by MJSplot_author
3405 days ago
I just want to chime in and say that I've had a look and a quick play with mypost.io and think it looks awesome. Like many of the links on this HN thread, but with way more features. As you are allowing HTML entry, how are you protecting against JavaScript inside user created pages?
|
There is certain JavaScript that is allowed, but others I've had to disallow. The way I've been able to allow it and monitor it is through BBCode. Basically writing [script src=myjsfile.js][/script] or something like [script]alert('hey there');[/script] is how you can get JavaScript on a post, but it does go through a filter beforehand to scan for any potentially harmful code. Trying to write JavaScript the original way doesn't usually work.
At one point, I had JavaScript as a main feature in the Advanced Options section, but I've since removed it, as I saw its potential for abuse. As more and more users are using it from around the world, it's kind of interesting to see the clever "hack codes" people come up with. For the most part, I've mostly filtered out all "dangerous" code, but it still arises occasionally as the Internet evolves and more people are clever.
Mainly with the hacks I've seen: people using it to redirect directly to their own spammy websites. People creating divs that block MyPost but show a message on top, and you can't do anything but go to the person's website or link. I've been able to filter these types of codes and prevent them from being entered into a post. The thing with JavaScript, though, is that there are dozens of ways to write the same code.
I even had to build my own captcha as people learned how to automate the creation of mass-posts. Some Russian guy emailed me (it was in Russian, but the translator basically told me he was pissed off because I added the captcha), but I knew it was him who created about 2000 posts in less than an hour. They then learned how to somehow bypass the Google reCAPTCHA, and so I ended up building my own, which fortunately, at the moment, has successfully stopped bots from being able to automatically post thousands of posts at a time.
I'd rather people use it for its true purpose: getting webpages up on the Internet in seconds, learning how easy it is to code, etc., than to have hundreds of thousands of "spam" posts on the website. So those have been my battles since creating it: fighting bots and fighting people who are coming up with clever ways to "hack it".
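One defensive way to implement the [script] BBCode handling the reply describes, as an added example that is not mypost.io's code: rather than scanning post content for dangerous patterns (which the reply notes can be rewritten dozens of ways), only the `[script src=...][/script]` form is rendered, and only for an https source on an allowlisted host; inline script bodies are dropped and every other character is HTML-escaped. The `ALLOWED_SCRIPT_HOSTS` set and the `cdn.example.com` host in it are assumptions, and the example narrows the author's "HTML entry" to escaped text to keep the check self-contained.

```python
import re
from html import escape
from urllib.parse import urlparse

# Constructed allowlist (assumption): hosts from which [script src=...] may load.
ALLOWED_SCRIPT_HOSTS = {"cdn.example.com"}

# Both BBCode forms from the post: [script src=...][/script] and [script]...[/script].
SCRIPT_TAG = re.compile(
    r"\[script(?:\s+src=(?P<src>[^\]\s]+))?\](?P<body>.*?)\[/script\]",
    re.IGNORECASE | re.DOTALL,
)


def render_script_tag(match: re.Match) -> str:
    """Return a <script> element only for an allowlisted https source; otherwise nothing."""
    src = match.group("src")
    body = match.group("body")
    if src is None or body.strip():
        # Inline bodies are never rendered, even when a src is also given.
        return ""
    parsed = urlparse(src)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_SCRIPT_HOSTS:
        return ""
    # Escape the URL so it cannot break out of the attribute it is placed in.
    return f'<script src="{escape(src, quote=True)}"></script>'


def render_post(bbcode: str) -> str:
    """Escape all raw text and re-introduce only the permitted [script src] form."""
    out = []
    pos = 0
    for match in SCRIPT_TAG.finditer(bbcode):
        out.append(escape(bbcode[pos:match.start()], quote=True))
        out.append(render_script_tag(match))
        pos = match.end()
    out.append(escape(bbcode[pos:], quote=True))
    return "".join(out)
```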