Say Hello to Realtime Collaboration (cssdeck.com)
107 points by binarydreams on Sept 18, 2012 | hide | past | favorite | 44 comments


Looks like you're being hacked really bad. I got redirected to Google! It was fun to watch though! Add <iframe sandbox="allow-forms"> and you'll disable javascript. Good fast fix for now, later you'll want sandbox="allow-scripts allow-forms allow-same-origin"

The 4th allowed value for html5 iframe sandbox is allow-top-navigation, which allows a script to do window.top.location.href = 'http://google.com' and redirect someone like me.
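The sandbox attribute the comment above describes, as an added example that is not code from the thread or from cssdeck: a Node-runnable helper that assembles the attribute for a live-preview iframe and flags two things a defender would check, the keyword that permits the top-level redirect seen on the demo, and the caveat from the HTML spec that allow-scripts together with allow-same-origin only holds when the framed document is served from a different origin than the page embedding it (otherwise the framed script can reach window.parent and strip the sandbox attribute from its own frame). The keyword list, the function names and the constructed sample document are assumptions of this example.

```javascript
// Added example, not code from the thread or from cssdeck: assemble the sandbox
// attribute for the preview iframe and flag combinations worth a second look.
// Pure functions, runs under Node without a DOM.

// Sandbox keywords named in the thread plus two others defined by HTML.
// Browsers have added more over time; anything unlisted is rejected here
// rather than silently passed through to the attribute.
const KNOWN_TOKENS = new Set([
  'allow-forms',
  'allow-scripts',
  'allow-same-origin',
  'allow-top-navigation',
  'allow-popups',
  'allow-modals',
]);

// Returns { attribute, warnings } for the requested keyword list.
function buildSandbox(tokens) {
  const seen = new Set();
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) throw new Error(`unknown sandbox keyword: ${t}`);
    seen.add(t);
  }
  const warnings = [];
  if (seen.has('allow-top-navigation')) {
    // The redirect seen on the demo page: framed script may assign
    // window.top.location.href and navigate the whole tab away.
    warnings.push('allow-top-navigation lets framed code navigate the top-level page');
  }
  if (seen.has('allow-scripts') && seen.has('allow-same-origin')) {
    // HTML spec caveat: if the framed document is same-origin with the
    // embedding page, its script can reach window.parent and remove the
    // sandbox attribute from its own <iframe>, escaping the sandbox entirely.
    // Serve the preview from a separate origin when both keywords are needed.
    warnings.push('allow-scripts + allow-same-origin only holds if the frame is served cross-origin');
  }
  return { attribute: [...seen].join(' '), warnings };
}

// Escape user content for placement inside a double-quoted HTML attribute
// (srcdoc carries the whole framed document as an attribute value).
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Markup for a preview frame rendering untrusted HTML/CSS/JS typed into the
// editor panes; the warnings travel with it so the embedding code can log them.
function previewFrameMarkup(userDoc, tokens) {
  const { attribute, warnings } = buildSandbox(tokens);
  const html = `<iframe sandbox="${attribute}" srcdoc="${escapeAttr(userDoc)}"></iframe>`;
  return { html, warnings };
}

// Constructed input mirroring the redirect snippet quoted later in the thread;
// without allow-top-navigation the assignment is refused by the browser.
const constructedTrollDoc =
  `<script>window.top.location.href = 'http://example.invalid/';</script>`;
console.log(previewFrameMarkup(constructedTrollDoc, ['allow-scripts', 'allow-forms']));
```

Treating the attribute as a checked allow-list rather than a free-form string is the point: the restriction is enforced by the browser for every script in the frame, which is why it holds where redefining individual functions such as alert does not.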


Warning, people are posting NSFW and potentially malicious stuff in the collaborative area linked to from the post.

As usual, as soon as HNers are no longer on HN proper, the inner troll comes out.


This needs to override JavaScript commands to keep it from malicious use. For example, to override alert() do this:

  (function()
  {
    var proxied = window.alert;
    window.alert = function()
    {
      // replacement code here
      // call original function:
      proxied.apply(this, arguments);
    };
  })();


You don't do security by picking specific cases and guarding against them.

Either do it properly or not at all.


When I redefined alert to return false, it crashed Chrome pretty bad (note: I am not the owner).

If someone really feels like policing it, they can delete the iframe element (in FF, chrome, or opera) and just have access to the editor panes (which means no alerts, redirects, or other nastiness). I'm sure someone can figure out how to write a javascript snippet that will post some text that has been cleaned of all instances of "window.location", "alert", and probably "while". (I would do it myself, but it's 1am here).


I put in return false; and it did nothing (using Chrome v22.0.1229.56 beta-m). You wouldn't want to return false anyways, alert is not defined as returning a value (see: https://developer.mozilla.org/en-US/docs/DOM/window.alert)

If you want to see what arguments are being passed, add a console.dir(arguments); to the code.


It would probably be a huge security risk just to visit the demo page if people weren't constantly pasting over each other with "MY PENIS" in HTML/CSS/JS

edit2- No proof of any security risks, not like I tried any


I don't recommend anyone visiting the demo page at work, it's not just the word "penis" getting spammed.


I would recommend doing something about the demo page. It is going to give people a bad first impression of the tool even if it is awesome.

Maybe either turn off collaboration (which would greatly detract from the value of the demo, I know), or limit things like linking to outside images, Javascript alerts, and more malicious things. With how often everything gets overwritten, it's not as though anyone is going to be able to do anything complex that requires any of those things anyway.


Too sad your site is being vandalized. Please resubmit when the trolls have moved on.


Really, Comic Sans to promote your website authoring tool, really?


You didn't get the memo? Comic Sans is ironically cool now. It was the memo with subject line: geocities is the new Tumblr.


I was reading a 2chan thread earlier today about video game related sites with absurd amounts of detailed research about the game (ROM level information, random number table information, etc), and a surprising number of them were on geocities.


Not really a new invention - see 'etherpad-lite' (also open source). Just with a little work, it would do the same...

But nice to see how all the trolls play... Maybe this is a real good idea... A contest battlefield for trolls... (as a game)


Pass the eye bleach. I don't know what STD that was, but my god, you people...


After that it's more like PTSD.


My god, visit the site, it is a shit show, but it's kinda fun

Some highlights:

window.top.location.href = 'http://www.troll.com';

function troll() { alert('troll'); troll(); } troll();


And the ascii art and canvas effects people are busting out are pretty hilarious


NSFW http://i.imgur.com/RV7na.png

I was just observing, didn't know I was stumbling on a live canvas when I clicked the link :)


I was actually testing if they had the iframes coming from a cross domain, which they were, so our ability to explode the thing is much smaller.

Poor are those who have no way to block alerts tho.


Random thought: Imagine if you could see comments on sites like HN being typed live (and the effects that would have on discussion).


Reminds me of ICQ group chats back in the day.

  You're absolu
  You're absolutely wro     (backspaces start)
  You
  I respectfully disagree
Fun days.

EDIT: better dummy conversation


Oh man, that was a fantastic feature! That takes me back...


Essentially, Google Wave.


You mean like on google wave?


Geek trolls! The most dangerous kind! This became so hilarious I couldn't keep myself from laughing out loud in my workplace.


Is there anything similar to this that doesn't require registration?

I'd love to use this for teaching HTML but I can't ask my hundreds of teenage students to all create accounts...

Collaborative isn't a must, anything with syntax highlighting and real-time previews will do.


First of all, registering takes a few seconds with twitter/github.

Secondly, it's not a must. Only you can register and share the collaboration URL with your 100s of students.

They can collaborate if they want to, or you can teach them in "Teacher Mode" - registration is not a must!

Hope that clarifies your doubts :)


Plunker has existed for a while now: http://plnkr.co and has its own little micro community. The editor (with real-time collaboration too) is at http://plnkr.co/edit/


Enjoy Etherpad at http://beta.etherpad.org and download it at http://etherpad.org :)


Similar feature has been on Plunker (http://plnkr.co/edit/?p=streamer) for a while now though, perhaps, with less polish.


WARNING... currently NSFW


Warning: graphic/gore images (not to mention irritating JavaScript alerts, etc) on the demo page. I would highly recommend avoiding it.


I think I'll do HTML/CSS/JS sessions (classes?) on this platform. If you wanna get in touch email me hello[at]cssdeck.com :)


Just like http://dump.fm only for hackers! Could be pretty awesome!!!


Really nice; I think it will be great for collaborations although the troll environment was quite hectic.


Awesome and creative but how is it useful???...people already going crazy out there..


If you actually create your own item and share with friends over the internet, there won't be such trolls available then. :P


It's an absolute shame what's happening on your demo right now. This is bad.


WOW, that is tremendously effed.


This is hilarious.


This is Internet gold.


Deserves an up-vote!

