
I Got Hacked by Hacker News Readers - bbrennan
http://bbrennan.info/blog/hacked-by-hacker-news
======
krapp
I think a lot of people probably get burned not realizing that the Markdown
spec includes all valid HTML by default.

Still, I don't think building a Markdown parser that doesn't sanitize or
whitelist allowed tags by default is really excusable, even if it would be
slower.

And I've seen several MVP projects posted here that crash if you so much as
post an empty form. It seems to be an easy thing to forget.

------
Nadya
At least they did something cute/funny rather than fullscreen a liveleak gore
video or worse. :)

 _> This has also made me a more fervent believer in security-by-default._

I've yet to understand why anyone would be against security-by-default. How
many users would rather have a set of [x] features that for whatever reason
require an insecure setup compared to those who would prefer a secure setup?

~~~
bbrennan
I think Angular is a good example where security-by-default can get annoying.

Angular provides ng-bind-html to inject strings of HTML into the DOM, but in
order to use it you have to add the ngSanitize module, add $sce to your
controller, and run your string through $sce.trustAsHtml().

The first time I did this it probably took me half an hour, even though the
HTML was just a string constant.

I think a lot of libraries/frameworks choose functionality-by-default over
security-by-default to make the onboarding process easier and to promote cool
features. If Marked sanitized input by default, how many people would have
assumed it simply wasn't capable of handling embedded HTML?
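
An added example (not code from this thread, from Marked, or from Angular): what the "whitelist allowed tags" approach krapp and bbrennan are discussing looks like in practice. Markdown renderers pass raw HTML through, so the output has to go through an allow-list step like this before it is inserted into a page. The tag list, the attribute list, the accepted URL schemes and the sample inputs are all assumptions constructed for the demo, not anything from the original post.

```javascript
// Added example for this thread: a minimal allow-list sanitizer for the raw
// HTML that a Markdown renderer lets through. Not code from bbrennan's post,
// Marked or Angular; the lists below are assumptions chosen for the demo.

// Tags that may survive. Everything else (script, img, iframe, svg, ...) is
// turned into visible text instead of markup.
const ALLOWED_TAGS = new Set([
  "p", "br", "em", "strong", "code", "pre", "blockquote",
  "ul", "ol", "li", "h1", "h2", "h3", "a",
]);

// Per-tag attribute allow-list. Anything not listed (every on* handler,
// style, src, ...) is dropped. Only <a> keeps attributes in this demo.
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };

// href must start with an explicit, known-safe scheme. The check runs on the
// raw attribute text, so "javascript&#58;alert(1)" simply fails it instead of
// being entity-decoded into "javascript:" by the browser later.
const SAFE_HREF = /^(?:https?:|mailto:)/i;

// One pass over the input: either a tag-shaped token, or a stray "<" / ">".
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>|[<>]/g;
// name, optional = "double" | 'single' | bare value
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Rebuild the attribute string of an allowed tag from its allow-list only.
function sanitizeAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  let out = "";
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name)) continue;
    const value = (m[2] ?? m[3] ?? m[4] ?? "").trim();
    if (name === "href" && !SAFE_HREF.test(value)) continue;
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  return html.replace(TAG_RE, (match, slash, name, attrText) => {
    if (name === undefined) {
      // A "<" or ">" that is not part of a well-formed tag. This also covers
      // "<!--", so a comment can no longer swallow the rest of the document.
      return match === "<" ? "&lt;" : "&gt;";
    }
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) {
      // Unknown tag: show it as text rather than letting it execute.
      return escapeHtml(match);
    }
    if (slash) return `</${tag}>`;
    return `<${tag}${sanitizeAttrs(tag, attrText)}>`;
  });
}

// Constructed sample input: the kind of payloads a comment form receives once
// people notice that the Markdown field accepts raw HTML.
const CONSTRUCTED_INPUT = [
  "<p>Hi <strong>there</strong></p>",
  '<img src=x onerror="alert(1)">',
  "<script>alert(document.cookie)</script>",
  '<a href="javascript:alert(1)">click</a>',
  '<a href="https://example.com/?a=1&b=2" onclick="evil()">ok</a>',
  "<!-- <p>hidden --><p>text</p>",
].join("\n");

console.log(sanitizeHtml(CONSTRUCTED_INPUT));
```

The design choice worth noting is the allow-list direction: the sanitizer never tries to enumerate dangerous tags or attributes, it only passes through what it has explicitly approved, so a new browser feature or an encoding trick defaults to "escaped" rather than "rendered". Relative URLs are dropped by the href check here, which is too strict for a real site, but loosening it is the kind of decision that should be made deliberately rather than by default.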

------
lightlyused
Ah, the good old days.

