Using ES6 in the KA webpage environment is obviously desirable. And unlike the Processing.JS environment, it’s quite feasible.

For detail on how and why KA parses your HTML, see this post, which seeks to answer how to disable Slowparse for large swaths of HTML.

The trick

If, however, you merely want to disable KA’s parsing of your Javascript, you can put your Javascript inside a script tag with the type set to application/javascript.

Unfortunately, because KA doesn’t completely clear the window before re-running code, you can’t use const or let.

This technique also has the benefit/risk of bypassing KA’s infinite loop protection.

How it works

Slowparse tries to follow the HTML spec as closely as possible, so it ignores script blocks that don’t have a script type set to text/javascript (or unset of course). Browsers, on the other hand, will run code with a script that is any of the valid MIME types (or unset, or an empty string).

Example

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>Example</title>
</head>
<body>
    <script type="application/javascript">
        // `var` because `let` and `const` still don't work  
        var test = () => {
            console.log("Hello");
        }
        test();
    </script>
</body>
</html>

1. Legolas posted an article to the community help center. In summary, it called for
   • More transparency after Guardian actions (e.g. messaging banned people why they were banned)
   • More consistency around Guardian action
   • More appropriate disciplinary actions following breaking the rules (e.g. not hiding all programs after discussion infringements)
2. I posted a follow-up comment. It included:
   • A comment on the length of time over which KA has had issues with moderation
   • An appeal for the most highly voted program on KA to be restored
   • A list of prominent community members who had been banned. Here is that list:
     • HFM4
     • TJ
     • Light Runner
     • Gamechief999
     • The #1 Base 12 Proponent
     • Jett Burns
     • Loki
     • Thomas Li
     • Prometheus
     • Matthias
     • Isaac Emerald
     • Green Ghost
     • BB-8 (Squishy Caterpillar)

     To disclaim: I am not commenting on the fairness of these bans.

3. Legolas’s comment and my comment were edited to remove information about people’s bans.
   • Apparently moderators in the Help Center can edit comments
   • The original comments I saved here.
   • Legolas’s comment was edited to remove any reference to #1 Base 12 Proponent and Isaac Emerald.
   • The list of users, as well as the reference to UTD were removed from my comment
   • Faile Lundberg, the Community Liaison, commented. Some excerpts:
     • “Several posts…mention specific users…in connection with banning actions,…which violates our Community Guidelines”
     • “We’re actively considering how we can incorporate your feedback.”
     • “a link to information about our Ban Appeal form,”
4. I was banned from Khan Academy, and all programs over 30 votes were hidden. (~5:30 PM EDT)
   • Terra Magma was removed from the top-list
   • I did not receive a guardian message or any communication indicating why this would be
5. Photonic Symmetry posted a comment pointing the irony of banning me while we attempted to discuss unfair bans

6. Faile Lundberg reached out to me, both on Zendesk and with a Guardian message to clarify the reason for my ban. (8:39 PM EDT)

   I worked with our Guardians to look at what prompted the recent ban on your account, and it looks like it was due to a link in the comments of one of your programs that advertised off-site content (it was removed by moderation yesterday).

   This was a minor offense and you haven’t had any interactions with the Guardians in a year, so I don’t think a ban was warranted, and we’ve reversed it.

   • I had indeed posted some comments with offsite links that showed up on the first page of my discussion history, and that is indeed in violation of KA’s rules
   • However, it is difficult to believe that it is a coincidence that this wasn’t an issue until now, and is now ban worthy.
   • Faile Lundberg did indeed un-ban me, and unhid all my programs.
     • This is possibly the first time KA has unbanned and unhid a user’s programs, proving that it is possible
     • Most of my programs are now marked as Guardian approved, which is interesting
   • I, of course, thanked her, and mentioned that there were many KA users in a very similar position to me who had not been banned
7. Faile Lundberg posted another comment on the main thread, stating that “I’ll be bringing the concerns you’ve raised…to the team”

And we waited.

