Comments
topic: The Site
SgtKabukiman (Norway), 9 years ago

Well, I can ban him or simply reject the run. I would prefer the latter, as it's probably as you've mentioned not done for malicious reasons. Is that okay for you?

topic: The Site
SgtKabukiman (Norway), 9 years ago

Fixed, thanks for spotting!

topic: The Site
SgtKabukiman (Norway), 9 years ago

Should be fixed. Sorry. Thanks for noticing!

topic: The Site
SgtKabukiman (Norway), 9 years ago

... the fuck. Looking into it.

topic: The Site
SgtKabukiman (Norway), 9 years ago

I deployed new code and it seems one API change slipped through my testing. I'm terribly sorry.

topic: The Site
SgtKabukiman (Norway), 9 years ago

Very nice catch, Gyoo. Seems like we have some encoding issues. Gonna fix that hopefully later today.

topic: The Site
SgtKabukiman (Norway), 9 years ago

The double HTML encoding in the search box has been fixed. The saving-guides option is something we'll have to take a look at.

Thanks for reporting these issues. :)

topic: The Site
SgtKabukiman (Norway), 9 years ago

mobiusman, we can adjust session durations later. At the moment the default server config (which is out of my reach) handles expiring sessions, which leads to frequent logouts at the moment.

Using a different session backend will allow us to fine-tune the session timeout, but it's not on the "pressing issues" list. Thanks for your feedback though!

topic: The Site
SgtKabukiman (Norway), 9 years ago

Thanks for noticing, Klashik, this bug has indeed been introduced lately and is fixed now. I fixed the game title for you already.

topic: The Site
SgtKabukiman (Norway), 9 years ago

Welcome back, oh dearest and most patient friends,

it took a while, but the site should now be a little bit more secure. I was focussing on the most pressing issues, trying to find a balance between reworking most of the things and making the site and its data available again.

So please, if you find security issues, do not hesitate to tell us in private. I promise, security reports will be taken seriously and we will fix them ASAP.

For now, the following things have changed:

  • In most places, instead of removing a bunch of seemingly evil characters, HTML encoding is now in place. With this, we now allow for basically all characters in game/categories/variables names. Usernames are still restricted, though. This might change in the future.
  • The username/password cookies are gone. If you still have those, they will be automatically removed (so to be 100% accurate: if you are reading this, your cookies are already gone). Instead, we now issue simple session cookies that will be deleted when you close your browser. Yes, this means you now have to log in more frequently. The session cookies are httponly, so they are not accessible from JavaScript (and hence safe against XSS attacks).
  • Instead of MD5, passwords are now hashed using bcrypt (with a cost factor of 10). All existing hashes will be automatically upgraded to bcrypt on the first login of each user. Using bcrypt instead of MD5 dramatically improves password security in case an attacker gains access to the database.

With all that being said, there are still open issues:

  • CSRF attacks are still possible. It will take time to convert all state-changing requests to POST and introduce a CSRF token. We're working on it.
  • Everything is still using HTTP. I'm not aware of concrete plans to change this. Using CloudFlare's "halfass" SSL would be an option, even though I personally would much rather see a simple cert on sr.com itself.
  • It's very possible that I introduced a few bugs into the site. I'm sorry, but that's the way things are. Please report them, so we can fix them.

Thanks for your patience during the outage.

Lighnat0r, Joshimuz and 14 others liked this
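The post above describes two of the changes only in outline: MD5 hashes are upgraded to bcrypt (cost 10) on each user's first login, and the new session cookies are HttpOnly. The following is an added example of how that upgrade-on-login flow and the cookie settings fit together in PHP (the site's language, per a later post); it is not speedrun.com's code. It assumes PHP 5.6 or newer for `password_hash()` and `hash_equals()`, and the `$users` array is a constructed stand-in for the real user table; `isLegacyMd5`, `verifyAndUpgrade` and `startSecureSession` are hypothetical names.

```php
<?php
// Added example (not speedrun.com's code): upgrade legacy MD5 password hashes to
// bcrypt on a user's first successful login, and issue an HttpOnly session cookie.
// Assumes PHP >= 5.6 (password_hash, password_verify, hash_equals).

const BCRYPT_COST = 10;  // cost factor mentioned in the announcement

// Constructed sample store: 'alice' still has a legacy MD5 hash, 'bob' is already on bcrypt.
$users = array(
    'alice' => array('hash' => md5('correct horse')),
    'bob'   => array('hash' => password_hash('battery staple', PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))),
);

// A throwaway bcrypt hash, verified against when the username does not exist, so a
// lookup failure takes about as long as a real verification.
$dummyHash = password_hash('dummy', PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));

function isLegacyMd5($hash) {
    // MD5 hex digests are exactly 32 hex characters; bcrypt hashes start with "$2y$".
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $hash);
}

function verifyAndUpgrade(array &$users, $username, $password) {
    global $dummyHash;
    if (!isset($users[$username])) {
        password_verify($password, $dummyHash);
        return false;
    }
    $stored  = $users[$username]['hash'];
    $options = array('cost' => BCRYPT_COST);

    if (isLegacyMd5($stored)) {
        // hash_equals() compares the two digests in constant time.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // The plaintext is only available at login, so this is the moment to rehash.
        $users[$username]['hash'] = password_hash($password, PASSWORD_BCRYPT, $options);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // If the cost factor is raised later, existing bcrypt hashes get rehashed the same way.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, $options)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return true;
}

function startSecureSession() {
    // lifetime 0: the cookie lasts until the browser is closed (a "session cookie").
    // httponly true: JavaScript cannot read it, which is what blocks cookie theft via XSS.
    // secure is false here only because the post says the site still runs over plain HTTP;
    // it should be true as soon as TLS is in place.
    session_set_cookie_params(0, '/', '', false, true);
    ini_set('session.use_only_cookies', 1);
    session_start();
}

// Walk-through on the constructed store.
verifyAndUpgrade($users, 'alice', 'wrong password');   // rejected, hash stays MD5
verifyAndUpgrade($users, 'alice', 'correct horse');    // accepted, hash is now "$2y$10$..."
verifyAndUpgrade($users, 'bob', 'battery staple');     // accepted, already bcrypt
echo substr($users['alice']['hash'], 0, 7), "\n";
```

The upgrade is transparent to users because the only time the server sees the plaintext is during a successful login; until then the MD5 digest has to stay in the table, which is why the announcement says hashes are upgraded "on the first login of each user" rather than all at once.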
topic: The Site
SgtKabukiman (Norway), 9 years ago

^ This post sounds like an echo of what I have been preaching in October-November '14. But then I gave up.

SgtKabukiman (Norway), 10 years ago

I was instructed in #tdawg91 to post this:

http://i.imgur.com/rSwhX1O.png

Thank you.

Zachoholic and guywith liked this
topic: The Site
SgtKabukiman (Norway), 10 years ago

You learn something new every day...

topic: The Site
SgtKabukiman (Norway), 10 years ago

And the leaderboards would remain empty because there are no mods for the game and submitted times by people would just pile up and never be verified. That would make sr.com seem dead.

topic: The Site
SgtKabukiman (Norway), 10 years ago

The server it is hosted on underwent some substantial software updates. Nothing specific to speedrun.com, as far as I can see.

topic: The Site
SgtKabukiman (Norway), 10 years ago

[quote]maybe its not so important, but still - here are no SEO at all. no page descriptions, no keywords, nothing for Engines to understand that this site is good.[/quote]

Just to make this one clear: Search Engines are basically ignoring meta tags nowadays. Adding them is mostly pointless for "SEO purposes" and has certainly nothing to do with being easy to find on Google.

topic: The Site
SgtKabukiman (Norway), 10 years ago

I've implemented the auto-updating WRs based on the SRR API now. PogChamp

All GTA WRs are updated every 15 minutes. I also added IV, VCS and LCS to the command list (so !wr_lcs became available), but skipped GTA 1 & 2. Don't know why, just think nobody cares anyway :D

topic: The Site
SgtKabukiman (Norway), 10 years ago

  • Fix empty topics when the only posting within it has been deleted (see my test topic in this category or every other topic with -1 posts).
  • (maybe) do not allow editing posts in the forum forever. Maybe it's a good idea to prohibit editing after ~1 week or 24 hours or so.

topic: The Site
SgtKabukiman (Norway), 10 years ago

  • Resolve ambiguous URLs: What is srr.com/mario? The user mario or the game mario? Why is srr.com/pac not the game "pac", but the user pac? => Introduce small prefixes, like srr.com/u/pac, srr.com/g/gta, srr.com/s/mario ...
  • The top menu links to "/user/SgtKabukiman", but within my profile, the links point to "/SgtKabukiman". This surely ties together with the previous point.
  • Fix the HTML (it's not just making it pretty, it's FIXING hundreds of errors and usages of deprecated elements)
  • Introduce sessions and proper password hashing (bcrypt/scrypt) (PHP 5.3+)
  • Consider using a CDN to at least fetch jQuery, if not all assets.
  • Do not strip tags for security, but rather use proper output escaping (this is subjective).
  • (I could go on, but most of the stuff I would suggest is not features, but boilerplate stuff ;))
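
The "output escaping instead of stripping" point above is the same change the later announcement describes (HTML encoding in place of removing "evil" characters), and the "double HTML encoding in the search box" bug fixed in between is the classic pitfall of that approach. The following is an added PHP example, not the site's code, showing both: a blacklist strip that mangles legitimate names versus `htmlspecialchars()` at output time, and how applying the escape twice produces visible `&amp;amp;` while the `double_encode` flag avoids it. The game name and search term are constructed; `stripDangerous` and `escapeHtml` are hypothetical names.

```php
<?php
// Added example (not speedrun.com's code): stripping characters vs. escaping on output,
// and the double-encoding bug that the escaping approach can introduce.

// Old approach: delete a blacklist of characters. Legitimate data is destroyed, and any
// character the list misses is still injected unescaped.
function stripDangerous($s) {
    return str_replace(array('<', '>', '"', "'", '&'), '', $s);
}

// New approach: store the data untouched and escape it where it is placed into HTML.
// ENT_QUOTES covers both quote styles so the value is safe inside attributes as well;
// double_encode=false (4th argument) leaves entities that are already encoded alone.
function escapeHtml($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', false);
}

// Constructed inputs that legitimately contain characters a blacklist would remove.
$gameName   = "Tom & Jerry: <Fists of Fury>";
$searchTerm = "R&D";

// 1. Stripping loses the ampersand and the angle brackets entirely; escaping keeps the
//    name intact and the browser renders it literally instead of interpreting it.
echo stripDangerous($gameName), "\n";
echo escapeHtml($gameName), "\n";

// 2. Double encoding: a value escaped once (e.g. stored encoded, or escaped by the
//    controller) is escaped again by the template that fills the search box.
$once  = htmlspecialchars($searchTerm, ENT_QUOTES, 'UTF-8');  // "&" becomes "&amp;"
$twice = htmlspecialchars($once, ENT_QUOTES, 'UTF-8');        // "&amp;" becomes "&amp;amp;"
$fixed = escapeHtml($once);                                   // existing "&amp;" is left as is
echo $once, "\n", $twice, "\n", $fixed, "\n";

// 3. The usual rule that avoids the problem without relying on double_encode: keep raw
//    data in the database and escape exactly once, at the single point of output.
function renderSearchBox($rawTerm) {
    return '<input type="text" name="q" value="' . escapeHtml($rawTerm) . '">';
}
echo renderSearchBox($searchTerm), "\n";
```

`double_encode=false` is a safety net, not a substitute for a clear rule about where escaping happens: if the same string can arrive already encoded from one code path and raw from another, the fix is to make every path pass raw data and escape once in the view, which is what the prefix-free `renderSearchBox()` above does.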

topic: The Site
SgtKabukiman (Norway), 10 years ago

I was thinking about implementing an auto-detecting !wr command, but that would have several drawbacks:

  • I would have to poll the Twitch API regularly. That means 1 request per channel per ... maybe 5 minutes? 10 minutes?
  • The "game" info is not always correct (think of multi-game races or the streamer just forgetting to change it)
  • I have to infer the category from the stream title. This might be simple for some cases (I think S. makes it pretty clear in his title, but others? Not always.) And I have problems with doing language recognition ("GTA San Andreas cheat%" is what exactly? What about "GTA San Andreas (no, not 100%, but any%!)"?)

I specifically saw this "guess game from stream info" stuff in SauceBot, but decided against going down that road. It leads to all sorts of problems and misunderstandings.

Now, for the "!wr sa" command (the one where the user has to specify game and category). That could be done, even though I currently don't see much benefit from doing "!wr sa any" over "!wr_sa_any".

This could be a very useful thing once SRR becomes more popular and I would otherwise have to maintain a large list of explicitly named commands (!wr_sa_any, !wr_sa_100, ...). But it opens the question, who should be able to use !wr and with what game? Do you want your chat to spam and test what possible arguments to !wr are allowed? Do you want to grant this for every game separately?

For now, I will concentrate on getting the API to feed my already existing commands. I've put the !wr stuff on the backlog though: https://trello.com/c/XA5Xlc4G/19-consider-a-generic-wr-command

About SgtKabukiman
Joined: 10 years ago
Online: 4 years ago
Runs: 0