Xaquseg 515 followers

Xaquseg is the system administrator for FIMFiction, as well as various misc. development, especially related to security. Non-technical problems are probably best asked to other staff members.

News Archive

  • 17 weeks
    Recent Changelog

    We've done various unannounced changes of the past few weeks so I thought I'd group up the things we've done so you guys know what's changed.

    • Added account linking page for Patreon / Twitter
    • Added ability to cross post stories, blogs and bookshelf additions to Twitter
    • Added twitter userpage module
    • Added account deletion page
    • Reorganised user toolbar dropdown to better fit more items
    • Added session management page to see logins and active sessions on your account
    • Added new articles system and moved some existing ones into it
    • Redesigned PM page a bit to be cleaner
    • Increased font size in major places across the site to improve readability
    • New cookie consent controls for EU users and updated privacy policy
    • Recommended groups list on groups page - WIP
    • Tooltips in many locations around the site with helpful tips

    Read More

    114 comments · 3,621 views
  • 17 weeks
    Help Articles

    Something I've worked on the last couple of days is adding the ability for us to add arbitrary "articles" to the site which we can use for various things. Sort of an extension on the manual articles we've added in the past like the bbcode page, writing guide, etc.

    So far I've added 3 guides:

    I'd love to know if you guys have any idea for articles that would have helped you out when starting out or anything else that comes to mind.

    65 comments · 2,995 views
  • 45 weeks
    Night Mode

    I've been working on it for ages but only really got the impetus to finish all of it off over the last few days. In the "settings" dropdown at the top on desktop, or the bottom of the slide out bar on mobile you'll find a toggle for night mode. Enjoy!

    Oh, and although I've tried to cover everything there is a 100% chance I've missed styling some things so apologies in advance for any funky pages.

    245 comments · 4,449 views
  • 46 weeks
    Additional Search Update

    Hey folks,

    Over the last few days I've added a few things to the new search system. A lot of people were unhappy with not being able to filter various things as quickly as they used to be able to. To that end, I've added a little filter dropdown to the right of the search box which effectively contains everything the old sidebar used to. It even has some niceties like quick word count filters and a highly rated filter.

    Read More

    132 comments · 3,436 views
  • 46 weeks
    December 2017 Update

    Hey guys, got a whole bunch of updates for you today.


    This is a small but important step on our way to the tagging system I envision. The existing way we handled things like characters and genres has all been merged into a single tagging system. That won't result in much difference for you viewing and using the site but it makes it a lot easier to add new tags especially.

    We now have a couple of new tag types: series and warnings.

    The series tag is for identifying what series (franchise) your fanfiction contains. I've added a whole ton of various TV shows, movies, comics, books and games but clearly we will have to add a ton more in the coming future. Stories must also contain one of the four MLP tags which are FIM, EqG, Movie and Comic, as this is a pony fanfic site after all. Feel free to bug me on Discord if you have a requirement for a series to be added.

    Read More

    630 comments · 12,229 views
  • 47 weeks
    Math BBCode tag

    I've added [math] and [mathblock] BBCode tags, which can be used to display formatted math. We've had a few requests for this, particularly for group forum threads and blog posts. Most math-related TeX syntax is supported. (We are currently using MathJax to handle the layout.)

    The documentation from the BBCode guide is repeated below for your convenience.

    Read More

    84 comments · 2,977 views
  • 70 weeks
    Fimfiction API

    If you're not a developer you can probably ignore this post.

    It's been like 6 years, but hey, things take time. The API is currently very WIP still but it's ready for people to get working on in our development chat room.

    API documentation can be found at https://www.fimfiction.net/developers/api/v2/docs and you should join the Discord Chat and PM me to add you to the private API channel and I can help you get started. The functionality is very limited right now but I'm dedicating all my time to it at the moment and would love to have people add their input to the process.

    60 comments · 5,777 views
  • 74 weeks
    New BBCode Tags

    Hey guys,

    One of the features in this new update was reader-side paragraph formatting. This helps improve consistency for readers across the site, especially for those of us who can’t stand reading indented text on a computer screen.

    However, one thing that wasn’t accounted for was the legitimate need for specific indenting of passages and for certain blocks of text to have no paragraph formatting. Some examples would be lyrics and poetry.

    Taking this into account, we have come up with a couple of new tags that remedy this situation which are documented below (copied directly from the bbcode guide)

    [indent] Indent

    The indent tag can be used to, unsurprisingly, indent portions of your text.

    [indent]The indent tag can be used to, unsurprisingly, indent portions of your text.[/indent]

    It also support levels of indenting

    Read More

    168 comments · 5,334 views
  • 75 weeks
    Fimfiction 4.0

    It’s been a very very long time coming, but we’ve finally updated the site again. this is by far the biggest update we have ever done. There is a cavalcade of new features but the biggest changes are under the hood and affect how easy it is to extend the site and performance. A change log of everything I can remember can be found below.

    There are bound to be unforeseen bugs. If you come across anything major please let us know in the comments (or preferably in the #site-help-and-dev discord channel).

    Miscellaneous / Site Wide

    • Dropped support entirely for pre-IE11
    • Updated inline searching across the site to order much better. Eg. Typing "Ra" into the tag selector actually shows Rainbow Dash first. On shorter lists like bookshelves, we use a different algorithm that lets you type things like "ril" and it’ll prioritise a shelf called "read it Later".

