Sometime in the last week or two, Facebook “updated” their Notes application.¹ I went to paste in some text that I had already written, and it stripped out the headlines and paragraphs; the whole thing looked like one big mass of text.

What’s worse for me is that they retroactively updated part of the change: while headlines have been maintained in older notes, the paragraphs in my previous notes have been compacted in the same manner.

At first I thought they had disabled all of the HTML that they used to allow; but a search on their help pages indicated that they thought <h2> was still allowed.

So I looked at it a little closer. If I type <h2> into a note, it’s fine. It’s only on pasting the exact same text that the headlines get stripped. And I can go line by line through the now-compacted Notes text and put empty lines between each “paragraph”, and it holds, unlike pasting with extra lines. This is a lot more tedious than copy/paste.

They seem to be using a different mechanism for filtering typed text as they do for filtering pasted text. Besides being user-unfriendly (pasting text should never be different than retyping the same text) it’s guaranteed to generate interesting bugs, as one part of the code is updated (say, for typing), and another part is forgotten (paste, or vice versa).

If it had just been that, however, I wouldn’t be writing about it now. I don’t care about Facebook Notes, and can easily stop using them. Blogging, however, is harder to shake. This morning, a new Palin note came up on Memeorandum. I followed it, and got this message:

“Your changes have been saved.” Between the title and the text of someone else’s note?

My first thought was that this was just a poorly-placed legitimate message, and that somehow they’d not given me the message last night when I was testing the new Notes system. It wasn’t until I went to paste the URL into this post that I noticed, there’s a “saved” option in the URL on Memeorandum. I clicked on the link again… and got the same message.

I googled for a random Facebook note, visited it, added &saved to the URL, and got the message again. So that’s all you have to do to generate “your changes have been saved”. Presumably (I hope) it doesn’t generate any actual saving.

Memeorandum somehow harvested the URL with “?saved” in it. It’s all automated—there’s no way for Memeorandum to know what parts of the URL shouldn’t be kept. Facebook should know.

Facebook’s users shouldn’t have to know, either. You shouldn’t have to carefully prune options from a URL, guessing which ones are necessary and which aren’t.

But beyond that, it’s a bad idea to use URLs for message passing, because you’ll have a natural tendency to bypass the security that (hopefully) blocks actually performing the change you’re passing a message about.

Look, potential employer! I work for Facebook.

Hacks today aren’t just about breaking into computers. They’re social as much as technical. Being able to generate messages at will is a security issue.