+Sissy-n-CR Posted October 10, 2003 I guess I can look at this as a blessing in disguise. I've been thinking about reworking my caches so they look better on a PDA; now I guess I'm forced to. I'll probably end up pulling a couple anyway. CR
+Team GeoDillo Posted October 10, 2003 Jeremy... I'm not sure I understand the Flash issues. The link you provided seemed to say that there WAS a way to make Flash work on your site without allowing malicious scripting, in the section entitled "What Macromedia Is Doing". But since I'm not a programmer or web master, I could be wrong. Would you please clarify this? Are you going to be able to fix it so we can use Flash again? Thanks... Scott
+rldill Posted October 10, 2003 quote: Originally posted by BeachBuddies: Also, my <SELECT> tags are no longer working on any of my cache pages. I'll provide links if you need them. Thanks. The same with mine. Former EarthNOlink user!!!!!!!!! Take a chance or you'll never know. Let your spirits soar!
+Prime Suspect Posted October 10, 2003 This is one of the most ill-conceived steps I've ever seen this site take. What possible reason is there behind stripping out the <s>strikeout</s> font tag? Or stripping out alignment codes? Or the "clear=all" modifier on break tags? A classic case of throwing out the baby with the bathwater. "Don't mess with a geocacher. We know all the best places to hide a body."
+parkrrrr Posted October 10, 2003 I think it's all rather simple. Rather than go with the obvious but wrong "strip out all the stuff we know is dangerous" solution, Jeremy went with the far superior "only allow that which we know is safe" solution. And he missed a few things, like tags that aren't in the spec or that aren't very common, and various attributes of common tags.
+fizzymagic Posted October 10, 2003 I understand the security implications of javascript on cache pages, and I appreciate that it's being stripped out. But nobody has answered my earlier question, and so I insert it here because it's been so completely ignored: Why is javascript required to edit or delete my own finds?
+rldill Posted October 10, 2003 quote: Originally posted by fizzymagic: I understand the security implications of javascript on cache pages, and I appreciate that it's being stripped out. But nobody has answered my earlier question, and so I insert it here because it's been so completely ignored: _Why is javascript _required_ to edit or delete my own finds?_ Agree, but there are tags other than javascript not working. Former EarthNOlink user!!!!!!!!! Take a chance or you'll never know. Let your spirits soar! [This message was edited by rldill on October 10, 2003 at 02:13 PM.]
MOCKBA Posted October 10, 2003 quote: Originally posted by Jeremy: onClick events are JavaScript, and have been removed. Ouch. You mean ONCLICK...alert('a message'); is a security threat??? I used it as a way to provide 2nd-level additional clues (i.e. by clicking 'Decrypt' a user visualizes a few hints; to get additional hints, it's necessary to click again). http://www.geocaching.com/seek/cache_details.aspx?pf=&ID=95638&decrypt=y&log= The "original source" which the owner can see by opting to edit the cache still shows the correct javascript, but it is no longer displayed on the cache page. Jeremy, I didn't invent this schema. Others used it to give hints to puzzle caches before, and I guess they are screwed as well. Any suggestion what to use instead of this? Also FORM / INPUT tags are no longer allowed. For another puzzle cache, http://www.geocaching.com/seek/cache_details.aspx?ID=92663 , I was trying to put a mini-calculator in the cache description, to let the cachers see for themselves if the solution they chose makes sense (that's after one of our younger, more careless local cachers decided to check an incorrect solution which might have led him to dangerous terrain). But my HTML is stripped clean after editing. Just wondering, were there any complaints which led to this action? Or is it another unprovoked adjustment?
MOCKBA Posted October 10, 2003 <U> is stripped too, and <FONT SIZE='+1'> disabled. I just visualize the Frog sitting by a terminal brooding ... server capacity is too small and revenues too low, and people don't show their appreciation anymore (other than by hiding and finding things by bundles). What to do? How to get even with this life? Ah ... let's screw a thousand smarta$s cachers tonight <EXTRA-WIDE FROGGY SMILE HERE>
+Doc-Dean Posted October 10, 2003 --------------------------------------------------- Free your mind and the rest will follow
+parkrrrr Posted October 10, 2003 quote: Originally posted by MOCKBA: Also FORM / INPUT tags are no longer allowed. .... Just wondering, were there any complaints which lead to this action? Or it is another unprovoked adjustment? See my post on the previous page for why allowing arbitrary forms is a security issue.
MOCKBA Posted October 10, 2003 quote: Originally posted by Warm Fuzzies - Fuzzy: See my post on the previous page for why allowing arbitrary forms is a security issue. Ain't talking arbitrary forms here. In my case there is no ACTION field and no off-site URLs are ever mentioned. If you really want to be proactive and prevent malicious cache description pages, why not have the *approvers* decide what HTML belongs on a page, rather than have a decision made automatically by the equivalent of a braindead safety officer, with no recourse?
