Hi folks,
a) It is important for PBase to evaluate how XSS attacks would work. It is completely untrue that _any_ JS yields to XSS. Specifically, any JS code that does not take input from users and/or HTML-encodes any output correctly is hard to attack. Is it 100% attack-proof? Who knows. But by the same logic, neither is any website, JS or not. So we are not talking about expert attackers - the INTERNET is susceptible to them. The way in which the news announcement came out was as if this XSS site were some sort of radical discovery.
b) I am hugely irked by the continuous hammer-handed attitude shown. PBase - we don't use statcounter because we WANT to. We use it because we NEED to. And we need to because your own implementations are patchy, to say the least (besides looking at vertical lines of PBase's own stats, it does not provide any useful information to us). The same holds true for your printing service - no idea when user printing will come out, but who uses PBase to print their _own_ photos, and that too, only framed?
You just don't go about ripping down full support just because someone pointed you to the XSS site.
c) I stand by the fact that this is a photo hosting site. Srijith, you have a point about bad PR if bad things happen, but my point is that the answer to that is not disabling JS. Disable external script references if you want. Disable form inputs if you want. Force HTML encoding in any document.write if you want. And also, if a user decides to use JS on his site, put out a disclaimer form stating that the user indemnifies PBase for such use and that the user recognizes that JS could potentially be exploited.
Again, completely ham-handed and with no respect to users. Had PBase the decency to send all users an _email_ a week in advance, I would have gladly been more supportive, even to this nature of stripping.
Irked beyond belief
arjun
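The post above argues that JS which HTML-encodes what it writes is far harder to attack than JS which writes raw input, and suggests forcing HTML encoding in document.write. The following is an added example, not code from the original post or from PBase, showing the two cases side by side. The gallery-caption input, the function names and the hostile caption string are all constructed for illustration; the markup is returned as a string rather than written to the page so it runs without a browser DOM.

```javascript
// Added example (not from the original thread): raw vs HTML-encoded output into
// a document.write-style sink. All names and inputs here are constructed.

// Minimal HTML encoder for text placed in element content or a double-quoted
// attribute value. The five characters below are the ones that can change the
// meaning of the surrounding HTML.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Vulnerable pattern: the caption is interpolated verbatim, so any markup it
// contains becomes part of the page. This is the kind of script the thread is
// worried about.
function captionMarkupUnsafe(caption) {
  return '<div class="caption">' + caption + '</div>';
}

// Hardened pattern: encode first, so the caption is displayed literally.
function captionMarkupSafe(caption) {
  return '<div class="caption">' + htmlEncode(caption) + '</div>';
}

// Check used by the demo: did a <script> start tag make it into the output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker-controlled input, e.g. a caption submitted through a
// comment form by a hostile visitor.
const HOSTILE_CAPTION = 'Sunset <script>alert(document.cookie)</script>';

// Builds both versions. In a browser the safe version would be passed to
// document.write(); here it is returned so the example is testable offline.
function demo(caption) {
  const input = caption === undefined ? HOSTILE_CAPTION : caption;
  const unsafe = captionMarkupUnsafe(input);
  const safe = captionMarkupSafe(input);
  if (typeof document !== 'undefined' && typeof document.write === 'function') {
    document.write(safe);
  }
  return { unsafe: unsafe, safe: safe };
}
```

One caveat a practitioner would add: this encoder is only correct for element content and quoted attribute values. Text that ends up inside a script block, an event-handler attribute, a URL or a CSS value needs encoding for that context, so "force HTML encoding in document.write" is necessary but not by itself sufficient.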