Aquarionics

Thursday 28th March 2002

AntiJavascript

gilmae mentioned this in a comment, and I can't give examples of why I'm stripping things from comments *in* comments, because It Doesn't Work (which is rather the point). So here it is, The Problem With HTML.

First, some more basic problems. Aquarionics, being Neat, Cool, and generally Compliant, uses CSS for layout. It consists of various sections, set out in the code as <div> (DIVision) tags. This, for example, is in #content, which slightly overlaps #header, which in turn contains the sweeping-curve logo. To the right is #cool, containing Neatothings from the rest of the site. If I allowed all HTML in comments, someone could put in a few <div> tags (or leave one unclosed) and completely ruin the layout and readability of the site. Bad.

The same problem applies for Table-based designs with </td> tags. Those can really ruin someone's day. So, HTML Bad.

PHP has a nice function called strip_tags(), which strips all HTML tags from a post except the ones you specify. "So don't specify <script>" is the obvious call, but it's not that easy, because Javascript doesn't need a <script> tag: it can sit in an event-handler attribute of any ordinary tag, and strip_tags() keeps every attribute on the tags it lets through. For example, I could have something in italics like this:

<em onMouseOver="window.alert('Hah! You Lose!')">Go on. Touch me. I dare you, I double-dare you. I double plus infinity dare you</em>
Which isn't exactly the end of the world, but it could be worse. I mean, it *could* be...
<em onMouseOver="document.location='http://www.goat.cx'">Go on. Touch me. I dare you, I double-dare you. I double plus infinity dare you</em>
Or worse, something that doesn't even wait for the mouse...
<em onLoad="document.location='http://www.goat.cx'">Go on. Touch me. I dare you, I double-dare you. I double plus infinity dare you</em>

(No, I'm not putting that code in :-)
And strip_tags() will let every one of those through. It decides which *tags* to keep, then writes the kept tags back out with all of their attributes, event handlers included; it never looks inside an attribute value, so it makes no difference whether the handler calls window.alert() or quietly assigns document.location. (One caveat on the last example: browsers don't fire onLoad on an <em>. A handler that runs without the reader touching anything would have to hang off an element that does fire load or error events, such as an <img>, which is no comfort at all.) So no HTML.
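As an added example (not code from the original post, and not the site's own comment filter), the two functions below make the point concrete in Python: strip_tags_like() reproduces what PHP's strip_tags($html, '<em>') does, keeping allowed tags together with all their attributes, while sanitize_comment() is the allowlist done properly, re-emitting allowed tags bare, entity-escaping the text, ignoring stray closing tags and closing anything the commenter left open. The allowlist (em, strong, code) and the payload are constructed for the demonstration.

```python
"""Added example: tag allowlisting versus attribute stripping.

strip_tags_like() mimics PHP strip_tags($html, $allowed): tags outside the
allowlist are removed (their text stays), allowed tags pass through with every
attribute intact. sanitize_comment() keeps only the tag *names* on the
allowlist, escapes all text, drops stray closing tags and closes open ones.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for a comment field (assumption, not the site's list).
ALLOWED_TAGS = frozenset({"em", "strong", "code"})


class _AllowlistFilter(HTMLParser):
    """Re-serialise HTML, keeping only tags on the allowlist."""

    def __init__(self, allowed, keep_attributes):
        # convert_charrefs=False so entity references reach handle_entityref /
        # handle_charref and can be written back out unchanged.
        super().__init__(convert_charrefs=False)
        self.allowed = allowed
        self.keep_attributes = keep_attributes
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return  # tag dropped; its text content is still emitted by handle_data
        if self.keep_attributes:
            # Faithful to strip_tags(): every attribute, onmouseover= included,
            # is written back out. (HTMLParser lower-cases names; PHP keeps case.)
            attr_text = "".join(
                f' {name}="{value}"' if value is not None else f" {name}"
                for name, value in attrs
            )
            self.out.append(f"<{tag}{attr_text}>")
        else:
            # Hardened path: tag name only, no attributes of any kind.
            self.out.append(f"<{tag}>")
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.allowed:
            return  # e.g. a stray </td> or </div> never reaches the page
        if self.keep_attributes:
            self.out.append(f"</{tag}>")
        elif tag in self.open_tags:
            # Close anything opened after it too, so nesting stays valid.
            while self.open_tags:
                popped = self.open_tags.pop()
                self.out.append(f"</{popped}>")
                if popped == tag:
                    break

    def handle_data(self, data):
        # strip_tags() leaves text alone; the hardened path escapes it.
        self.out.append(data if self.keep_attributes else escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def result(self):
        self.close()
        # Hardened path: close whatever the commenter left open so the
        # comment cannot italicise (or un-<div>) the rest of the page.
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def strip_tags_like(html, allowed=ALLOWED_TAGS):
    """Python stand-in for PHP strip_tags($html, $allowed). Unsafe by design."""
    flt = _AllowlistFilter(allowed, keep_attributes=True)
    flt.feed(html)
    return flt.result()


def sanitize_comment(html, allowed=ALLOWED_TAGS):
    """Allowlist that keeps tag names only, escapes text and balances tags."""
    flt = _AllowlistFilter(allowed, keep_attributes=False)
    flt.feed(html)
    return flt.result()


if __name__ == "__main__":
    # Constructed payload modelled on the post's example.
    payload = ('<em onmouseover="window.alert(\'Hah! You Lose!\')">Go on. Touch me.</em>'
               '<div>layout breaker</div>')
    print(strip_tags_like(payload))   # handler survives, <div> gone
    print(sanitize_comment(payload))  # <em>Go on. Touch me.</em>layout breaker
```

Run it and the first line still carries the onmouseover handler even though <div> was removed, which is exactly the failure the post describes; the second line has the italics and nothing else. Note that strip_tags() also leaves the text of a removed <script> element in place, so the hardened path escapes it rather than trusting it.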

Those who spoke on this:


beaneater:

2002-05-30 23:00 9 wks after the Original Article

You do know that www.goat.cx isn’t the site to which you mean to refer, right?



Aquarion:

2002-05-30 23:00 0 secs after beaneater

Yes, I do. HTH, HAND :-)



Digit:

2003-01-31 08:19 44 wks after the Original Article

What’s the payout when I roll over your:
"Go on. Touch me. I dare you, I double-dare you. I double plus infinity dare you"
and nothing happens?

Some of us use smart browsers ;-)



Nicholas 'Aquarion' Avenell is a web developer in London, you can find out more about him or how to get in touch.

© 2000 to 2008 inclusive Nicholas Avenell
All comments are the property of their creators, published with permission
(Unless otherwise indicated, the opinions and sentiments expressed on this site are those of the author and not of any organisation of which he is an affiliate, including his employer. Caveat Lector, E&OE. sigh)
Generated by Epistula Version 2.0.3