
New Html Filter?


Lounging at Walden


Does anyone else out there have problems with their cache pages?

 

I had some simple JAVA code on my webpage --- which worked fine for the last few weeks.

Suddenly it's been disabled. It's still in the original webpage HTML, but it's being filtered out when displayed.

 

Other embedded objects on my puzzle cache pages seem to have disappeared as well.

 

What gives?

 

Hey --- I just noticed, the emoticons are JAVA; shouldn't they be filtered out as well?

It's all very suspicious.

 

--- J

Link to comment

Looks like Geocaching.com is now stripping out any Javascript and EMBED tags from all user input. This includes cache descriptions as well as the profile page. While this prevents the possible abuse of these features it also has the result of messing up certain cache pages. Lounging_At_Walden has several very clever puzzle caches that rely on either Javascript or Embed tags. Perhaps this thread on whether Geocaching.com should provide webspace for puzzles (so that the "must be solvable with information from the cache page" guideline can be met) applies here as well. Maybe Geocaching.Com needs to provide a way for puzzle caches to be identified as such so that they can use Javascript or embedded Java objects. This attribute would be set by the reviewer after verifying that the code appears to only be what is needed for the puzzle. I understand that some reviewers wouldn't want this responsibility. Since there would not be many puzzles like this, perhaps a small group of volunteers would review these caches.

Link to comment

I think like all things it all boils down to the mighty dollar! Let's keep them here on our site. Just like the travel bugs and coins. Should you not be able to create your own? I mean really who cares if you have a small javascript that changes your mouse on your post? Or a small Flash? Good grief. But if they allow those then the door is wide open to other things that might affect their ability to control the users. Ah who knows why really. Just makes it a bit less interesting to me.

Link to comment

I think like all things it all boils down to the mighty dollar! Let's keep them here on our site. Just like the travel bugs and coins. Should you not be able to create your own? I mean really who cares if you have a small javascript that changes your mouse on your post? Or a small Flash? Good grief. But if they allow those then the door is wide open to other things that might affect their ability to control the users. Ah who knows why really. Just makes it a bit less interesting to me.

 

All of my JAVA script codes and embedded objects KEEP the cacher on the geocaching site. After engaging the new brilliant filtering system, in order to watch my video puzzles, you have to actually LEAVE the site. Probably a violation of the terms of service. If it is, I'll happily move my video caches to another site in protest.

 

If GC.com wants their users to come up with creative puzzles that push the technology or creative caches in general, they need to move forward. Otherwise, geocaching will come down to 1000s of micros hidden at McDonalds --- how original.

 

Puzzle wise, there is only so much you can do with a JPEG picture posted on the GC sites. It usually takes me less than a minute to solve any JPEG picture based puzzle. Not because I'm smart. It's because there are only about 7 things you can do with a JPEG image to "hide" information.

 

I've spent the last two weeks coming up with another video puzzle that will never see the light of day. I refuse to post it if cachers can't access it from the GC webpage. If they leave the GC website, the puzzle experience is lost.

 

Thanks GC for making the GeoCaching experience just a little more lame.

Link to comment

I think like all things it all boils down to the mighty dollar! Let's keep them here on our site. Just like the travel bugs and coins. Should you not be able to create your own? I mean really who cares if you have a small javascript that changes your mouse on your post? Or a small Flash? Good grief. But if they allow those then the door is wide open to other things that might affect their ability to control the users. Ah who knows why really. Just makes it a bit less interesting to me.

 

Actually, I think it came down to more of a security issue than a monetary one. Look at all the spyware, viruses, etc. that you can pick up just by visiting the wrong website with the wrong browser. Not that anybody ever did anything malicious through a cache listing, but some clever person (named seven, or something like that) did create a sort of proof-of-concept once on their profile page. For example, if flash, java, etc. weren't filtered out, it wouldn't be that hard for some creative person to create a "fake" version of the geocaching login page that collected people's passwords (phishing). From GC's perspective, it's easier to just disallow everything than to account for any vulnerabilities.

Edited by DavidMac
Link to comment

The security issue is the biggest reason, but there's also "Bad coder syndrome" that occurs when people drop innocuous little scripts that disable other functionality on the page.

 

The issue was raised to us when we received a customer service email about a profile that wasn't working. It turned out that the embedded code dropped on the page by the user had disabled the tabs. This has happened many times before:

 

- users adding a redirect script to send them to a web site that looked identical to ours which had the potential for users to enter their username/password on a web site

- users completely blanking out the page so you can't do anything at all.

- Linking off to embedded files on web sites with no understanding of the owner or what that could do.

 

and so on and so forth.

 

Trivializing it down to some hover button isn't helpful or useful. And it's kinda ignorant.

Link to comment
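Jeremy's list above is the case for an allowlist rather than a blocklist: a filter that only deletes script tags still lets event-handler attributes, javascript: links and iframes through. As an added example (not Groundspeak's actual filter, whose rules are not published in this thread), here is an allowlist sanitizer in Python; the permitted tag and attribute sets are a constructed policy, and the sample inputs are constructed apart from the counter image tag quoted later in the thread.

```python
"""Allowlist HTML sanitizer for user-supplied page fragments (added example).

Assumption: illustrative code, not the site's own filter; ALLOWED_TAGS and
ALLOWED_ATTRS are a constructed policy that a real deployment would tune.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags a profile or cache description may contain, and the attributes each may carry.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "ul", "ol",
                "li", "h1", "h2", "h3", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}
# Active content: the element *and everything inside it* is removed.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "applet"}


def _safe_url(value: str) -> bool:
    """Accept http(s) and relative URLs only; reject javascript:, data:, vbscript: etc.
    Whitespace and control characters are stripped first, so a scheme split by a
    tab is still recognised as a scheme."""
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlsplit(cleaned).scheme.lower() in ("", "http", "https")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output pieces
        self.dropped = []      # audit trail of what was removed
        self.skip_depth = 0    # >0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:          # unknown tag: keep its text, lose the tag
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:            # names arrive lowercased, values decoded
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):   # covers every on* handler
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in ("href", "src") and not _safe_url(value):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-escape decoded text
    # Comments, doctypes and processing instructions hit the no-op default handlers.


def sanitize(fragment: str):
    """Return (clean_html, dropped_items) for a user-supplied fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed samples: the image counter from later in the thread (kept) and
    # three kinds of active content a tag-only blocklist would mishandle.
    for sample in ('<img src="http://www.gsmhiker.net/counters/counter.php5">',
                   '<p onmouseover="go()">hover me</p>',
                   '<a href="java\tscript:go()">link</a>',
                   '<b>ok</b><iframe src="http://other.invalid/"><b>x</b></iframe>'):
        print(sanitize(sample))
```

The parser fails closed: if a dropped element such as an iframe is never closed, everything after it is discarded rather than emitted.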

Wouldn't it, however, be possible to disable the "bad apples" and ban their IP addresses from the site rather than exclude ALL of us from using it?

 

For example, I was using a simple "counter" to be able to see who and when people were hitting my profile - just for the fun of it. And it was just that - fun! There was no malicious intent there whatsoever. And, for those who use it for more interesting puzzle caches, it should, in my opinion, be available for their use as well...

 

Or, just make it available to premium members... (okay, okay, please no flurry of emails saying that $30 is too much $) <_<

 

Anyway, these are just my thoughts... I am, by NO means, a programmer and I really don't know all the nasty things that people can do with javascript. But, one would have to believe that it could be used in some safe way without banning it from everyone.

 

Happy caching to all!

 

-Glen from Team Petey.

Link to comment

Wouldn't it, however, be possible to disable the "bad apples" and ban their IP addresses from the site rather than exclude ALL of us from using it?

 

This isn't Minority Report. I can't prejudge users and know whether they are malicious or not.

 

I completely understand what you're saying Jeremy, and I agree - I would never want anyone to prejudge anyone else on this site or any other. What I meant was: when someone is actually found to be using javascript with malicious intent, those would be the people to have their page removed, and, their IP would be banned from the site. I'm sorry if I hadn't made myself clear in that...

 

"Prejudge" is the originating word for "Prejudice" and, I would agree, that cannot be tolerated. Good point Jeremy... But, if someone is using the site for purposes for which it wasn't intended, GC.com should have every right to ban someone from the site.

 

Happy Caching to All,

 

-Glen from Team Petey.

Link to comment

What I meant was: when someone is actually found to be using javascript with malicious intent, those would be the people to have their page removed, and, their IP would be banned from the site. I'm sorry if I hadn't made myself clear in that...

 

You were clear. My issue is that the damage would be done by the time I banned an account, and banning IP addresses and charging people for site trespassing gets laughed out of courts, so it isn't effective.

 

Generally we work with the idea that 99.9% of people that use the site are good folks. The other 0.1% are flippin morons. So we have to deal with the flippin morons.

Link to comment

Hmmm, I wonder if that extension for Firefox called NoScript would work against people's malicious codes. I have it enabled 99% of the time, even though I know it's caused a few problems with not displaying profile pages. I haven't had that problem.

 

The problem becomes you can't get everyone who uses GC.com to switch to FF and get that extension. And I'm not sure, but I think it only blocks *known* bad scripts. So if someone codes their own, you're screwed. Although I'm 50/50 on this one, it may block codes it *thinks* are bad.

 

-Eric

Link to comment

It's hardly ruined: it just means that people have to click on one extra link. You have more freedom on an external page too.

 

I'm sorry alexrudd, I don't understand. How can I still track the people who hit my profile page without my javascript running?

 

If there's a way, I would love to do it! I just don't know enough about programming to make it happen... If it can be done, please help!

Link to comment

I'm sorry alexrudd, I don't understand. How can I still track the people who hit my profile page without my javascript running?

 

If there's a way, I would love to do it! I just don't know enough about programming to make it happen... If it can be done, please help!

 

Why do you need to track who hit your profile page?

Link to comment

Or, just make it available to premium members... (okay, okay, please no flurry of emails saying that $30 is too much $) :laughing:

 

 

I'm not a premium member, but this may help stop some malicious coders from being able to do it. I don't think someone is gonna drop $30 just to be able to do stuff with their java code. Although you'd be surprised, some people go to great lengths.

Link to comment

Hmmm, I wonder if that extension for Firefox called NoScript would work against people's malicious codes. I have it enabled 99% of the time, even though I know it's caused a few problems with not displaying profile pages. I haven't had that problem.

 

The problem becomes you can't get everyone who uses GC.com to switch to FF and get that extension. And I'm not sure, but I think it only blocks *known* bad scripts. So if someone codes their own, you're screwed. Although I'm 50/50 on this one, it may block codes it *thinks* are bad.

 

-Eric

NoScript is currently the second most popular Firefox extension, but it doesn't evaluate scripts as "good" or "bad". It simply blocks them from running, unless it's on a site that you've already white-listed. I've found that it makes for a fairly unpleasant browsing experience, since so many sites today rely on javascript. I'm not worried too much about malicious code. I just hate sites that use scripts to try and keep me from doing ordinary browser operations, such as using context menus. The Web Developer toolbar extension lets me quickly turn java and javascript on and off as needed, to get around that.

Link to comment

I don't know why this is such a big deal NOW. Jeremy is just fixing something that got broken on a filter. Way back in January of 2005 Jeremy said this:

Nothing can be embedded into an html page on the geocaching.com web site due to security issues. Same goes for any javascript.
Link to comment

I'm sorry alexrudd, I don't understand. How can I still track the people who hit my profile page without my javascript running?

 

If there's a way, I would love to do it! I just don't know enough about programming to make it happen... If it can be done, please help!

 

You don't need to use Javascript to have a functional counter. As proof, check out my profile and scroll all the way to the bottom. Refresh the page and the number should update. It helps to have your own webserver (or, in my case, a shared host), but there may be free counter sites out there that work the same way. I did it by inserting the following into my profile:

 

<img src="http://www.gsmhiker.net/counters/counter.php5">

 

The PHP script is one that reads the current visit count from a second file, updates the count by one, and generates an image from the number.

Link to comment
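
The counter the post above describes (read the stored count, add one, return it as an image), as an added example in Python rather than the poster's PHP script, which is not shown here. It assumes a WSGI-capable host and a Unix file lock; COUNTER_FILE is a placeholder path, and the image is emitted as SVG instead of a GD-rendered bitmap.

```python
"""Server-side hit counter served through an <img> tag (added example).

Assumptions: WSGI host, Unix (fcntl) file locking, placeholder counter path,
SVG output rather than the PHP/GD bitmap the original post used.
"""
import fcntl
import os
from wsgiref.simple_server import make_server

COUNTER_FILE = "/tmp/profile-counter.txt"   # placeholder; keep it outside the web root


def bump_counter(path: str) -> int:
    """Read the stored count, add one, write it back and return the new value.
    An exclusive lock covers the whole read-modify-write, so two simultaneous
    page loads cannot both read N and both write N+1."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    with os.fdopen(fd, "r+", encoding="ascii") as fh:
        fcntl.flock(fh.fileno(), fcntl.LOCK_EX)
        raw = fh.read().strip()
        count = (int(raw) if raw.isdigit() else 0) + 1   # corrupt/empty file restarts at 1
        fh.seek(0)
        fh.truncate()
        fh.write(str(count))
        fh.flush()
        fcntl.flock(fh.fileno(), fcntl.LOCK_UN)
    return count


def render_svg(count: int) -> str:
    """Image containing only digits, so nothing user-controlled is interpolated."""
    text = str(int(count))
    width = 12 * len(text) + 8
    return (f'<svg xmlns="http://www.w3.org/2000/svg" width="{width}" height="20">'
            f'<rect width="100%" height="100%" fill="#eee"/>'
            f'<text x="4" y="15" font-family="monospace" font-size="14">{text}</text>'
            f'</svg>')


def counter_app(environ, start_response):
    """WSGI endpoint that the profile's <img src="..."> points at."""
    count = bump_counter(COUNTER_FILE)
    body = render_svg(count).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "image/svg+xml"),
        ("Content-Length", str(len(body))),
        # Without no-store the browser may reuse the cached image, and the
        # number would not change on refresh as the post above relies on.
        ("Cache-Control", "no-store"),
    ])
    return [body]


if __name__ == "__main__":
    print("Serving counter on http://127.0.0.1:8000/")
    make_server("127.0.0.1", 8000, counter_app).serve_forever()
```

Note that every fetch of the image increments the count, including search crawlers and anyone who previews the page, so the number is a load count rather than a count of distinct people.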
I don't know why this is such a big deal NOW. Jeremy is just fixing something that got broken on a filter. Way back in January of 2005 Jeremy said this:
Nothing can be embedded into an html page on the geocaching.com web site due to security issues. Same goes for any javascript.

 

This is a big deal now for those of us who weren't around in Jan 05 to read what Jeremy said, and who have happily been utilizing the security-hole-we-didn't-know-was-a-security-hole. What makes it a bigger deal is that it was changed back without any announcement, breaking pages overnight. Also, the lack of any sort of list of "acceptable HTML" on the Edit Profile page makes it reasonable for us to have believed we were totally in the clear.

 

Basically, it's a big deal because Groundspeak didn't clearly advertise their intentions and actions.

Link to comment

 

This is a big deal now for those of us who weren't around in Jan 05 to read what Jeremy said, and who have happily been utilizing the security-hole-we-didn't-know-was-a-security-hole. What makes it a bigger deal is that it was changed back without any announcement, breaking pages overnight. Also, the lack of any sort of list of "acceptable HTML" on the Edit Profile page makes it reasonable for us to have believed we were totally in the clear.

 

Basically, it's a big deal because Groundspeak didn't clearly advertise their intentions and actions.

 

Very well said Yellow Ants.

 

Honestly, I've never run into malicious code on the pages. That's not to say it's not out there, but, I've just never been so unfortunate as to step into a pile of it.

 

I said this earlier in the thread - and not to be redundant, but, wouldn't it make sense to make it a feature that only premium members could use? I think it would be a very rare occurrence that someone would actually PAY GC.com to abuse the site. However, if someone DID abuse the site, GC would have that person's name and contact info (from the payment) and could then refuse to accept that person's money in the future - thereby not allowing them to ever enter malicious script again.

 

Further, if someone has given GC.com their name and credit card info, it's going to be EVEN MORE UNLIKELY that they would abuse the site. (I would think most of these people try to be somewhat secretive in who they are...) Don'tcha think?

 

Again, just my 2 cents... but, to me, my 2 cents makes some sense...

 

Thanks for listening and for your consideration!

 

-Glen from Team Petey.

Link to comment
Basically, it's a big deal because Groundspeak didn't clearly advertise their intentions and actions.

According to the Terms of Use, they don't have to.

 

3. License to Use Site; Restrictions

...

Groundspeak may change, suspend, or discontinue any portion of the Site, or any service offered on the Site, at any time, including but not limited to any feature, database, application, or content. Groundspeak may also impose limits on certain features offered on the Site with or without notice.

Link to comment

I said this earlier in the thread - and not to be redundant, but, wouldn't it make sense to make it a feature that only premium members could use? I think it would be a very rare occurrence that someone would actually PAY GC.com to abuse the site.

 

Your second point is probably valid, and it's probably valid for non-members as well. So that leaves the cut-n-pasters. I've already seen more than my share of horribly botched-up cache pages, caused by people who don't even know what html stands for, copying in code that makes an entire cache page unreadable, or text effects bleeding into the hints and logs. The use of htmlTidy has put a stop to most of that.

 

So you're thinking that just by being a paid member, someone suddenly becomes proficient in javascript? If not, I don't understand the rationale behind allowing it for one group, and not another.

Link to comment
According to the Terms of Use, they don't have to.

 

That's fair enough. It still doesn't mean it wouldn't have been a good idea to announce the change to avoid shortchanging the people who were using the feature. Just because you can do something under the ToU doesn't make it smart customer relations-wise.

 

Oh, and Jeremy - the TB pages are still horribly insecure from the continued use of iframes. :)

Link to comment
So you're thinking that just by being a paid member, someone suddenly becomes proficient in javascript? If not, I don't understand the rationale behind allowing it for one group, and not another.

 

Jeremy has said the option to use JS and iframes was removed due to security concerns, not because people couldn't figure how to use it properly. So while I agree with you in principle, your point isn't relevant to the reasons Groundspeak gave for why they removed them.

Edited by Yellow ants
Link to comment

It's hardly ruined: it just means that people have to click on one extra link. You have more freedom on an external page too.

 

I'm sorry alexrudd, I don't understand. How can I still track the people who hit my profile page without my javascript running?

 

If there's a way, I would love to do it! I just don't know enough about programming to make it happen... If it can be done, please help!

The simple way is just have a link in your GC.com profile page to your own page. Then you can put it whatever you want, and your stats will be more accurate too: only people that actively wish to see your profile will click the link.
Link to comment
So you're thinking that just by being a paid member, someone suddenly becomes proficient in javascript? If not, I don't understand the rationale behind allowing it for one group, and not another.

 

Jeremy has said the option to use JS and iframes was removed due to security concerns, not because people couldn't figure how to use it properly. So while I agree with you in principle, your point isn't relevant to the reasons Groundspeak gave for why they removed them.

 

I believe he did issue concern over code that has a deleterious effect on the rest of the cache page:

The security issue is the biggest reason, but there's also "Bad coder syndrome" that occurs when people drop innocuous little scripts that disable other functionality on the page.

 

And how interesting that your botched attempt at quoting my message has messed up this message. Why, it's almost ironic. :)

Link to comment

Hmmm, I wonder if that extension for Firefox called NoScript would work against people's malicious codes. I have it enabled 99% of the time, even though I know it's caused a few problems with not displaying profile pages. I haven't had that problem.

 

The problem becomes you can't get everyone who uses GC.com to switch to FF and get that extension. And I'm not sure, but I think it only blocks *known* bad scripts. So if someone codes their own, you're screwed. Although I'm 50/50 on this one, it may block codes it *thinks* are bad.

 

-Eric

NoScript is currently the second most popular Firefox extension, but it doesn't evaluate scripts as "good" or "bad". It simply blocks them from running, unless it's on a site that you've already white-listed. I've found that it makes for a fairly unpleasant browsing experience, since so many sites today rely on javascript. I'm not worried too much about malicious code. I just hate sites that use scripts to try and keep me from doing ordinary browser operations, such as using context menus. The Web Developer toolbar extension lets me quickly turn java and javascript on and off as needed, to get around that.

 

Oh cool! I've had the web-developer toolbar for months now and never noticed that feature :) . Thanks for the 'quick tip'. I think I'll keep noscript though.

 

-Eric

Link to comment
And how interesting that your botched attempt at quoting my message has messed up this message. Why, it's almost ironic. B)

 

Just forgot the closing tag. Should we disable quoting on the forums now?

 

Besides, I normally put a little more care into my html than my forum posts ... ;)

Edited by Yellow ants
Link to comment

I said this earlier in the thread - and not to be redundant, but, wouldn't it make sense to make it a feature that only premium members could use? I think it would be a very rare occurrence that someone would actually PAY GC.com to abuse the site.

 

Your second point is probably valid, and it's probably valid for non-members as well. So that leaves the cut-n-pasters. I've already seen more than my share of horribly botched-up cache pages, caused by people who don't even know what html stands for, copying in code that makes an entire cache page unreadable, or text effects bleeding into the hints and logs. The use of htmlTidy has put a stop to most of that.

 

So you're thinking that just by being a paid member, someone suddenly becomes proficient in javascript? If not, I don't understand the rationale behind allowing it for one group, and not another.

 

I didn't mean to say that being a paid member would suddenly make one proficient in JS. (I don't think I even inferred that...) But, what I said was, it should only be available to paid members. This, in my opinion, would do 2 things:

 

1. It would offer another feature that GC.com could use to gain new, paying members. (Because, let's face it, GC doesn't run on love of geocaching alone). AND

 

2. It would limit the amount of JS in cache pages to those who are honestly TRYING to do interesting and fun things with their pages - not create black holes for the unwary to step into. And, therefore, it would be easier for the moderators of the site to monitor and remove the truly malicious stuff.

 

Finally, I believe that a person's cache pages and profile page are theirs to do with as they see fit. You said (and I again quote), "I've already seen more than my share of horribly botched-up cache pages, caused by people who don't even know what html stands for, copying in code that makes an entire cache page unreadable, or text effects bleeding into the hints and logs." What might appear "botched-up" to you might be the result of someone's hard work - and they may well be proud of that. No, not everyone is proficient at JS nor HTML - but, we try... and, I think as paying members, it wouldn't be unreasonable to allow us to TRY to make our pages as fun and interesting as we can - even if you think we "botched" it up.

Link to comment

 

I didn't mean to say that being a paid member would suddenly make one proficient in JS. (I don't think I even inferred that...) But, what I said was, it should only be available to paid members. This, in my opinion, would do 2 things:

 

1. It would offer another feature that GC.com could use to gain new, paying members. (Because, let's face it, GC doesn't run on love of geocaching alone). AND

 

Yeah, I'm sure that's what's holding back hordes of people from getting memberships. :rolleyes:

 

2. It would limit the amount of JS in cache pages to those who are honestly TRYING to do interesting and fun things with their pages - not create black holes for the unwary to step into. And, therefore, it would be easier for the moderators of the site to monitor and remove the truly malicious stuff.

 

Actually, the system they've just re-enabled does that very well. It limits it to zero, which is fine by me.

 

Finally, I believe that a person's cache pages and profile page are theirs to do with as they see fit.

 

:o:lol::P:lol::D:lol::o:lol::P:lol::D:lol::laughing:

Funniest thing I've read all day! You might want to make yourself familiar with the TOU.

 

You said (and I again quote), "I've already seen more than my share of horribly botched-up cache pages, caused by people who don't even know what html stands for, copying in code that makes an entire cache page unreadable, or text effects bleeding into the hints and logs." What might appear "botched-up" to you might be the result of someone's hard work - and they may well be proud of that. No, not everyone is proficient at JS nor HTML - but, we try... and, I think as paying members, it wouldn't be unreasonable to allow us to TRY to make our pages as fun and interesting as we can - even if you think we "botched" it up.

 

No, when I say "botched up", that's what I mean. I doubt if anyone would be "proud" of having broken image tags that are referencing pictures sitting on their local C: drive, or badly constructed tables that force half the cache page off the screen.

Link to comment

Finally, I believe that a person's cache pages and profile page are theirs to do with as they see fit.

 

Sure they are - on your own site. If you need a profile or a cache page that has JS, host it on your own site, then link to it on your GC.com pages.

Edited by Markwell
Link to comment

Prime Suspect - your arrogance amazes me. Best of luck to you going forward...

 

And, Markwell, I agree with you completely. I was simply making the point that cache pages can be fun and creative as well... you're 100% right.

 

I'm checking out of this thread. I've said what I believe - and, once the sarcasm starts (prime suspect's post, 2 prior to this one), there's no reason to stay and get verbally "beat up". There's no excuse to go beyond civil and resort to snide, sarcastic and rude statements.

 

All the best to everyone - and happy caching to all.

 

-Glen from Team Petey.

 

edit for content.

Edited by Team Petey
Link to comment
This topic is now closed to further replies.