ridicule a trendy word when it is misused by marketing types. But
among smart hackers, aren't we past that?

~~~
StavrosK
Okay, I can see how GAE is a PaaS. Is AWS? If so, why isn't linode? And, by
extension, any server...

------
dustball
My take (dannyr and I built this) -- this is like an "about.me" but for
developers. You add your GitHub account, add your programming languages, etc.
And (my favorite) you add all the projects you are building -- for example
when you add an Android app, it automatically links to the Android Market,
pulls in the app icon, etc.

This is meant for developers to have a decent place to showcase their geek.
(And the domain is cool, no?)

Thanks, love you all!

Brian and Danny @ SXSW

PS: This app was built on StartBus -- the entire site was made on a moving bus
from SF->Austin :)

~~~
kmfrk
How exactly is this different from flavors.me?

forrst.me also has more traction, and they are both formidable competitors, so
I'd love some great selling points.

What would make your service very, very interesting is to focus entirely on
creating a presentable mix of a personal homepage and a resumé - GitHub, Stack
Overflow, Codelesson badges(!), and such. LinkedIn isn't that interesting in
many regards, and it'd be great if you found the key to a good resumé and used
that to build your foundation on.

forrst.me is more of a social web discoverability tool, while flavors.me
creates easy-to-make web presences.

~~~
phlux
>...so I'd love some great selling points.

They built it while riding the bus, what more could one ask for?

~~~
kmfrk
That makes it a good story, not a good service. :)

~~~
dannyr
It's the niche.

Flavors.Me != Profile.io in the same way StackOverflow != Quora.

~~~
kmfrk
I don't see the niche argument applying to a service that basically isn't a
community; there is no in-service exchange between the users.

flavors.me has a better design and presumably offers more service hooks than
profile.io.

Saying that profile.io is a niche product in the light of flavors.me just
seems like PR-ish for "less appeal". :) If it's vertical, it can't be the same
as a service with a wide appeal.

From what profile.io looks like to me now, it's just flavors.me with poorer
design and less traction. You can try to beat flavors.me in design (good luck
with that), or you can try defining your own project and set it apart from the
competition.

Information on profile.io is very scant, so I know very little about the
project. I'm outlining a gap I'd like to see someone figure out and fill. I
hope the project wasn't inspired by AOL's acquisition of about.me, because
people in the Valley still can't wrap their brain about that. :)

~~~
dannyr
You are comparing a 3-day version of Profile.io to a 2+ year-old site. We have
plans that would differentiate ourselves from the other services out there but
we can't build all of them in a matter of days.

It is not entirely inspired by About.me but we got some inspiration from it
mainly with the design.

If you look at my previous HN submissions, Profile.io is a byproduct of my
previous project - Launchset. It's just a much simpler version.

Seriously though, why the negativity? As somebody who loves to build apps, I
never judge other people's apps in their initial version. All ideas/apps evolve.

~~~
kmfrk
I have spent more than 30 minutes of my time giving you suggestions for your
service and outlining challenges that lie ahead.

If the about.me and appeal remarks seemed hostile, it was because I didn't
know that I was talking to one of the creators. (Like I've said before, HN
needs to highlight that somehow.)

If that's not positive, I honestly don't know what is. And to give you some
honest advice (I know how you hate that, though), your attitude to feedback
isn't going to help you succeed. Quite the contrary.

Helping people is a little like being a parent; to your children, you're a
parent first, and a friend second. You may have to make some unpopular
decisions, but they're in the best interest of the person.

------
dannyr
Hello fellow HNers:

We built Profile.io as part of StartupBus.

It is currently private beta but I have invites.

You can create an account using this link:

<http://profile.io/invite/HACKERNEWS>

Site is pretty barebones but we will be adding more features and fixing bugs
in the next few days.

Hopefully, we'll be selected as finalists for StartupBus and get to demo it on
Monday at SxSW.

Thanks!

~~~
akkartik
Anybody else getting anything besides "Email is not valid or empty." when they
put emails in? I tried a few test ones, and nothing's getting through.

~~~
dannyr
Sorry, forgot 'not' when checking is_email_valid.

It is now fixed. Try again.

------
BoppreH
Apparently there's someone called "<script>alert(1)</script>". Please sanitize
this person's name before displaying it. Thank you.

~~~
Xk
Yeah, that's me -- I can't change my name, but if I could I would. I didn't
realize there was the developer list and thought I would have an isolated test
page.

------
techietim
I hope you don't plan on keeping the current URL for the developer listing, as
humorous as it is:

[http://profile.io/developers/developers/developers/developer...](http://profile.io/developers/developers/developers/developers)

~~~
ks
It seems that someone has inserted javascript code in their profile. That page
is full of javascript message boxes saying "xss1", "xss2" etc.

------
robeastham
This is a little similar to my new app/startup:

<http://www.mightycv.com>

Mighty CV is a little more free form and geared towards producing a hacker
centric traditional style résumé and so not quite the same as profile.io.

Just signed up for a beta account at profile.io and it looks promising.
Perhaps we could provide integration to each others services.

------
d0m
Traceback (most recent call last):
  File "/base/python_runtime/python_lib/versions/1/google/appengine/ext/webapp/__init__.py", line 517, in __call__
    handler.post(*groups)
  File "/base/data/home/apps/profileioweb/1.348935554744823342/main.py", line 60, in post
    app = Application(email=self.request.get('email'),desc=self.request.get('desc'))
  File "/base/python_runtime/python_lib/versions/1/google/appengine/ext/db/__init__.py", line 815, in __init__
    prop.__set__(self, value)
  File "/base/python_runtime/python_lib/versions/1/google/appengine/ext/db/__init__.py", line 544, in __set__
    value = self.validate(value)
  File "/base/python_runtime/python_lib/versions/1/google/appengine/ext/db/__init__.py", line 2437, in validate
    raise BadValueError('Property %s is not multi-line' % self.name)
BadValueError: Property desc is not multi-line

:D

~~~
dannyr
We are using StringProperty. We need to use TextProperty.

We are going to try to fix this soon.

~~~
jessedhillon
I think the bigger issue is that your tracebacks are publicly visible.

~~~
dustball
Great point, thanks.

Did I mention we made this entire site on a BUS RIDE? :)

~~~
jessedhillon
Sure, I appreciate that you guys hacked this together under extremely tight
conditions and I don't mean to be a dick about it. It's just that this is
something which has the potential to be _really_ bad, and depending on your
framework you can usually fix this with a simple `debug = false` or similar.
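The `debug = false` point above, as an added example that is not Profile.io's or App Engine's code: a stand-alone WSGI wrapper with a debug switch, where debug=True writes the traceback into the response the way the thread's error page did, and debug=False logs it server-side and returns a generic 500. The failing handler and the "profileio" logger name are constructed assumptions.

```python
import logging
import sys
import traceback

log = logging.getLogger("profileio")  # hypothetical logger name (assumption)


def submit_application(environ, start_response):
    # Constructed stand-in for the handler in the thread: it fails on the
    # multi-line 'desc' before any response has been started.
    raise ValueError("Property desc is not multi-line")


class ErrorPage:
    """WSGI wrapper modelled on a framework 'debug' flag."""

    def __init__(self, app, debug=False):
        self.app = app
        self.debug = debug

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            exc_info = sys.exc_info()
            # Full traceback always goes to the server log, never to the client
            # unless debug is deliberately switched on.
            log.error("unhandled error on %s", environ.get("PATH_INFO"), exc_info=exc_info)
            if self.debug:
                body = "".join(traceback.format_exception(*exc_info))
            else:
                body = "Something went wrong. The problem has been logged."
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain; charset=utf-8")], exc_info)
            return [body.encode("utf-8")]


def make_app(debug):
    return ErrorPage(submit_application, debug=debug)


def call(app, path="/apply"):
    """Invoke a WSGI app with a minimal environ; returns (status, body_text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "POST"}, start_response))
    return captured["status"], body.decode("utf-8")
```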

------
jkkramer
Neat idea. Minor nits:

- Would be nice if custom background images tiled

- Not clear whether to enter usernames or URLs for accounts

- "Add an Technology" typo

- No cancel buttons on the forms

- Popup forms feel a little sluggish to open. Any way to have their HTML
preloaded?

- List of tech, etc could use some typography/color to make it more readable

------
agentultra
I got a weird validation error from your form. Apparently the text field isn't
supposed to accept multi-line fields?

I'm curious about the site and if it will offer any benefits over my own
personal site.

Cheers

------
dorkitude
I like it. You guys are definitely one to watch out for on #StartupBus.

------
hroman
Tried to register but got this <http://pastie.org/1661494>.

~~~
dustball
Thanks for the report! We're actively coding now at SXSW :)

Bug should be fixed now :)

------
gm
This is great... But the link to the SO user profile is broken, at least for
me... Methinks a SO username is not enough to construct a link to the profile.

Great work!

~~~
dannyr
Yeah, you need an id at least (e.g. stackoverflow.com/user/1234).

------
shiftb
Congrats guys! Was awesome watching you build it.

------
dustball
Unrelated: look who we're sitting next to :) <http://i.imgur.com/RNSK5.jpg>

(Angry birds just got $45m yesterday!)

~~~
mychacho
Dude, I want one of these sweatshirts :)

------
elvirs
Looks a lot like the Turkish kimdir.com.

