Looks like you're being hacked really bad. I got redirected to Google! It was fun to watch though! Add <iframe sandbox="allow-forms"> and you'll disable JavaScript. Good fast fix for now, later you'll want sandbox="allow-scripts allow-forms allow-same-origin".<p>The 4th allowed value for HTML5 iframe sandbox is allow-top-navigation, which allows a script to do window.top.location.href = 'http://google.com' and redirect someone like me.
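Added example (not part of the comment above or of the tool under discussion): a small JavaScript audit of a preview iframe's sandbox token list, covering the redirect and alert cases raised in this thread. The name auditSandbox and its finding labels are hypothetical, the token names are those of the HTML standard, and it assumes the caller knows whether the framed document shares the host page's origin.

```javascript
// Added example: audit the sandbox token list of a live-preview iframe.
// Token names are from the HTML standard; auditSandbox and its finding
// labels are hypothetical names chosen for this illustration.
const KNOWN_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// attr: the sandbox attribute value, or null when the attribute is absent.
// sameOriginAsHost: true when the framed document comes from the embedding
// page's own origin (assumption: the caller knows how the frame is served).
function auditSandbox(attr, sameOriginAsHost) {
  if (attr === null) return { scripts: true, findings: ['unsandboxed'] };
  // Tokens are space-separated and ASCII case-insensitive.
  const tokens = new Set(attr.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
  const scripts = tokens.has('allow-scripts');
  const findings = [];
  for (const t of tokens) {
    // Unrecognised tokens grant nothing, so a typo leaves the permission off.
    if (!KNOWN_TOKENS.has(t)) findings.push('unknown-token:' + t);
  }
  // Framed script may assign window.top.location and redirect the visitor.
  if (scripts && tokens.has('allow-top-navigation')) findings.push('top-redirect');
  // alert()/confirm()/prompt() are available to framed script.
  if (scripts && tokens.has('allow-modals')) findings.push('modal-dialogs');
  // Same-origin framed script can reach the parent DOM and remove the sandbox.
  if (scripts && tokens.has('allow-same-origin') && sameOriginAsHost) {
    findings.push('sandbox-removable');
  }
  return { scripts, findings };
}

// Constructed sample attribute values, paired with a same-origin flag.
const samples = [
  [null, true],
  ['allow-forms', true],
  ['allow-scripts allow-forms allow-same-origin', true],
  ['allow-scripts allow-forms allow-same-origin', false],
  ['Allow-Scripts allow-top-navigation allow-topnavigation', false],
];
for (const [attr, same] of samples) {
  console.log(JSON.stringify(attr), same, JSON.stringify(auditSandbox(attr, same)));
}
```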
Warning, people are posting NSFW and potentially malicious stuff in the collaborative area linked to from the post.<p>As usual, as soon as HNers are no longer on HN proper, the inner troll comes out.
This needs to override JavaScript commands to keep it from malicious use. For example, to override alert() do this:<p><pre><code>(function()
{
    var proxied = window.alert;
    window.alert = function()
    {
        // replacement code here
        // call original function:
        proxied.apply(this, arguments);
    };
})();</code></pre>
It would probably be a huge security risk just to visit the demo page if people weren't constantly pasting over each other with "MY PENIS" in HTML/CSS/JS<p>edit2- No proof of any security risks, not like I tried any
I would recommend doing something about the demo page. It is going to give people a bad first impression of the tool even if it is awesome.<p>Maybe either turn off collaboration (which would greatly detract from the value of the demo, I know), or limit things like linking to outside images, Javascript alerts, and more malicious things. With how often everything gets overwritten, it's not as though anyone is going to be able to do anything complex that requires any of those things anyway.
Not really a new invention - see 'etherpad-lite' (also open source)
Just with a little work, it would do the same...<p>But nice to see how all the trolls play... Maybe this is a real good idea... A contest battlefield for trolls... (as a game)
My god, visit the site, it is a shit show, but it's kinda fun<p>Some highlights:<p><pre><code>window.top.location.href = 'http://www.troll.com';

function troll() {
    alert('troll');
    troll();
}
troll();</code></pre>
Is there anything similar to this that doesn't require registration?<p>I'd love to use this for teaching HTML but I can't ask my hundreds of teenage students to all create accounts...<p>Collaborative isn't a must, anything with syntax highlighting and real-time previews will do.
Enjoy Etherpad at http://beta.etherpad.org and download it at http://etherpad.org :)
A similar feature has been on Plunker (http://plnkr.co/edit/?p=streamer) for a while now though, perhaps, with less polish.