This is

as days pass by, by Stuart Langridge

. Here I write about many things. In the past I wrote about other things but the past is past. I write code for people to play with, I write about my life on Twitter, and I write here.

On I wrote Cruciforum: crucially simple, on the subject of Web, Usability, Cruciforum, and Software.

Cruciforum

Cruciforum is a really simple web-based forum, designed to make it easy to add somewhere for discussion to go on to your website or a project. A Cruciforum forum is lightweight, doesn't require a database, and can be set up on your server in about two clicks of a mouse. It's the easy way to give people somewhere to chat about your project without installing something heavy and complex like PHPBB; just put the cruciforum install file in an empty folder and go to it in your web browser, and that's all you need to do. Whenever I see a small project's website I find myself wishing there was somewhere I could talk to people about it, and that's what this makes easy. Go get Cruciforum for all your discussion needs, assuming that your discussion needs aren't all that complicated!
Adriatic

Cool name!

You seem to be Dan Simmons fan (just like myself :-)

N.

Why does the name make me think someone's been reading too much JK Rowling... :)

Matt Round

The simplicity is refreshing, but releasing it without anti-spam/validation/anti-CSRF/throttling measures makes me wince a little. Anyone installing this version will be wide open to abuse.

sil

Matt: I'm not sure how CSRF applies here. Yes, I could trick your browser into posting as you to a Cruciforum from some other site, but then I could just go to the forum myself and post as you too. There are no identity guarantees. I can't think of a reason why I can't go to some forum you don't know about somewhere else and sign up as mattround, either. I can't fill in my email address as being yours, because I'll fail verification, but I can say "I'm Matt Round and my website is malevolent.com" on every weblog comment form in the land without any problem. Unless we're prepared to demand (not allow, but _demand_) something like OpenID or some trust metric, that's just the way it is. If that counts as CSRF, then Cruciforum isn't any more vulnerable than half the rest of the internet.


Anti-spam, yes, and http://www.kryogenix.org/bugs/cruciforum/spam-protection.html discusses precisely that.

Cruciforum, then. « Exploring Freedom with Matt Lee

[...] 18th, 2007 · No Comments Cruciforum - a really (really) simple forum, written inPHP. [...]

Matt Round

CSRF isn't much of an issue in this case, but it could be abused to make innocent users post on behalf of a spammer (when they visit a site set up by the spammer or a site compromised by XSS). You then wouldn't be able to usefully use IP for blacklisting, and if the spammer's site used HTTPS then there'd be no referer to block either.

Like I said, it's not a major issue though, particularly if the chosen anti-spam measures rely upon content and user interaction rather than IP/referer.

OpenCycleRoute » Blog Archive » Discuss

[...] while back I added a simple discussion forum for opencycleroute.org, based on cruciforum by Stuart [...]

cheap Ugg Monster

[removed as spam]

This website belongs to Stuart Langridge. Contact details are available. Don't eat yellow snow. Valid HTML5, at least in theory, except for the bits that aren't because I'm that futuristic that I'm ahead of the spec, oh yes. HTML5 help from Bruce Lawson, among others. Fonts from the superb FontSquirrel. End.