A couple days ago, October 12th, Faile Lundberg commented again on the thread, posting their resolution. In short, it was a commitment to better train Guardians to moderate and communicate more clearly and consistently. Additionally, she mentions that guardian applications have been re-opened.

Concerns were raised. Legolas in particular describes the community’s feelings well, when he says,

I think my first two points were addressed quite well.

However, I was wondering if the team happens to have any response about my third point, which is assigning more appropriate disciplinary actions to bans

How KA further responds or implements what they’ve promised, remains to be seen.

Legolas’s Original Post

Hey there, Many of the older members of the KA computing platform know who I am, but some of the more recent additions to the community may be less aware of who I am so I’ll give a quick introduction to give a bit of credibility to this post. I’ve been an active member of the KA community for five years now. I used the math section through high school, I used the SAT prep to prepare for college entry, and throughout it all I was a programmer in the KA computer programming community. I was one of the people who created graphics and programs that newer people looked up to, and over the years I collected a large following of supporters of the KACP area. Two or three years ago I also became a support advocate and helped out here on the help center when I could. Now I’m a junior in college. While I’m not as active as I wish I could be, I make programs every now and then and have kept up a daily streak of more than 1300 days. I also am the owner of the largest Discord server dedicated to KA with hundreds of members joined. All that goes to say, I would say I’m an experienced, mature user of the community who has contributed and received significantly from the site. I really appreciate what KA has given me and I’d like to give back in any way I can. Which leads me to this post. As I became more and more involved with KA, especially when I started the Discord server two years ago, I began to hear stories from members of the community regarding the guardians on the site. Personally, I really appreciate the force of Guardians. It takes a lot of dedication to moderate a website at all, not to mention one filled with younger people. Throughout all the shared experiences and personal observations I’ve come up with a list of changes that I believe are necessary for the Guardian system. The Guardians are intended to be a group of moderators enforcing the rules to keep everyone safe. This includes child-accounting underage users, banning users engaging in inappropriate activities, and moderating chatting like tips and thanks and questions. Obviously, that’s a great thing. It’s important to have a group of people behind the scenes helping to do this. It’s beneficial to KA as well to recruit volunteers to perform these tasks. And KA has measures taken to ensure that Guardians who are hired are indeed working to make Khan Academy a better place. But at the end of the day, there are issues with the Guardian system. What I’ve pondered and discussed for months are three simple problems which have simple solutions. I’ll go into more detail about these problems below the bullet points.

• Guardians need more transparency
• Guardians need more consistency
• Guardians need more appropriate disciplinary actions

1. Guardians need more transparency

The Guardian position is all about making sure users are following the Guidelines. For example, if a Guardian finds evidence that a user is underage then the user is child-accounted. However, the Guardians have the ability to perform actions like these without the user even knowing what happened. There is the ability for a Guardian to send a special “Guardian message” but there is no way to respond to the message if the user is confused or has questions about what the message is about. I believe that the Guardian system should be much more transparent. Every time a significant action (Ban, child-account, etc) happens, a Guardian message should be mandatory. I’m not aware of a place where there are records of Guardian actions on accounts, but if there is no recording system there should be one to hold Guardians accountable. In addition, there should be a contact within the Guardian message for the user to be able to contact either the Guardian or a Help Center representative for more clarification regarding the Guardian message. With the current system, abuse of power is very possible, and according to some accounts I have heard, it may already exist.

2. Guardians need more consistency

Disciplinary actions are necessary according to the nature of Khan Academy. It’s important to not only incorporate more transparency but also more consistency regarding the actions taken on users. From many accounts I’ve heard over the years, the Guardian system is inappropriately inconsistent with discipline, especially regarding bans and warnings. I’ve heard of some users given warning after warning without further consequences, while others are banned for minor infractions. If there was more transparency regarding these actions, I believe the problem of inconsistent discipline would be solved. Ideally, reasons for each action would be recorded along with any communication regarding the action. Therefore, consistency would be encouraged as a secondary consequence of transparency.

