What about active code - java, javascript, flash?

February 13, 2008

Hi

I tried to find something with some searches in the forum - but the topics I found, dealed with other topics.

My question is:

The guidelines say:

>> In the interest of file security, caches that require the downloading, installing or running of data and/or

>> executables may not be published.

Now - what does this mean to a cache listing?

Are java-tools or javascript-tools or flash-tools allowed in a listing?

Sometimes you see counter on a cachelisting. But what about "bigger" applications or java-applets?

Are they in agreement with the guidelines?

I think, applets and flash aren't allowed. Javascript like counters are ok and should be provided by Groundspeak itself. Other code from third party servers should be filtered.

thanks for answers.

21.9k · February 13, 2008

These things are not allowed. Either they will be stripped out automatically by HTML Tidy, or your cache will be questioned by the volunteer cache reviewer (assuming they notice the issue).

February 13, 2008

Hi

I tried to find something with some searches in the forum - but the topics I found, dealed with other topics.

My question is:

The guidelines say:

>> In the interest of file security, caches that require the downloading, installing or running of data and/or

>> executables may not be published.

Now - what does this mean to a cache listing?

Are java-tools or javascript-tools or flash-tools allowed in a listing?

Sometimes you see counter on a cachelisting. But what about "bigger" applications or java-applets?

Are they in agreement with the guidelines?

I think, applets and flash aren't allowed. Javascript like counters are ok and should be provided by Groundspeak itself. Other code from third party servers should be filtered.

thanks for answers.

Call me curious... Have you come across any listings which contained "java-tools or javascript-tools or flash-tools" or java-applets? Or were you planning on publishing a listing which would contain any of these?

I can see where a nice cache hider could use these tools to create an really nice, enhanced experience. I can also see where a malicous coder could use java-applets to do harm to a site visitors computer. Although the enhanced experience would be nice, in the interest of security, I think we should just stick with HTML.

Just my $0.02. Keep the change. :anibad:

9.2k · February 13, 2008

Javascript like counters are ok and should be provided by Groundspeak itself.

Most counters do not use client-side javascript. They're just images created on the fly by the remote server, which is tracking requests.

February 13, 2008

Also some of these are not platform independent, using some of these client side executed programs would limit the accessibility to the listing to a certain operating system. I would expect this would also not be a good thing.

// Tapio

Edited February 13, 2008 by OH2TH

4.9k · February 13, 2008

…

Call me curious... Have you come across any listings which contained "java-tools or javascript-tools or flash-tools" or java-applets? …

here we are:

Sprungtor Witten (TB und GC 5* Hotel) (GC189FR) by LordShelmchen (2/1)

Rettet Agent Smith (Nachtcache) (GC1866D) by chris_rocks31 (3/3)

Nicht noch ein Bahnhofs-Cache... (GC17G7M) by chris_rocks31 (1,5/1,5)

A2 bei Henrichenburg -> Oberhausen (GC13ZXX) by Michako (1/1)

TB-Hotel - Airport Düsseldorf - DUS StopOver (GC193BP) by -jha- (1/1,5)

Unter allen Wipfeln ist Ruh´ (GC15ZKR) by Pedalritter (1/1,5)

Barenborg (GC13596) by Pedalritter (1,5/1,5)

Ehrenmal Wolbeck (GC185WG) by Team Blaubär (1/1)

Altes Freibad (GC135A9) by Pedalritter (1/1,5)

Kreuzung (TB Hotel) (GCZEX4) by awema (1,5/2)

Mühlengeist (GC14A0R) by awema (1/2)

Zweischneidiges Andenken (GC16GW8) by patchworkerx (1/1)

…

09-HH "Wo bin ich?" (GC17CFR) by ageta (1,5/1,5)

TT11 - Blau-Gold (GCZK0Y) by ageta (1/1,5)

Heimat und Sachkundeunterricht 1: Engerling (GC1914Y) by Der wahre Eumel (2/2,5)

Wildes Moor (GCVMZQ) by ageta (1/1)

Lord of Elbing (GC18NJR) by chipkrieger (2,5/1,5)

KGV Glashuette (GCVN7D) by ageta (1,5/1,5)

Formel verloren (GC11BK0) by ageta (2,5/1,5)

Pastorpark Nr.2 (GC18HHY) by ageta (2/1,5)

happy code cleaning. :anibad:

edit: erased corrected caches.