    Read More

    1,363 comments · 19,850 views
  • 75 weeks

    So, emojis are now supported all over the site. Go have fun and stuff.

    oh god what have we done

    192 comments · 4,623 views

Site Update » TLS for all users · 1:31am Mar 22nd, 2017

We have implemented TLS site-wide as an unconditional redirect. (http -> https) This improves security site-wide for all users, and shouldn't have any negative effects, performance or otherwise.

Report Xaquseg · 3,776 views ·
Join our Patreon to remove these adverts!
Comments ( 90 )


More secure!

~Skeeter The Lurker

cool! I'll say that to hide the fact I have idea what this does.

And could you explain that to those of us that are not tech savvy, please? lol
Tell it like you're trying to explain it to a Neanderthal or a Marine :rainbowlaugh:

...Could someone who actually understands this explain what it means, please?

Server Administrator

Before only some users were using encryption to access the site, now all users are using encryption to access the site.

Wow, thanks for the update... I'm surprised I didn't notice the switch. :\
But that's cool. It should make things better all around, security wise. ^^

what does it mean please

So, in short: Encryption went from 'optional', to 'mandatory', correct?


This improves security site-wide for all users

4466972 i know what does that mean i'm sorry if i'm not getting it

Basically means the site has less of a chance of being taken down by illegal means.

4466962 I'll confess that I was among the some who were not using encryption access (using http instead of https), mostly out of a habit of leaving a bunch of tabs open and not wanting to go through the effort of re-finding all of them under the encrypted version of the site.

But now I've just noticed that every time I try to go an http page, it automatically redirects me to the https version. In other words, all the tabs I have open can now be switched over to the encrypted version simply by refreshing the pages, so that'll make this change a lot easier for me to deal with.

4466974 oh okay thanks i needed to know thats good i guess

I'm secure in the knowledge that the level of security on this site can lay all my insecurities to rest.

Majin Syeekoh
Story Approver

I've been using HTTPS from the beginning, I'm surprised it took this long for it to be automatic.

I have no idea what the hell that means, BUT IT MAKES ME FEEL 20% SAFER!!!!


....It wasn't before?
(HTTPS Everywhere woohoo!)

4466976 Security protocol meaning initial log on between your computer and the website has an individual encryption coding put on all back and forth data. The idea being no-one can eavesdrop or tamper with it in between. Notice the url title on this page now starts with https instead of http. Mainly this is to protect your name and other private details from being taken for identity theft. So it's a good move.:pinkiehappy:

Great change.

Anyone else still unsure this is the page for Firefox explaining it in more detail for their browser but the basics should hold true for all browsers.
mixed content for Firefox

4466994 Just spotted you here, just a heads up for interest.:twilightsmile:

Nice! Thanks, site staff!

:unsuresweetie: Time for an SSL image proxy next! (He says while linking to a non-secure static file host.)

It provides reasonable protection against an actor from reading the information you're transmitting (eg, your account password), or from hijacking your connection to the website and serving you something different.

It doesn't even necessarily have to be technically malicious. For example, some wireless networks will attempt to hijack your connection in order to insert their own ads on the pages you visit. They can't do that on HTTPS.

However, HTTPS does not prevent someone from getting the IP of the website you go to, and that can be trivially matched to the website itself. So bad guys can still know you're reading horsewords, they just don't know which ones and can't steal your account info over the network.

This does not mean we can change passes to 123456 now or the what not, it just means https everywhere is not nessiceary.

When you realize that before this change somebody could potentially see what clopfics you were reading :pinkiegasp:

It didn't work. I'm still insecure.

Righto. Thanks, lads. But it does not say I am secure, unlike before.

Jolly Good.

Nice! It's always good to see better security features implemented.

Well, that explains the random crash last night.

Hrm. Firefox is claiming now that parts of the site are not secure.

Server Administrator

We do have plans to resolve the mixed content warnings caused by images over http, but those don't create very many security risks, so it's not a large enough issue to delay this change.

I've always wondered what the difference between Http and Https was

Hopefully it turns out for the better.
At least It should. It's important and nothing too major just some harmless coding updates.
That or FimFic Skynet happens.

4467119 Maybe it doesn't create too much of a security risk, but privacy...
Anyway, thanks for doing this; I couldn't tell you how many times I'd be on this site and realize I forgot to type https!

Server Administrator

It's only a privacy risk vs. not having mixed content. This change does not reduce user privacy, there's just more we can do to improve it.

Comments like those are just daring someone to launch something like a CSRF attack.

I linked to an image on lithl.info earlier. I have root on lithl.info, and I could easily reconfigure it from serving static content to serving dynamic content, then write a malicious script and have the previously linked image execute that script any time someone views the image. It helps that the image isn't actually being added to the DOM until someone clicks the URL, but that just means the malicious image won't execute on page load, and it doesn't stop a malicious image in a blog post or story chapter.

It's one thing to allow mixed content on your page. Publicly dismissing the danger of mixed content is something else entirely.

Server Administrator

<img> tags cannot execute client-side code, anything that is not an image is rejected by the browser. Additionally, images are the only resource the browser will allow a https: page to load off an http: domain.

What you are describing is the danger of cross-site resource inclusion, which is an entirely different problem. Additionally, you are describing XSS, not CSRF.

The two things you can do with the image included over http that wouldn't be possible if it was https are:
1. Observe the image being loaded if you can passively snoop on the user's internet connection, possibly identifying which page they loaded based on the URL of the image requested.
2. Replace the image with another image if you can actively modify the user's internet traffic.

I may have phrased that badly; I didn't mean to imply that you'd somehow created a privacy risk, sorry for making it sound like I was

Login or register to comment
Join our Patreon to remove these adverts!