Add site-agnostic pob://code/ scheme for inline build imports #9815

Closed
AiSatan wants to merge 2 commits into PathOfBuildingCommunity:dev from AiSatan:feat/inline-code-scheme

@AiSatan AiSatan commented Apr 25, 2026

Fixes #9814.

Description of the problem being solved:

Every pob:// route today requires the build to live on a third-party paste site (pobb.in, maxroll, etc). Tools and scripts that already hold a build code locally have to upload it before they can offer a one-click "Open in PoB" link, which adds an external dependency, an HTTP roundtrip, and it seems unfair to me in general.

Steps taken to verify a working solution:

  • simple HTTP page with the <a id="link" class="open" href="pob://code/some-build-code">name</a>

Link to a build that showcases this PR:

Before screenshot:

After screenshot:

image

Wires77 (Member) commented Apr 25, 2026

What's the use case for something like this? People don't share codes directly because they're long and ugly, and often get mangled by markdown.

AiSatan (Author) commented Apr 25, 2026

> What's the use case for something like this? People don't share codes directly because they're long and ugly, and often get mangled by markdown.

To skip upload to a third-party paste site (pobb.in, maxroll, etc) and wire the button on your own site directly to the code you have, instead of pobbin or others.

It's not for people to share the code, it's to skip that and open the PoB directly.

pobbin (maxroll, etc) has this format for it:

<a ... href="pob://pobbin/pwQbRLh8HQrE" ...etc... >Open</a>

poeninja has a different format:

<a ... href="pob://poeninja/overview/code?account=Name-7777&amp;name=userName" ... 

I think it's more fair to remove the dependency on that hardcoded white-list, and allow a generic "code" which accepts an existing base64 string, so anyone can use it.

LocalIdentity (Contributor) commented

@AiSatan why would someone be running their own site? If you're using it for AI purposes then you're free to just keep this feature for your own fork.
This will also cause issues on Windows and Linux when you hit the terminal character limit.

AiSatan (Author) commented Apr 25, 2026

@LocalIdentity

I'm not sure if there is some misunderstanding about what this does or something?

I'm on Linux.

I'm not sure where you got the AI reference from?
Is my nickname an issue?
I've had it since 2008, it has nothing to do with the modern AI, it means my old clan "Aidolon" and again, this is not related to my commit at all. This is just upsetting tbh.

Not sure what is confusing in this commit.
If you are making your own website for custom builds for example, a.k.a. poe.ninja, and want to add a button which lets users open a build in the PoB directly, like pobbin does:

image

This button.
You can't do it, cause it requires you to upload your build to the pobbin and get the code. I do not know how to explain this cleaner, please ask what is unclear on this.

AiSatan (Author) commented Apr 25, 2026

> to just keep this feature for your own fork

It's not for me, it's for the end user.

LocalIdentity (Contributor) commented Apr 25, 2026

We are not interested in allowing any site to auto-open links. It's a security issue and also prevents poor quality sites from popping up.

If a site needs it and offers a quality improvement for the PoE user base then we are open to consider adding it.

AiSatan (Author) commented Apr 25, 2026

It's not auto-opening links, pobbin has it, are we talking about the same thing?

If a base64 string is a security issue atm, it should be addressed in the PoB codebase.

This has a clear (and covered with tests, in your code base's format for --pass/--fail with description) regex for the base64 string.

> also prevents poor quality sites from popping up

This is kind of a gatekeeping/reddit mod vibe here. This whole interaction is very strange to me.
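
Added example, not part of this thread, the PR, or the Path of Building code base: a sketch of the checks a `pob://code/<payload>` handler could apply on top of a base64 regex, namely a length cap on the link and a bounded decompression of the payload. It assumes the payload is URL-safe base64 over zlib-compressed XML; the function names and both limits are hypothetical.

```python
import base64
import re
import zlib
from urllib.parse import urlsplit

MAX_URI_CHARS = 8000             # assumed cap, below common command-line limits
MAX_XML_BYTES = 2 * 1024 * 1024  # assumed ceiling for the decompressed build
B64URL = re.compile(r"[A-Za-z0-9_-]+={0,2}")


def decode_inline_build(uri: str) -> bytes:
    """Return the build XML carried by pob://code/<payload>, or raise ValueError."""
    if len(uri) > MAX_URI_CHARS:
        raise ValueError("URI too long")
    parts = urlsplit(uri)
    if parts.scheme != "pob" or parts.netloc != "code":
        raise ValueError("not an inline-code link")
    if parts.query or parts.fragment:
        raise ValueError("unexpected query or fragment")
    payload = parts.path[1:]
    if not B64URL.fullmatch(payload):
        raise ValueError("payload is not URL-safe base64")
    raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
    inflater = zlib.decompressobj()
    try:
        # Bounded inflate: never materialise more than the ceiling plus one byte.
        xml = inflater.decompress(raw, MAX_XML_BYTES + 1)
    except zlib.error as exc:
        raise ValueError("payload is not zlib data") from exc
    if len(xml) > MAX_XML_BYTES:
        raise ValueError("decompressed build exceeds size limit")
    if not inflater.eof:
        raise ValueError("truncated zlib stream")
    if not xml.lstrip().startswith(b"<"):
        raise ValueError("decompressed payload is not XML")
    return xml


def is_acceptable(uri: str) -> bool:
    try:
        decode_inline_build(uri)
        return True
    except ValueError:
        return False


# Constructed sample, not a real build code.
SAMPLE_XML = b'<PathOfBuilding><Build level="90"/></PathOfBuilding>'
SAMPLE_URI = "pob://code/" + base64.urlsafe_b64encode(zlib.compress(SAMPLE_XML)).decode()
```

A payload that passes the alphabet check can still be truncated, not zlib at all, or expand far past the ceiling, which is why the decode and inflate steps carry their own checks.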

Wires77 (Member) commented Apr 25, 2026

The reason we have a whitelist is so websites that promote RMT or other unsavory behavior can't have the same level of functionality and apparent legitimacy as well-known build sites that the community trusts. We're open to adding more sites as they gain traction in the community, but no one has done that/needed to do that in a long time. If you make such a site and want to integrate it with PoB, feel free to open a new PR and we can review it at that time.

Wires77 closed this Apr 25, 2026

AiSatan (Author) commented Apr 25, 2026

@Wires77

I'm very confused rn. At this point you said:

  • This is AI
  • This is a security issue
  • To prevent poor quality
  • This is RMT

You do realise that any site at this moment can simply upload the build to pobbin and make a button with href to pob://pobbin/code and nothing changes for them?

This allows a website to cut the middle man and give original pob/raw base64/xml directly without a proxy.

Wires77 (Member) commented Apr 25, 2026

To be clear, @LocalIdentity and I are different people 😄

A site could do that, true, but that would be a clear indicator that the website is at least a bit unscrupulous in how it approaches interactions with PoB and the build code ecosystem. As a dev team we trust and interact regularly with the developers of the sites in the whitelist (admittedly not true for legacy pastebin clones, however) so we can respond to and fix issues if any crop up.

I've always been cautious about how PoB interacts with websites that aren't pathofexile.com, and this is no exception. This would suddenly change that stance to interacting with every website without oversight.

AiSatan (Author) commented Apr 25, 2026

@LocalIdentity @Wires77
I'm not sure then if I should tag both, but based on how dismissive this interaction was, I do not see a point. Calling a one-line regex change "AI" is.. Wow.

> I've always been cautious about how PoB interacts with websites that aren't pathofexile.com

Exactly, this is why I think that removing this dependency on a third party web site MUST be implemented. This white-listed gatekeeping is crazy to me.

> If you make such a site

I'm not a web developer. And looking at this, I won't be back here, this is, again, just wow.

AiSatan (Author) commented Apr 25, 2026

The code atm literally trusts whatever pobbin and others return, which is very unsafe imho.
The recent supply chain attacks on nodejs just confirm that trusting external web sites is very stupid.

@AiSatan AiSatan deleted the feat/inline-code-scheme branch April 25, 2026 14:28