3. Guardians need more appropriate disciplinary actions

I think there are two common actions which Guardians do that are excluded from this point: Discussion edits and child-accounting. For obvious reasons these are not really actions that can be inappropriately used. On the other hand, banning is an action that can be and has been used in ways far exceeding the “crime.”

Since this is one of the most important points I will include several examples of how banning has been inappropriately used to discipline users.

Banning is considered the ultimate punishment besides actually deleting a user’s account. As far as I know, there are multiple levels of a ban that last varying amounts of time. During a ban, the user’s discussion ability is removed, and projects above a certain vote limit are hidden.

That might sound fine, but at the end of the day, it really isn’t.

Several years ago, a user called the #1 Base 12 Proponent (#1B12) was banned. As it says in his current bio, #1B12 wasn’t exactly the most polite user. He was known for making some harsh comments before his ban. However, there is another factor in the mix. #1B12 was also the creator of the top program in the whole KACP community with ten thousand votes, and multiple more projects with thousands of votes. When he was banned, these projects were hidden, permanently. Some of these projects were the core programs in the community, inspiring, entertaining, and educating literally thousands of students.

Isaac Emerald was also a popular programmer who contributed many, many programs as well. Most of them had hundreds or thousands of votes. For years, Isaac Emerald was one of the most inspiring programmers contributing some of KA’s best projects. Hundreds and hundreds of users learned from his code. However, Isaac released a project with religious hints over the summer. The project was hidden, and Isaac spoke up. He was promptly banned, with all of his projects hidden.

#1 Base 12 Proponent and Isaac Emerald were both well known programmers who made mistakes that may have warranted disciplinary action. But did their relatively minor crimes deserve the destruction of literal years of work and dedication? After their bans, both of the promising programmers went inactive, never to return. And they are only two users out of many who have had projects hidden and work lost from view forever.

Bans should only apply to discussion privileges. Inappropriate projects should be hidden of course, but discussion-based breaking of the guidelines should be corrected by removing those privileges.

Khan Academy is intended to nurture users and help them grow in their skills in whatever subject they are learning. How does hiding years of work help one learn anything except that one can be punished severely for a minor infraction?

None of my above points were made with a grievance towards Khan Academy. For years I’ve been a mature user and haven’t been affected at all by how the Guardians are moderating the site. My points for how KA needs improving come from a sense of wishing the site to be better.

Thanks for reading,

Legolas Greenleaf

Support Advocate and KA User

My Original Post

I agree wholeheartedly with Legolas. I want to emphasize the scope of this issue.

1. This has been going on for years. I first criticized the lack of transparency from guardian actions in Jun 2016, when Light Runner was banned for the first time, and many discussions of his ban were removed, all for unstated reasons. This issue has only gotten worse, in part as KA has moved from volunteers to contracted moderators. This shift has negatively effected the KA CP section, if not the site as a whole.
2. The sheer number of prominent community users who have been banned. To be clear, these bans are in some cases warranted, but in all cases there is no official reason given. I do not wish for these users to be unbanned necessarily, merely that KA would unhide some programs, and show more discretion going forward. My informal list of users that I knew that have been banned:
   • HFM4
   • Light Runner
   • Gamechief999
   • The #1 Base 12 Proponent
   • TJ
   • Jett Burns
   • Loki
   • Thomas Li
   • Prometheus
   • Matthias
   • Isaac Emerald
   • Green Ghost
   • BB-8 (Squishy Caterpillar)

Again, many of these users deserved to be banned, or have been unbanned. But they had a magnitude of popularity on Khan such that I think their programs should be restored and the reasons for their bans disclosed.

In particular, I would like Ultimate Tower Defense, which is currently the most voted program on Khan, to be restored. It would be a shame if it was passed in votes because its creator was rude. Not to mention the fact that it has been years since it was hidden.

Thank you, for recognizing the importance of communication in education,

Matthias

KA Computer Science Volunteer

KA has patched out this behavior, by adding a check to the type of data that you are uploading.

