All posts by Rafael França

XSS vulnerability on Simple Form

There is a XSS vulnerability on Simple Form’s error options. Versions affected: >= 2.0.0 Not affected: < 2.0.0 Fixed versions: 3.1.0, 3.0.3, 2.1.2 Impact When Simple Form renders an error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the error message can be provided … »

Read more at the source

The new HTML sanitizer in Rails 4.2

The article below was originally written by Kasper Timm Hansen (@kaspth on github & twitter) about his work during the Google Summer of Code 2013. Kasper and I worked a lot changing the underlying implementation of the sanitize helper to give Rails developers a more robust, faster and secure solution to sanitize user input. This […]

Read more at the source

Bootstrap 3 support for Simple Form

We just released Simple Form 3.1.0.rc1 with support to Bootstrap 3. To make it possible, we leveled up the Wrapper API to make it more extensible and to allow developers to directly configure it instead of relying on global state. After such improvements, it was very easy to change the Simple Form configuration to work […]

Read more at the source

XSS vulnerability on Simple Form

There is a XSS vulnerability on Simple Form’s label, hint and error options. Fixed versions: 3.0.1, 2.1.1

Read more at the source

Please Read The Comments

March 19, 2014

I find the Don't Read The Comments movement kind of sad.

Comments sections are frequently misogynistic, homophobic, racist, and very often POORLY WRITTEN. Why bother reading them?
— Don't Read Comments (@AvoidComments) March 8, 2014

In 2006 I said that a blog without comments is not a blog and I stand behind that statement. There have been brief periods where my own blog has been temporarily without comments, but they will always come back as long as I'm in charge here.

I'm a fan of comments, warts and all. They're noisy, sure, but in my experience they reliably produce crowdsourced knowledge in aggregate. I understand being pressed for time, but if you want the complete picture, in the same way that you should follow all those little citation links in Wikipedia articles, you should read the comments.

I empathize with the complaint, believe me:

I used to believe that as an online writer, I had an obligation to read the comments. I thought that it was important from a fact-checking perspective, that it somehow would help me grow as a writer. What I’ve learned is that if there’s something wrong or important or even, sometimes, good about a story, someone will let you know. I’ve over the years amassed an amazing community of Salon readers who engage via email, who challenge me, who inspire new stories, who are decent people and treat me like one in return. What I was getting in the comments was a lot of anonymous “You suck, bitch.”

I admit it’s depressing for one who’s invested almost her entire career in online community to throw in the towel on it in this way. I want it to be better. But it’s just not. As a colleague once observed, “I just can’t take another letter from Angry Bad Divorce Guy.”

But that's so many pesky words, isn't it? TL;DR. Allow me to illustrate with a graph that your brain can absorb in milliseconds:

What is wrong with people, amirite?

I humbly submit that this is asking the wrong question.

What is wrong with us?

I agree with Anil Dash. If your website is full of assholes, it's your fault.

As it turns out, we have a way to prevent gangs of humans from acting like savage packs of animals. In fact, we've developed entire disciplines based around this goal over thousands of years. We just ignore most of the lessons that have been learned when we create our communities online. But, by simply learning from disciplines like urban planning, zoning regulations, crowd control, effective and humane policing, and the simple practices it takes to stage an effective public event, we can come up with a set of principles to prevent the overwhelming majority of the worst behaviors on the Internet.

If you run a website, you need to follow these steps. if you don't, you're making the web, and the world, a worse place. And it's your fault. Put another way, take some goddamn responsibility for what you unleash on the world.

In other words, if you are unwilling to moderate your online community, you don't deserve to have an online community. There's no end of websites recreating the glorious "no stupid rules" libertarian paradise documented in the Lord of the Flies in their comment sections, from scratch, each and every day. This ends exactly as you would expect it to.

However, demanding that every online community, every comment section, have active moderation is a tough sell:

Skilled moderators are difficult to find. A bad moderator is often worse than no moderator.
Do you have the budget to pay full time moderators?
Are your moderators around 24/7?
If you have a single moderator making unilateral decisions, who appeals their decisions? If you have multiple moderators, how do they resolve disagreements?
What happens when your moderators inevitably burn out or move on?

One of the reasons I launched the Discourse project was due to the utter lack of understanding of how you build software to help online discussion communities moderate themselves. Their survival depends on it.

What I learned building Stack Overflow, more than anything else, is this: the only form of moderation that scales with the community is the community itself. We became quite skilled at building systems for self governance of online communities, and one of the things I'm proudest of is that – if we did our jobs well – decades from now Stack Exchange will still be a network of viable, functioning, entirely self-governing communities.

It's always a people problem. This is absolutely true. But it's also true that software can profoundly affect people's behavior, and provide tools for encouraging positive behaviors while modifying and mitigating negative behaviors. All that stuff Anil Dash described as your responsibility? Discourse handles it automatically, even if the owner installs and then walks away forever.

These are the principles of civilized discourse that Discourse is founded on, that our discussion software is designed around. Civilization begins with software that actively works to help you create safe environments for having reasonable conversations with other human beings. On the Internet, even!

This is all a very long winded way of saying that effective immediately, Coding Horror is using Discourse to power its discussions.

You may have questions, so I will attempt to answer them:

This blog is now hosted on Ghost, which doesn't natively support comments. All previous TypePad comments were converted into Discourse. To the best of our ability, nothing was lost.
Discourse is still beta, but late beta. Expect changes and improvements as we make our way to 1.0.
Discourse is a companion area to this blog, a clubhouse for the community. You can visit there directly at discourse.codinghorror.com
Every new blog post here results in a corresponding topic being automatically created in the Discourse discussion area.
I do not, and will not, offer in-page commenting here. If you want to reply with a comment, you go next door to the community clubhouse. There's a fairly strong, but permeable, membrane between the editorial area here and the community area there. This is intentional.
At the bottom of each blog entry here you will find read only versions of all replies to the Discourse topic associated with this blog entry. I might eventually switch that to a "best of" algorithm so readers see the best comments without having to wade through dozens or hundreds of replies.

If you like what you see, Discourse is 100% free open source software, so you can easily set up the same system for your own blog. We even have a WordPress plugin to assist.

Now who's ready for some dogfooding?

[advertisement] Stack Overflow Careers matches the best developers (you!) with the best employers. You can search our job listings or create a profile and even let employers find you.

[…]

The Ruby Rails Aggregator