on Aug 29, 2013


In the future, please feel free to file bugs like this here:


* For submissions. There are some other places it won't take effect until a server restart.

Any chance you could fix the expired links problem? Or is it a political decision? :)

My old and unnoticed Ask PG:

Quickfix for expired "More": Ability to disable pagination

Expired "More" link is very annoying. Especially for browsing such threads as "Who is Hiring".

I understand you don't have a time, so quick fix (and quite useful actually) - have an option to show the thread without pagination.

I also wish HN respected the RFC3986 recommendation that angle-brackets be usable for delimiting a URI in context. See <http://www.ietf.org/rfc/rfc3986.txt>.
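As an added example (not code from the original thread or from Hacker News), this is what honouring the RFC 3986 Appendix C convention looks like in a linkifier: a URI written as <...> is taken verbatim, punctuation and all, while a bare URI has ambiguous trailing punctuation and unbalanced parentheses trimmed heuristically. The sample text and the `extract_uris` function are assumptions constructed for this illustration.

```python
import re
from typing import List

# Constructed sample text for this example; not taken from the original thread.
SAMPLE = (
    "See <http://www.ietf.org/rfc/rfc3986.txt>. "
    "Compare https://example.org/wiki/Foo_(bar). "
    "And (see https://example.org/x). "
    "Finally <https://example.org/a,b.>"
)

# Alternative 1: a URI delimited by angle brackets (RFC 3986, Appendix C) is
# unambiguous and taken exactly as written between the brackets.
# Alternative 2: a bare URI runs until whitespace or an angle bracket, so any
# sentence punctuation after it is swallowed and must be trimmed afterwards.
_URI_RE = re.compile(r"<(?P<bracketed>https?://[^<>\s]+)>|(?P<bare>https?://[^<>\s]+)")

# Characters that, at the end of a bare URI, are far more likely to be prose
# punctuation than part of the address.
_TRAILING_PUNCT = ".,;:!?'\""


def _trim_bare(uri: str) -> str:
    """Strip sentence punctuation and unbalanced ')' from the end of a bare URI."""
    while uri:
        last = uri[-1]
        if last in _TRAILING_PUNCT:
            uri = uri[:-1]
        elif last == ")" and uri.count("(") < uri.count(")"):
            # A ')' with no matching '(' inside the URI closes the surrounding prose,
            # not the URI; a balanced one (Foo_(bar)) is kept.
            uri = uri[:-1]
        else:
            break
    return uri


def extract_uris(text: str) -> List[str]:
    """Return the URIs found in text, in order of appearance."""
    found = []
    for m in _URI_RE.finditer(text):
        if m.group("bracketed") is not None:
            found.append(m.group("bracketed"))  # verbatim: the author delimited it
        else:
            found.append(_trim_bare(m.group("bare")))
    return found


if __name__ == "__main__":
    for uri in extract_uris(SAMPLE):
        print(uri)
```

The bracketed form is the only one where the reader's intent is certain: "https://example.org/a,b." keeps its trailing period because the author put it inside the brackets, whereas the bare "https://example.org/wiki/Foo_(bar)." loses only the period, since its parentheses balance.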

I guess this goes on to prove that PG is yet another normal programmer like anyone else.

Do you know how often HN reacts negatively to someone (or some company (except Apple)) for flouting some standardization/programming/design rule?

Gives some perspective.

I think we knew this years ago when he released Arc without UTF-8 and an html generation library that used <font> and <table> instead of css (and got taken to task on reddit for it) :)

(or (except (some company) Apple))

Sorry... I couldn't help it :)

Are you missing the other arm of the 'or'? Try the following, which assumes 'except' returns null if the second parameter equals the first.

  (or someone
      (except 'Apple some-company))
As a general style, although somewhat inverted, I prefer 'tailing syntax':

    (except someone 'pg 'rtm '_sh)
    (except some-company 'Apple 'Weyland-Yutani)

Yep... you are right... this is why I should never post from my phone :)

Not that this answers any part of the question, but I just created a redirect on Wikipedia for people who link without the apostrophe. (In case anyone's wondering why the broken link now works.)

This should be done automatically if you submit a link with an encodable character.

Other comments in this thread speculate about SQL-injection attacks, which are not a problem here because Hacker News doesn't use SQL. For interested readers, there was once a thread "How I Hacked Hacker News (with arc security advisory)", begun 1548 days ago, that still makes interesting reading, although I'm sure the original vulnerability has been fixed.

Looks like a poorly designed method to avoid SQL injections.

Doubt it - if I remember correctly, News uses its own storage engine (written on top of the file system) rather than a SQL database. Source at http://arclanguage.org/install

Even if it's not SQL oriented, it could still be to mitigate some kind of injection attack. This is an interesting question; I hope someone with more specific knowledge takes the time to answer it.

like foo.com'onclick="alert('hi');"

But yeah the right way to do this is to use a well-tested urlencoding library, not to strip out dangerous-looking characters.
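To make the point concrete, here is an added example (not code from the original thread or from Hacker News) contrasting the two approaches: stripping apostrophes and quotes silently changes a legitimate URL, while percent-encoding each URL component per RFC 3986 and then HTML-escaping the result for the attribute context keeps the link working and leaves the `'onclick=` payload inert. The sample URLs, the host check and the function names are assumptions constructed for this illustration; they are not how Hacker News actually handles submissions.

```python
import html
import re
from typing import Optional
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed sample submissions for this example (not from the original thread).
WIKI_URL = "https://example.org/wiki/Rock_'n'_Roll"       # legitimate apostrophes
PAYLOAD_IN_HOST = "http://foo.com'onclick=\"alert('hi');\""   # the attack shape quoted above
PAYLOAD_IN_PATH = "http://foo.com/'onclick=\"alert('hi');\""  # same payload, valid host

# RFC 3986 allows unreserved characters, sub-delims (including the apostrophe),
# ':' and '@' raw in a path segment; '/' separates segments and '?' is legal in
# a query or fragment. '%' is kept so existing escapes are not double-encoded.
_PATH_SAFE = "/:@!$&'()*+,;=-._~%"
_QUERY_SAFE = _PATH_SAFE + "?"
# Assumption for this example: only a plain host[:port] is accepted (no userinfo).
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def strip_dangerous(url: str) -> str:
    """The 'strip dangerous-looking characters' approach: it silently rewrites the URL."""
    return url.replace("'", "").replace('"', "")


def normalize_url(url: str) -> Optional[str]:
    """Return an RFC 3986-style encoded http(s) URL, or None if it cannot be one."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not _HOST_RE.match(parts.netloc):
        return None  # rejects javascript: links and junk in the authority part
    return urlunsplit((
        parts.scheme,
        parts.netloc.lower(),
        quote(parts.path, safe=_PATH_SAFE),
        quote(parts.query, safe=_QUERY_SAFE),
        quote(parts.fragment, safe=_QUERY_SAFE),
    ))


def render_link(url: str) -> Optional[str]:
    """Emit an <a> tag: encode for the URL context, then escape for the HTML attribute context."""
    clean = normalize_url(url)
    if clean is None:
        return None
    escaped = html.escape(clean, quote=True)  # turns ' into &#x27; and " into &quot;
    return '<a href="%s">%s</a>' % (escaped, escaped)


if __name__ == "__main__":
    print("stripped :", strip_dangerous(WIKI_URL))
    print("encoded  :", render_link(WIKI_URL))
    print("host junk:", render_link(PAYLOAD_IN_HOST))
    print("path junk:", render_link(PAYLOAD_IN_PATH))
```

The browser decodes `&#x27;` back to an apostrophe before following the link, so the Wikipedia-style URL survives intact; the payload either fails the host check or ends up as harmless percent-encoded and entity-encoded text inside the attribute, with nothing able to close the quote early.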

PG didn't use SQL. Not sure why, I would love an explanation from PG himself. He's a great programmer and can teach us something while explaining his reasoning.

He did explain that at least once here. Someone brought it up about six months ago when they updated to the new Altair. Here is a related discussion from around that time. Sorry I couldn't find the one from PG. https://news.ycombinator.com/item?id=5239673

IIRC HN runs off a flat file, and doesn't use SQL, or anything else fancy simply because it isn't needed, and or because it adds unneeded complexity.

Thanks, looks good. HN was built before Heroku and App Engine then. Nowadays, putting a db-backed site on them is a pretty easy zero-admin affair.

Nope. No SQL here.

Not to be confused with NoSQL.

Or whether or not you know SQL

It might be effective though. An occasional 'Ask PG' is better than an occasional security breach.

Yes, but wouldn't escaping the URL properly be a better solution than either?

I was under the impression that HN was completely invulnerable to SQL injection?

It doesn't use a 'database' but still has openings, it's just code after all. FYI: security breach != sql injection.

Yeah, it's about time we admit HN is pretty disastrous.

In what universe would changing a URL to something that doesn't work be a feature?

In my universe! Instead of receiving emails from my IT dept* to warn me of SPAM that I shouldn't click, including a FWD of the spam with the link that shouldn't be clicked, I'd receive, I dunno, pretty much anything else would be fine.

* No, really, this went on for the better part of a semester despite a diverse array of advice to the contrary.

The universe Apple occupies, of course.

It's almost as if Hacker News isn't actively updated/developed whatsoever...

Funny, I thought it was some sort of measure to prevent users from inadvertently causing an SQL injection on a vulnerable site by just clicking a malicious link.