Attempting to upload data of a different type, yeilds a 400 error with the following message:

Bad data supplied: Image must be png or gif format

Uploading animated GIFs still works, and this language implies that this behavior is intential.

(They are not verifying that the image data is valid, merely that it is an image. Uploading an invalid/corrupted PNG with an intact header is allowed. The file type that you send e.g. “data:image/png;base64,” is ignored, only the base64 data is used.)

Thomas Li, the inspiration for this technique, was able to continue to load arbitrary audio less-directly, by storing it in the code of another program. Example (probably hidden by now).

It is a Python 3 script, requiring no dependencies. This is only useful to you if you know how to run Python code from a command line.

It also requires you to extract the full cookie string from Khan Academy. document.cookie doesn’t include HttpOnly cookies like KAID, which are important. I recommend finding a request in the network tab of the browser debug tools, and copying the text of the Cookie header.

It will look for a file titled image.png or image.gif in the same directory.

It will look for a cookie.txt file to extract cookies from, and will prompt you to paste a cookie at the command line if it doesn’t exist.

It will prompt for the ID of the program on which to perform the hack.

#!/usr/bin/env python3

### Copyright Matthias Saihttam 2020
### The following script is provided with no warranty, express or implied. It may break at any time, and I do not provide support for it.

import urllib.request
import json
import base64
import getopt, sys

opts, args = getopt.getopt(sys.argv[1:], "", ["debug"])
try:
    debug = opts[0][0] == "--debug"
    if debug:
        print("debug on")
except IndexError:
    debug = False

# Load an image
try:
    with open("image.png", "rb") as f:
        b64_string = base64.b64encode(f.read()).decode('utf-8')
        image_type = "image/png" # This is ignored by KA, but I set it to be nice.
except IOError:
    with open("image.gif", "rb") as f:
        b64_string = base64.b64encode(f.read()).decode('utf-8')
        image_type = "image/gif"

try:
    with open("cookie.txt") as f:
        cookie_str = f.read()
except IOError:
    print("Cookie string for the author of the program: ")
    cookie_str = input("")

cookie_data = dict([[m.strip() for m in e.split("=", 1)] for e in cookie_str.split(";")])
if debug:
    print(cookie_data)

# Prompt for program ID
program_id = input("Program id? ")

# Look up the program
req = urllib.request.Request(f"https://www.khanacademy.org/api/internal/scratchpads/{program_id}",  method="GET", headers={
    "X-KA-FKEY": cookie_data["fkey"],
    "Cookie": cookie_str
})

with urllib.request.urlopen(req) as response:
    program_data = json.loads(response.read())

if debug:
    print(image_type)

# Upload the image
request_data = {
    "title": program_data["title"],
    "revision": {
        "code": program_data["revision"]["code"],
        "image_url": f"data:{image_type};base64,{b64_string}"
    }
}
headers = {
    "X-KA-FKEY": cookie_data["fkey"],
    "Cookie": cookie_str,
    "Content-Type": "application/json"
}

req = urllib.request.Request(
    f"https://www.khanacademy.org/api/internal/scratchpads/{program_id}",
    method="PUT",
    headers=headers,
    data=json.dumps(request_data).encode("utf-8")
)
try:
    with urllib.request.urlopen(req) as res:
        res_text = res.read()
        if res.status == 200:
            print("Success! Screenshot has been uploaded. It's located at:")
            print(json.loads(res_text)["imageUrl"])
        if debug:
            print(res.status)
            print(json.dumps(json.loads(res_text), indent=4))
            print(res.info())
except urllib.error.HTTPError as e:
    print("Uploading failed!")
    print(e.read())
    if debug:
        print(e.code)
        print(e.info())

Following a Hacker1 report I made in February of 2019 which mentioned this issue, KA has notified me that it has now been fixed. And indeed in my test I was met with a 401 Unauthorized error when attempting to comment while logged to a child account.

It’s good to see that KA is taking the time to fix backend API issues in the move to graphQL.

