Hacker News
by kris_wayton 1233 days ago
Since you can insert arbitrary JS, it feels like you could write a loop that ajax posts a bunch of new webspaces when someone visits a webspace. Might look into protecting against that.
2 comments

Just for now. Later, after the beta (which is nearly finished), no external stuff will work, just the basics. But you’re absolutely correct!
src and href are now forbidden tags. Should filter out most of the crap.
The site doesn't seem to work, says "Wrong secret word" for hackernews.

Is there a list of pages people have made?

So without src & href you can't have links, seems like a massive limitation. Was trying to submit a personal site with external links, guess it's no use now.

There's srcset, and things like generating content with JS, inline CSS base64 images (background: url(data:...)), and lots of other loopholes. The author is going to re-live a lockdown path many others have gone through ;)
The prob is, when you allow clickable links, you can't count the spam sites or sites with evil code.
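
An added example, not part of the thread and not the site's own code: an allow-list sanitizer that keeps plain http/https links while dropping the loopholes named above (srcset, inline style with data: URLs, script, event handlers), instead of forbidding individual attributes. The tag list, the policy constants and the sample input are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this sketch: anything not listed here is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}      # no src, srcset, style or on* anywhere
ALLOWED_SCHEMES = {"http", "https"}  # rejects javascript:, data:, relative URLs
DROP_CONTENT = {"script", "style"}   # element body is discarded as well

def is_safe_url(value):
    try:
        return urlsplit(value.strip()).scheme.lower() in ALLOWED_SCHEMES
    except ValueError:               # malformed URL, e.g. a broken IPv6 host
        return False

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = [f' {n}="{escape(v.strip(), quote=True)}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, ()) and v and is_safe_url(v)]
            if tag == "a":
                kept.append(' rel="nofollow noopener"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))   # text is re-escaped on output

def sanitize(html_text):
    parser = AllowListSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)

# Constructed sample input covering the loopholes named in the thread.
SAMPLE = ('<p>hi <a href="https://example.com/x" onclick="x()">link</a></p>'
          '<img srcset="https://tracker.example/p.png 1x">'
          '<div style="background:url(data:image/png;base64,AAAA)">box</div>'
          '<a href="javascript:alert(1)">js</a><script>fetch("/new")</script>')
print(sanitize(SAMPLE))
```

Because the parser decodes character references before the scheme check, an entity-encoded `javascript:` href is rejected the same way as a literal one.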