Escape < and > (and everything else), and check the site for XSS. I don't mean to be rude, and I realize you two coded this up in a really short amount of time -- but before this site goes live it would be best to have it secure.
[EDIT] As someone else pointed out, viewing the list-of-developers page puts up the XSS, which is even worse. I didn't know that page existed.
[EDIT2] It turns out I broke a lot more than I tried to. I also own the account 'xss' which has an unclosed '<' inside of its name, and that destroys half the page. I'm really sorry, please delete that account.
[EDIT3] I broke that account even more in order to fix it. I had an unclosed script tag, so I closed it off in my 'location'. If you fix the xss in just the profile information, then the page will get messed up again.
[EDIT4] The 'test' account was deleted, but the XSS's haven't been fixed? Updated to point to a different page I had made.
Also, you missed the login form (both in the header and on http://profile.io/login). It's echoing the username directly, e.g., "Username <script>alert(1)</script> was not found"
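The login-form bug described above, as an added example that is not profile.io's own code: the "Username ... was not found" message is built first by echoing the submitted value straight into HTML and then with output escaping applied. The site runs on Python/App Engine, so this uses the standard library `html.escape`; the sample username and the `render_*`/`reflects_raw_input` helper names are constructed for illustration.

```python
# Added example, not code from profile.io. Shows why a reflected value must
# be HTML-escaped before it is placed into the "not found" message.
from html import escape

# Constructed sample input, the same shape as the value reported in the thread.
UNTRUSTED_USERNAME = 'foobar<script>alert(1)</script>'


def render_not_found_unsafe(username: str) -> str:
    """The bug: the submitted username is echoed verbatim into the page,
    so any '<', '>' or quotes it contains become live markup."""
    return '<p>Username %s was not found</p>' % username


def render_not_found_safe(username: str) -> str:
    """The fix: escape &, <, >, " and ' so the value is rendered as text.
    This also neutralises a lone unclosed '<' (the 'xss' account name case),
    which would otherwise swallow the rest of the page."""
    return '<p>Username %s was not found</p>' % escape(username, quote=True)


def render_location_attr_safe(location: str) -> str:
    """Values that land inside an attribute (e.g. a profile 'location'
    rendered as a title) need quote escaping as well, hence quote=True."""
    return '<span title="%s">%s</span>' % (
        escape(location, quote=True),
        escape(location, quote=True),
    )


def reflects_raw_input(rendered_html: str, user_value: str) -> bool:
    """Quick defender's check for a rendered page: if the raw user value
    (containing markup characters) appears byte-for-byte in the output,
    escaping was skipped somewhere on that path."""
    has_markup = any(ch in user_value for ch in '<>"\'&')
    return has_markup and user_value in rendered_html


if __name__ == '__main__':
    for render in (render_not_found_unsafe, render_not_found_safe):
        page = render(UNTRUSTED_USERNAME)
        print(render.__name__, 'reflects raw input:',
              reflects_raw_input(page, UNTRUSTED_USERNAME))
```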
Upvoted because that's a valid point, but I did consider it before just doing that.
I knew the developers of the site were looking here. I knew there was nothing critical running on this site. They were asking for feedback. Given that, it is much easier to demonstrate the places where it should be fixed than to give instructions on how to recreate each attack.
My take (dannyr and I built this) -- this is like an "about.me" but for developers. You add your GitHub account, add your programming languages, etc. And (my favorite) you add all the projects you are building -- for example when you add an Android app, it automatically links to the Android Market, pulls in the app icon, etc.
This is meant for developers to have a decent place to showcase their geek. (And the domain is cool, no?)
Thanks, love you all!
Brian and Danny @ SXSW
PS: This app was built on StartBus -- the entire site was made on a moving bus from SF->Austin :)
forrst.me also has more traction, and they are both formidable competitors, so I'd love some great selling points.
What would make your service very, very interesting is to focus entirely on creating a presentable mix of a personal homepage and a resumé - GitHub, Stack Overflow, Codelesson badges(!), and such. LinkedIn isn't that interesting in many regards, and it'd be great if you found the key to a good resumé and used that to build your foundation on.
forrst.me is more of a social web discoverability tool, while flavors.me creates easy-to-make web presences.
I don't see the niche argument applying to a service that basically isn't a community; there is no in-service exchange between the users.
flavors.me has a better design and presumably offers more service hooks than profile.io.
Saying that profile.io is a niche product in the light of flavors.me just seems like PR-ish for "less appeal". :)
If it's vertical, it can't be the same as a service with a wide appeal.
From what profile.io looks like to me now, it's just flavors.me with poorer design and less traction. You can try to beat flavors.me in design (good luck with that), or you can try defining your own project and set it apart from the competition.
Information on profile.io is very scant, so I know very little about the project. I'm outlining a gap I'd like to see someone figure out and fill. I hope the project wasn't inspired by AOL's acquisition of about.me, because people in the Valley still can't wrap their brains around that. :)
You are comparing a 3-day version of Profile.io to a 2+ year-old site. We have plans that would differentiate ourselves from the other services out there but we can't build all of them in a matter of days.
It is not entirely inspired by About.me but we got some inspiration from it mainly with the design.
If you look at my previous HN submissions, Profile.io is a byproduct of my previous project - Launchset. It's just a much simpler version.
Seriously though, why the negativity? As somebody who loves to build apps, I never judge other people's apps in their initial version. All ideas/apps evolve.
I have spent more than 30 minutes of my time giving you suggestions for your service and outlining challenges that lie ahead.
If the about.me and appeal remarks seemed hostile, it was because I didn't know that I was talking to one of the creators. (Like I've said before, HN needs to highlight that somehow.)
If that's not positive, I honestly don't know what is. And to give you some honest advice (I know how you hate that, though), your attitude to feedback isn't going to help you succeed. Quite the contrary.
Helping people is a little like being a parent; to your children, you're a parent first, and a friend second. You may have to make some unpopular decisions, but they're in the best interest of the person.
Yeah, that's me -- I can't change my name, but if I could I would. I didn't realize there was the developer list and thought I would have an isolated test page.
Traceback (most recent call last):
File "/base/python_runtime/python_lib/versions/1/google/appengine/ext/webapp/__init__.py", line 517, in __call__
handler.post(*groups)
File "/base/data/home/apps/profileioweb/1.348935554744823342/main.py", line 60, in post
app = Application(email=self.request.get('email'),desc=self.request.get('desc'))
File "/base/python_runtime/python_lib/versions/1/google/appengine/ext/db/__init__.py", line 815, in __init__
prop.__set__(self, value)
File "/base/python_runtime/python_lib/versions/1/google/appengine/ext/db/__init__.py", line 544, in __set__
value = self.validate(value)
File "/base/python_runtime/python_lib/versions/1/google/appengine/ext/db/__init__.py", line 2437, in validate
raise BadValueError('Property %s is not multi-line' % self.name)
BadValueError: Property desc is not multi-line
Sure, I appreciate that you guys hacked this together under extremely tight conditions and I don't mean to be a dick about it. It's just that this is something which has the potential to be really bad, and depending on your framework you can usually fix this with a simple `debug = false` or similar.
This is great... But the link to the SO user profile is broken, at least for me... Methinks an SO username is not enough to construct a link to the profile.
Demo: http://profile.io/foobar