
So, I will change the secret word for now (1-2 hours) to fix some stuff the users mentioned here (thanks!). And to the one who posted the snake game, stop it, I need to code! ;)

After that, the word will be the same as before.



Since you can insert arbitrary JS, it feels like you could write a loop that ajax posts a bunch of new webspaces when someone visits a webspace. Might look into protecting against that.


Just for now. Later, after the beta (which is nearly finished), no external stuff will work, just the basics. But you’re absolutely correct!


src and href are now forbidden tags. That should filter out most of the crap.


The site doesn't seem to work, says "Wrong secret word" for hackernews.

Is there a list of pages people have made?

So without src & href you can't have links, which seems like a massive limitation. Was trying to submit a personal site with external links, guess it's no use now.


There's srcset, and things like generating content with JS, inline CSS base64 images (background: url(data:...)), and lots of other loopholes. The author is going to re-live a lockdown path many others have gone through ;)
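
The point in the comment above, as an added example that is not part of the thread or the site's code: a blocklist that strips only `src` and `href` leaves `srcset`, inline `style` and `<script>` untouched, while an allowlist that copies only known tags and no attributes removes them. `naive_blocklist` is a hypothetical stand-in for the site's filter, and the tag policy and sample input are assumptions constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example; not the site's real filter.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "pre", "code"}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}

def naive_blocklist(html):
    """Hypothetical stand-in for 'src and href are forbidden': strip those two attributes."""
    return re.sub(r"""\b(?:src|href)\s*=\s*("[^"]*"|'[^']*'|[^\s>]*)""", "", html, flags=re.I)

class AllowlistSanitizer(HTMLParser):
    """Keep only known-safe tags, drop every attribute, escape all text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0   # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")          # attributes are never copied

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:                        # an unclosed <script> drops the rest (fail closed)
            self.out.append(escape(data))

def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()                               # flush buffered text
    return "".join(parser.out)

# Constructed sample input covering the loopholes named in the comment.
SAMPLE = (
    '<p onclick="x()">hi</p>'
    '<img src="a.png" srcset="https://example.invalid/a.png 1x">'
    '<div style="background:url(data:image/png;base64,AAAA)">box</div>'
    '<script>document.title = "generated"</script>'
)

if __name__ == "__main__":
    print("blocklist:", naive_blocklist(SAMPLE))
    print("allowlist:", sanitize(SAMPLE))
```
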


The problem is, when you allow clickable links, you can't count the spam sites or the ones with evil code.


Filter for username and text is online, thanks to the users! hackernews is the secret word again. :)


Is it working? I've got my code ready :)

  <style>#b{--s:12vmin;--w:100vmin;--h:calc(var(--w) / 2);position:relative;width:var(--w);height:var(--w);margin:auto;animation:spin 4s linear infinite;transform-origin:center}@keyframes spin{100%{transform:rotate(360deg)}}#b b{font:var(--s) monospace;height:var(--h);position:absolute;width:var(--s);left:calc(var(--h) - var(--s)/ 2);top:0;transform-origin:bottom center}</style><div id=b><script>for(i in s="because circular reasoning works ",s)b.innerHTML+=`<b style="transform:rotate(${360*i/s.length}deg)">${s[i]}`</script>


Would work.