1. Improve on KA’s community management. At least 3 of the 8 current Challenge Council members have been banned from the website at some point. KA continues to tighten moderation and stifle conversation, recently by disallowing links.
2. Improve on the live editor. The live editor has not received new features or even bug fixes in years. Processing.js is archived. It’s very difficult to write a large-scale game or modern ES6 Javascript. OurJSEditor has native editor settings, support for ES6, and is flexible, allowing anything from Markdown to P5.js.
3. Improve on KA’s website. OurJSEditor is designed to be lightweight, with the home page loading 34kb, compared to KA’s 1,200kb (113kb vs. 7,676kb total). And it’s entirely open source.
4. Other countless features, like the ability to subscribe to a user natively. And as OJSE is in active development, it will only get better.

OurJSEditor was originally founded Feb. 13th, 2017, after Khan Academy shut down the live editor to community contributions, and rudely closed all open pull requests. A small group of KA members bet that we could make a website that matched KA’s editor, using only community contributions. I took that project and ran with it, paying for server hosting costs and doing most all of the development. However, the entire website’s code remains open source (Github), and contributions will always be welcome.

If this sounds interesting to you, I encourage you to head over to OurJSEditor.com and checkout some of the cool programs people there have been making. You can make an account to vote or comment on programs you like. And then try making a program yourself.

As I step away from KA and the Challenge Council, I will be focusing instead on other projects, like launching OurJSEditor. I am not leaving the community, and will continue to use KA, maintain the KA Extension, and hopefully enter a contest or make more programs on KA.

The Challenge Council is left in capable hands, and I look forward to seeing the contest prompts for next year.

This will definitely break projects like Collingridge’s What Badge Next?, which make use of these endpoints. But what is particularly concerning is that KA has not provided another official API or documentation for an alternative—there’s no way to fix this.

Pamela updated the live-editor to remove one place where a sample program accessed the KA API to get scratchpad data. This feature is relatively unimportant (the KA Extension used it in one place), especially because it’s easy to re-add or use an older version of the live-editor if you need this functionality. However, the API endpoint used here is not a /api/v1/* endpoint, but rather an Internal API endpoint (/api/internal/...). KA doesn’t mention these endpoints being deprecated, but they also never officially supported them either. KA is in the process of making a transition towards a GraphQL API backend, and this is likely a part of that transition. However, to my knowledge, there is no way to get program data with GraphQL, and so KA can’t remove the older program endpoints without breaking the functionality of their own website. I think Pamela is being overly aggressive here by removing this internal endpoint from the live-editor.

Given the amount of energy KA has spent on updating the programming section historically, I don’t think they will move the programming section of the website to GraphQL before Jan 6th. I don’t think the internal API will be shut down soon. The best case scenario going forward is that all of these systems continue to work. Projects that interact with KA would then have to choose between the unofficial internal API, the deprecated v1 API, or the undocumented and unofficial GraphQL API.

Notable changes include:

• Moving the tabs for different profile sub-pages to the left side of the page, instead of along the top.
• Removing the “Badges” and “Projects” pages from that list.
• Renaming “Profile” to “Learner Home” under the user-name dropdown in the upper right.

The area under MY STUFF is personalized. It’s unclear how much flexibilty it has, but it appears that other tabs appear there, in addition to courses, based on your activity.

Personally, I think that this is a good aesthetic change, it looks cleaner and still includes most of the same content. By far, the concern that has been the most vocalized is that the browse projects page is no longer one-click away from all pages on your profile. It is still possible to get to your projects (or badges) page by clicking “View All” on the widget on the main profile page. I have said that the KA Extension should be able to replace those missing sidebar links.

There also appears to be a bug where the badges display case isn’t editable if you directly navigate to the profile page; only if you cause it load dynamically (e.g. switching to Projects and then back to profile). It’s also worth noting that KA appears to have added a second check for duplicate badges in your display case, patching the KA Extension’s hack. It remains to be seen if it is possible to fix.