
HTML not displaying


showbizkid


Jeremy...

 

I'm not sure I understand the Flash issues. The link you provided seemed to say that there WAS a way to make Flash work on your site without allowing malicious scripting in the section entitled "What Macromedia Is Doing". But since I'm not a programmer or web master, I could be wrong. Would you please clarify this. Are you going to be able to fix it so we can use Flash again?

 

Thanks...

 

Scott


quote:
Originally posted by BeachBuddies:

 

Also, my <SELECT> tags are no longer working on any of my cache pages. I'll provide links

if you need them.

 

Thanks.


The same with mine

 

Former EarthNOlink user!!!!!!!!!

 

Take a chance or you'll never know. Let your spirits soar!


This is one of the most ill-conceived steps I've ever seen this site take. What possible reason is there behind stripping out the <s>strikeout</s> font tag? Or stripping out alignment codes? Or the "clear=all" modifier on break tags?

 

A classic case of throwing out the baby with the bathwater.

 


"Don't mess with a geocacher. We know all the best places to hide a body."


I think it's all rather simple. Rather than go with the obvious but wrong "strip out all the stuff we know is dangerous" solution, Jeremy went with the far superior "only allow that which we know is safe" solution. And he missed a few things, like tags that aren't in the spec or that aren't very common, and various attributes of common tags.

 



I understand the security implications of javascript on cache pages, and I appreciate that it's being stripped out.

 

But nobody has answered my earlier question, and so I insert it here because it's been so completely ignored:

 

Why is javascript required to edit or delete my own finds?


quote:
Originally posted by fizzymagic:

I understand the security implications of javascript on cache pages, and I appreciate that it's being stripped out.

 

But nobody has answered my earlier question, and so I insert it here because it's been so completely ignored:

 

Why is javascript required to edit or delete my own finds?


 

Agree, but there are tags other than javascript not working.

 

Former EarthNOlink user!!!!!!!!!

 

Take a chance or you'll never know. Let your spirits soar!

 

[This message was edited by rldill on October 10, 2003 at 02:13 PM.]


quote:
Originally posted by Jeremy:

onClick events are JavaScript, and have been removed


Ouch. You mean ONCLICK...alert('a message'); is a security threat???

I used as a way to provide 2nd-level additional clues (i.e. by clicking 'Decrypt' a user visualizes a few hints; to get an additional hints, it's necessary to click again).

http://www.geocaching.com/seek/cache_details.aspx?pf=&ID=95638&decrypt=y&log=

The "original source" which the owner can see by opting to edit the cache still shows the correct javascript, but it is no longer displayed on the cache page.

Jeremy, I didn't invent this schema. Others used it to give hints to puzzle caches before, and I guess they are screwed as well. Any suggestion what to use instead of this?

 

Also FORM / INPUT tags are no longer allowed. For another puzzle cache,

http://www.geocaching.com/seek/cache_details.aspx?ID=92663 , I was trying to put a mini-calculator in the cache description, to let the cachers see for themselves if the solution they chose makes sense (that's after one of our younger, more careless local cachers decided to check an incorrect solution which might have led him to dangerous terrain). But my HTML is stripped clean after editing.

 

Just wondering, were there any complaints which led to this action? Or is it another unprovoked adjustment?


<U> is stripped too, and <FONT SIZE='+1'> disabled.

 

I just visualize the Frog sitting by a terminal brooding ... server capacity is too small and revenues too low, and people don't show their appreciation anymore (other than by hiding and finding things by bundles).

 

What to do? How to get even with this life? Ah ... let's screw a thousand smarta$s cachers tonight <EXTRA-WIDE FROGGY SMILE HERE>


quote:
Originally posted by MOCKBA:

Also FORM / INPUT tags are no longer allowed.

....

Just wondering, were there any complaints which led to this action? Or is it another unprovoked adjustment?


See my post on the previous page for why allowing arbitrary forms is a security issue.

 



quote:
Originally posted by Warm Fuzzies - Fuzzy:

See my post on the previous page for why allowing arbitrary forms is a security issue.


Ain't talking arbitrary forms here. In my case there is no ACTION field and no off-site URLs are ever mentioned.

If you really want to be proactive and prevent malicious cache description pages, why not have the *approvers* decide what HTML belongs on a page. Rather than to have a decision made automatically by the equivalent of a braindead safety officer, with no recourse?


Most of the formatting tags have now been reintroduced to the site, including the <br clear="all">, underline, strikeout, big, small, etc.

 

Let us know if we missed anything formatting-wise.

 

With regard to the <embed> tag, you can embed just about anything into a page that is supported by the browser. As a result any future security issues known and unknown could happen to an unsuspecting visitor on the site.

 

Jeremy Irish

Groundspeak - The Language of Location


Yes, if we're missing a design tag somewhere, let me know and I'll add it.

 

Regarding <fieldset> and <legend> tags, I don't know much about them, but as an IE user I'm concerned by this:

 

<LEGEND STYLE="filter: progid:DXImageTransform.Microsoft.Shadow(color=silver,direction=135);">

 

This is one of the reasons why we are explicitly allowing certain items on cache pages. Is this harmless? Looks like an ActiveX function which may (who knows?) be exploited.

 

Jeremy Irish

Groundspeak - The Language of Location


quote:
Originally posted by Jeremy:

Yes, if we're missing a design tag somewhere, let me know and I'll add it.

 

Regarding <fieldset> and <legend> tags, I don't know much about them, but as an IE user I'm concerned by this:

 

<LEGEND STYLE="filter: progid:DXImageTransform.Microsoft.Shadow(color=silver,direction=135);">

 

This is one of the reasons why we are explicitly allowing certain items on cache pages. Is this harmless? Looks like an ActiveX function which may (who knows?) be exploited.

 

Jeremy Irish

Groundspeak - The Language of Location


Thanks for the reply, Jeremy. That is a filter that creates a silver shadow effect to the text. Again, it is not vital to my page so I would be happy to remove it, but the STYLE attribute can be applied to any tag. You could just as easily have that on a P tag as my LEGEND tag. I don't know of a security concern over the STYLE attribute since it generally changes the way the sections appear and has no automation or script feature.

 

The "filter" attribute is generally ignored by all non-IE browsers.


quote:
Originally posted by CrimsonWrath:

Again, it is not vital to my page so I would be happy to remove it, but the STYLE attribute can be applied to any tag.


 

Good point. I enabled those tags. Also you used style for body and I added that too. Nice background color... not hard on the eyes like some background images I've seen.

 

Jeremy Irish

Groundspeak - The Language of Location


quote:
Originally posted by Jeremy:

Good point. I enabled those tags. Also you used style for body and I added that too. Nice background color... not hard on the eyes like some background images I've seen.


Unfortunately, it does render the copyright at the bottom a bit difficult to read. Perhaps the menu and/or the copyright should be isolated with a specific background style so that when other people override the BODY's background with "hard on the eyes" images or colors, they will remain legible.

 

Just a thought.


quote:
Originally posted by Jeremy:

quote:
Originally posted by Doc-Dean:

Dilbert humor...


 

Psst. You spelled Groundspeak wrong.

 

Jeremy Irish

Groundspeak - The Language of Location


Heh!! Good catch!

Glad to see you can take a joke!

 

---------------------------------------------------

Free your mind and the rest will follow

 



quote:
Originally posted by Jeremy:

Most of the formatting tags have now been reintroduced to the site, including the <br clear="all">, underline, strikeout, big, small, etc.

 

Let us know if we missed anything formatting-wise.


The "align=" parameter on the <img> tag needs to be implemented.

 

"Don't mess with a geocacher. We know all the best places to hide a body."


quote:
Originally posted by Prime Suspect:

 

The "align=" parameter on the <img> tag needs to be implemented.


 

I just had left and right, but just added:

 

absbottom

absmiddle

baseline

bottom

left

middle

right

texttop

top

 

Jeremy Irish

Groundspeak - The Language of Location


quote:
Originally posted by Jeremy:

quote:
Originally posted by Prime Suspect:

 

The "align=" parameter on the <img> tag needs to be implemented.


 

I just had left and right, but just added:

 

absbottom

absmiddle

baseline

bottom

left

middle

right

texttop

top

 

Jeremy Irish

Groundspeak - The Language of Location


 

Hmmm. If you take a look at my Edendale in the Golden Age of Silent Film cache, it contains a number of <img align="right"> tags where the align=right part is being stripped out. This is true of the very first img in the first paragraph, for example.

 

Am I correct in understanding that this "sanitization" of the HTML is occurring "on the fly", and that my original HTML source as was submitted has not been monged? In other words, as you get the bugs sorted out here, the display will just sort itself out and I needn't edit my cache page to re-submit my HTML?

 

Are the details of what is/isn't going to be accepted published anywhere? That would be helpful.

 

Thanks,

 

Tom Chatt (DeadReckoner)


quote:
Originally posted by Doc-Dean:

2 more:

 

In <img> tag, need to add "BOARDER="

 

Also can you add <MARQUEE>


 

You mean "border?" I have border=0 through border=3

 

I added marquee with much hesitation.

 

Jeremy Irish

Groundspeak - The Language of Location


quote:
Originally posted by Doc-Dean:

The "BGPROPERTIES=FIXED" parameter on the <BODY BACKGROUND> tag needs to be added.


 

Ok. I added it. When folks make suggestions, please point to a cache so I can double-check it works.

 

Jeremy Irish

Groundspeak - The Language of Location


quote:
Originally posted by Jeremy:

You mean "border?" I have border=0 through border=3

 

I added marquee with much hesitation.

 

Jeremy Irish

Groundspeak - The Language of Location


hmm... the part of my brain in charge of spelling seems to be off today... Thanks!

 

Marquee is not bad as long as it's not used in an obnoxious way.

 

---------------------------------------------------

Free your mind and the rest will follow

 



quote:
Originally posted by Jeremy:

Ok. I added it. When folks make suggestions, please point to a cache so I can double-check it works.


That's hard to do when it's been stripped out already.

 

I added it back in and you can check it here

 

---------------------------------------------------

Free your mind and the rest will follow

 



quote:
Originally posted by Doc-Dean:

quote:
Originally posted by Jeremy:

Ok. I added it. When folks make suggestions, please point to a cache so I can double-check it works.


That's hard to do when it's been stripped out already.

 

I added it back in and you can check it http://www.geocaching.com/seek/cache_details.aspx?guid=c816d049-7811-4289-b988-3ff064236eef

 


 

I don't understand what people are talking about with their cache HTML having been stripped out. My experience was that the cache description HTML as stored in the database was never altered. Any "stripping" was happening at the time that the displayed HTML was getting generated. The upshot being that if you have harmless HTML that was being filtered, and Jeremy then adds those tags to the "allowed" list, you don't have to "add it back in" to your cache description. It's still there from before.

 

At least that's how it was for me. Jeremy re-enabled img align=right, and now my cache displays properly again. I didn't change anything when it got broken, and I didn't change anything when it got fixed.

 

Tom Chatt (DeadReckoner)


quote:
Originally posted by The Edenites:

_Where is the list of tags we are allowed to use posted?_


 

Most, if not all of standard HTML should be allowed now. My suggestion (which I believe is on the report a cache page) is to write your cache page off-site before posting it. This is beneficial for two reasons: First you save a copy (which you should _always_ do) and second so you don't get logged out when reporting the cache.

 

No JavaScript is allowed, and no embedded items. I'll work on a more detailed list for the page so you can see it.

 

Jeremy Irish

Groundspeak - The Language of Location


quote:
I don't understand what people are talking about with their cache HTML having been stripped out. My experience was that the cache description HTML as stored in the database was never altered. Any "stripping" was happening at the time that the displayed HTML was getting generated. The upshot being that if you have harmless HTML that was being filtered, and Jeremy then adds those tags to the "allowed" list, you don't have to "add it back in" to your cache description. It's still there from before.

 

At least that's how it was for me. Jeremy re-enabled img align=right, and now my cache displays properly again. I didn't change anything when it got broken, and I didn't change anything when it got fixed.

 

Tom Chatt (DeadReckoner)


 

Well in my case, the page seemed to be missing MANY very necessary tags causing it to go completely haywire. It seemed as if the code was actually "stripped out" because when I looked at the code in the "Long Description" box, the code was not what I had previously put in there.

 

What I did was format the page off-line and copy the HTML code into the "Long Description" box.

 

Then I hit "Edit Listing"

 

When the page refreshed, I copied the HTML code into Microsoft Word and compared the two.

 

Then I realized exactly what tags were "stripped"

 

With Jeremy's re-enabled some of the tags and with my own editing, the page is perfect again.

 

The only real edit I had to make was to replace my font style tags with actual font tags.

 

Now if the style features were re-enabled, my original code would still be fine.


quote:

 

Originally posted by Jeremy:

 

With regard to the <embed> tag, you can embed just about anything into a page that is supported by the browser. As a result any future security issues known and unknown could happen to an unsuspecting visitor on the site.

 


 

Sorry but I'm still confused. Does this mean we can still use Flash (.swf) files?

 

Scott of Team GeoDillo


quote:
Originally posted by Jeremy:

Some scripting will not be allowed. Sorry.


 

Can you be somewhat more specific what will be allowed and what not.

It is extremely cumbersome to rectify things when you don't know what works and what not.

 

Wolfgang


It seems that my <font color="darkgreen"> is missing, but that is a good thing, as it tends to make WATCHER hiccup.

 

I guess I should have not been lazy, and used the Hex Code for that non-standard color.

 

Maybe TPTB could come up with a couple of easy to use forms or sample HTML for some people to use to make a less-plain cache page. Then all the HTML would be right.......I hope.

 

DustyJacket

Not all those that wander are lost. But in my case...


DustyJacket reports trouble with <font color="darkgreen">, and I know I had trouble with <img align="right"> (though it's been fixed now). It makes me wonder why TPTB think it's important to restrict the *values* of attributes. It seems that an *attribute* (such as "color" or "align") is either benign or it isn't. If it is benign, what does it matter what the value is?

 

The approach of restricting to a known "safe" list of HTML (as opposed to filtering known "dangerous" HTML) is the right thing to do from a security standpoint, as has already been pointed out here. But carrying it any further than is necessary for the security reasons is just to invite these sorts of problems. In this case of filtering the *values* of benign attributes, I think it is going further than necessary.

 

Tom Chatt (DeadReckoner)

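The allowlist approach argued for earlier in the thread, and the question just above of why attribute values (not only attribute names) get filtered, as an added Python example that is not Groundspeak's code: tag and attribute names are allowlisted, and the few attributes whose value can smuggle script or fetch a resource (href/src URLs, style, align and the numeric attributes) also get a value check, so a visual IE filter like the Microsoft.Shadow one quoted above passes while expression() or a javascript: URL does not. The allowlist itself is constructed from tags mentioned in this thread and is an assumption, not the list the site actually used.

```python
import re
from html import escape
from html.parser import HTMLParser

# Tag -> permitted attributes, constructed from tags this thread mentions (an
# assumption for the example, not the list the site actually used).
ALLOWED = {
    "p": {"align"}, "br": {"clear"}, "b": set(), "i": set(), "u": set(), "s": set(),
    "big": set(), "small": set(), "font": {"color", "size", "face"}, "a": {"href"},
    "img": {"src", "alt", "align", "border", "hspace", "vspace"}, "legend": {"style"},
}
VOID = {"br", "img"}                                  # no closing tag emitted
DROP_CONTENT = {"script", "style", "embed", "object", "applet", "iframe"}
ALIGN = {"left", "right", "center", "top", "middle", "bottom", "texttop", "absmiddle", "absbottom", "baseline"}
SAFE_URL = re.compile(r"^(https?://|/|#)", re.I)     # rejects javascript:, data:, vbscript: ...
# CSS that runs code or fetches a resource in old IE/Gecko; a purely visual
# progid: filter such as Microsoft.Shadow matches none of these and passes.
UNSAFE_CSS = re.compile(r"expression\s*\(|behaviou?r\s*:|-moz-binding|url\s*\(|@import|javascript:", re.I)

def attr_ok(tag, name, value):
    if name not in ALLOWED[tag] or name.startswith("on"):   # on* = event-handler script
        return False
    if name in ("href", "src"):
        return SAFE_URL.match(value) is not None
    if name == "style":
        return UNSAFE_CSS.search(value) is None
    if name == "align":
        return value.lower() in ALIGN
    if name in ("border", "hspace", "vspace", "size"):
        return value.lstrip("+-").isdigit()
    return True

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0                 # nesting depth inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1            # drop the element and everything inside it
            return
        if self.skip or tag not in ALLOWED:
            return                    # unknown tag: drop the tag, keep its text
        kept = [(n, v or "") for n, v in attrs if attr_ok(tag, n, v or "")]
        rendered = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))   # text is re-escaped, never passed through raw

def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)
```

Because the filter runs on the stored markup at render time, widening the allowlist later makes previously hidden tags reappear without the owner re-editing the page, which is the behaviour Tom Chatt describes.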

I am new at HTML, but what I had written was working before. Cox woods This is a drop down box, Are we not allowed to use them any more? Also the HTML in the Additional hints does not work.

 

<SELECT name="URL" onChange="if (options[selectedIndex].value) window.location.href = options[selectedIndex].value"
style="font-family: Comic Sans MS, Sans Serif; color: white; background-color: green; font-size: 1em">
<OPTION value="">Mysteries Inc. caches</OPTION>
<OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=69565">Rothrocks Mill</OPTION>
<OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=77615">Lick Creek</OPTION>
<OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=77606">Valeene</OPTION>
<OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=77816">Twin Caves</OPTION>
<OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=79667">Cox Woods</OPTION>
<OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=83128">Battle of Corydon</OPTION>
<OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=88498">Kewl Tree</OPTION>
<OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=92218">Kelp me find the cache!</OPTION>
<OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=93327">Peace and Quiet</OPTION>
<OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=93324">Get your daily dose of Iron</OPTION>
<OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=93500">Millennium project</OPTION>
</SELECT>

 

~Shaggy~

 

 

"Their poverty, combined with their naivete and limited knowledge of the world, left them no choice but to put cheap, uninteresting stuff in their time capsule." -- from an article in the ONION, 14 Oct. 1999


quote:
Originally posted by Jomarac5:

It appears that the following are not being accepted:

 

Both _align=left_ and _align=right_ in the img tag.

 

_Border=0_ in the img tag.


This is what I learned while cleaning up my cache pages:

 

If align or border come before src then the contents of the img tag are deleted.

 

If align or border come after src then it works ok.

 

But, hspace & vspace don't work in either case, and alt can't have a ! in its value.


Jeremy,

 

I am a bit confused. No tags were "stripped" from my cache pages, but a link, using an image, to our local geocaching site no longer displays. The HTML for the link is still on each cache page when you go to the edit page, but it does not show up on the cache page.

 

I believe I was already following all the formatting you suggest.

 

Does this mean that I shouldn't use an image in a link, or just not an image that is on another site? I could easily change the link to text, but was wondering if an image was okay or not.

 

I have supplied links to my three most recent caches. All the geocaching info is working fine, but I like to link to our local info site.

 

Morgan Trailhead

 

Lakepoint Park V2.0

 

Dreadnaught Memorial

 

Thanks,

Dave_W6DPS