Edited February 13, 2008 by HHL

February 13, 2008

Javascript like counters are ok and should be provided by Groundspeak itself.

Most counters do not use client-side javascript. They're just images created on the fly by the remote server, which is tracking requests.

sure - but included scripts can harm a system. You know that there exist exploits, that aren't harmless. A counter is nothing to discuss. This should be possible - I'm talking about "bigger" things, that should be prevented

Call me curious... Have you come across any listings which contained "java-tools or javascript-tools or flash-tools" or java-applets? Or were you planning on publishing a listing which would contain any of these?

No - not me. I'm fighting against. see HHL's posting.. others do so

My opinion is:

all active code from third party servers have to be filtered. Groundspeak should provide easy scripts like counters itself. All other code should be forbidden or filtered.

I have not the desire to get damage code via "cross-site-scripting"

21.9k · February 13, 2008

I followed a few of the links in the above list. Each one took me to a cache page that had a java applet for a geocache rating site. Java applets are not permitted on cache pages.

I am guessing that this code was added to the cache pages post-publication. A quick note to one of your friendly volunteer cache reviewers should lead to the removal of the impermissible code.

1.5k · February 13, 2008

…

Call me curious... Have you come across any listings which contained "java-tools or javascript-tools or flash-tools" or java-applets? …

here we are:

<<< list of caches >>>

Wow. I didn't think you could do that without the website stripping out the embedded code. Also, I wonder why a java applet is even needed in this case, when you could use a dynamically generated image that links to a page where you can cast a vote.

Oh, and I inadvertently voted on a cache while I was checking out one of those links. :lol:

2.2k · February 13, 2008

Either they will be stripped out automatically by HTML Tidy,

IMHO it would be a good idea to remove everything except plain text and pictures in jpg format.

February 13, 2008

Either they will be stripped out automatically by HTML Tidy,

IMHO it would be a good idea to remove everything except plain text and pictures in jpg format.

I don't necessarily agree with being that aggresive. I use HTML to create a nice and interesting layout for my cache pages. I don't include any third-party code or scripting, just plain HTML.

I can agree with stripping out/filtering third-party scripts, java, flash,etc for the protection of the site visitors computers, but their is nothing really harmful with plain old HTML.

February 13, 2008

I fully understand and agree that these things (flash, java, etc.) should not be allowed to be embedded in cache pages. Geocaching.com is not a web site host service, so these things should not be expected. However, if I wanted to make flash, java, or whatever a requirement to find a cache, can I just provide a link to my web page on the cache page? (I have my own web server :lol: ). Or is this still violating the requirement because potential cachers would need to have the flash player, or some other browser plugin installed?

2.3k · February 13, 2008

I fully understand and agree that these things (flash, java, etc.) should not be allowed to be embedded in cache pages. Geocaching.com is not a web site host service, so these things should not be expected. However, if I wanted to make flash, java, or whatever a requirement to find a cache, can I just provide a link to my web page on the cache page? (I have my own web server ). Or is this still violating the requirement because potential cachers would need to have the flash player, or some other browser plugin installed?

I'm no expert, but that situation is OK as I had asked, in person, our local reviewer that question a couple years ago, even before the statements in the Cache Placement Guidelines were written.

But, don't force people to load some specialty software such as an Enigma decoder, or a special sound processing program that's not available from millions of places. Those are a no-no.

As the guidelines state, "There is no precedent for placing caches...".

And violations of stuff being added to a cache page after a publication will slowly be weeded out when the reviewers, or TPTB, ever see it or are informed of it. And other, now not allowed, things like active html will be weeded out whenever the cache owner edits his cache page and HTMLTidy gets a chance to see the cache.