+SnitserNL Posted October 10, 2003 <quote>Some tags like <big> and <table border> were items that aren't formally recognized, but we're adding them to the list since they are harmless.</quote> Please add <small> too. I'm using it quite a lot! Greetz, Peetee
+CrimsonWrath Posted October 10, 2003 I've been using the FIELDSET and LEGEND tags to create a unique layout. Use of those two fields is very minor to my needs (read "I can rewrite my pages if they are not allowed") and also seems not to pose a security risk (that I know of). Any chance they can be permitted, or should I change the layout of the page? Reference Cache: Corvette 50th Birthday Cache
Jeremy Posted October 10, 2003 Most of the formatting tags have now been reintroduced to the site, including the <br clear="all">, underline, strikeout, big, small, etc. Let us know if we missed anything formatting-wise. With regard to the <embed> tag, you can embed just about anything into a page that is supported by the browser. As a result, any future security issues, known and unknown, could happen to an unsuspecting visitor on the site. Jeremy Irish Groundspeak - The Language of Location
Jeremy Posted October 10, 2003 Yes, if we're missing a design tag somewhere, let me know and I'll add it. Regarding <fieldset> and <legend> tags, I don't know much about them, but as an IE user I'm concerned by this: <LEGEND STYLE="filter: progid:DXImageTransform.Microsoft.Shadow(color=silver,direction=135);"> This is one of the reasons why we are explicitly allowing certain items on cache pages. Is this harmless? Looks like an ActiveX function which may (who knows?) be exploited. Jeremy Irish Groundspeak - The Language of Location
+CrimsonWrath Posted October 10, 2003 quote: Originally posted by Jeremy: Yes, if we're missing a design tag somewhere, let me know and I'll add it. Regarding <fieldset> and <legend> tags, I don't know much about them, but as an IE user I'm concerned by this: <LEGEND STYLE="filter: progid:DXImageTransform.Microsoft.Shadow(color=silver,direction=135);"> This is one of the reasons why we are explicitly allowing certain items on cache pages. Is this harmless? Looks like an ActiveX function which may (who knows?) be exploited. Jeremy Irish Groundspeak - The Language of Location Thanks for the reply, Jeremy. That is a filter that creates a silver shadow effect on the text. Again, it is not vital to my page so I would be happy to remove it, but the STYLE attribute can be applied to any tag. You could just as easily have that on a P tag as on my LEGEND tag. I don't know of a security concern over the STYLE attribute since it generally changes the way the sections appear and has no automation or script feature. The "filter" attribute is generally ignored by all non-IE browsers.
mikeh420 Posted October 10, 2003 We gotta ask this question: What's more important, a cool looking web page, or a great cache placement? With some of the caches I've seen, if as much effort went into placing the cache as into writing the web page, it would be great.
+CrimsonWrath Posted October 10, 2003 As a follow up, if you are interested in the Filter Attribute, check filter Attribute | filter Property from Microsoft's MSDN site.
Jeremy Posted October 10, 2003 quote: Originally posted by CrimsonWrath: Again, it is not vital to my page so I would be happy to remove it, but the STYLE attribute can be applied to any tag. Good point. I enabled those tags. Also you used style for body and I added that too. Nice background color... not hard on the eyes like some background images I've seen. Jeremy Irish Groundspeak - The Language of Location
Jeremy Posted October 10, 2003 quote: Originally posted by Doc-Dean: Dilbert humor... Psst. You spelled Groundspeak wrong. Jeremy Irish Groundspeak - The Language of Location
+CrimsonWrath Posted October 10, 2003 quote: Originally posted by Jeremy: Good point. I enabled those tags. Also you used style for body and I added that too. Nice background color... not hard on the eyes like some background images I've seen. Unfortunately, it does render the copyright at the bottom a bit difficult to read. Perhaps the menu and/or the copyright should be isolated with a specific background style so that when other people override the BODY's background with "hard on the eyes" images or colors, they will remain legible. Just a thought.
+Doc-Dean Posted October 10, 2003 quote: Originally posted by Jeremy: quote: Originally posted by Doc-Dean: Dilbert humor... Psst. You spelled Groundspeak wrong. Jeremy Irish Groundspeak - The Language of Location Heh!! Good catch! Glad to see you can take a joke! --------------------------------------------------- Free your mind and the rest will follow
+Prime Suspect Posted October 10, 2003 quote: Originally posted by Jeremy: Most of the formatting tags have now been reintroduced to the site, including the <br clear="all">, underline, strikeout, big, small, etc. Let us know if we missed anything formatting-wise. The "align=" parameter on the <img> tag needs to be implemented. "Don't mess with a geocacher. We know all the best places to hide a body."
Jeremy Posted October 10, 2003 quote: Originally posted by Prime Suspect: The "align=" parameter on the <img> tag needs to be implemented. I just had left and right, but just added: absbottom absmiddle baseline bottom left middle cright texttop top Jeremy Irish Groundspeak - The Language of Location
+Doc-Dean Posted October 10, 2003 The "BGPROPERTIES=FIXED" parameter on the <BODY BACKGROUND> tag needs to be added. Thanks! --------------------------------------------------- Free your mind and the rest will follow
+DeadReckoner Posted October 10, 2003 quote: Originally posted by Jeremy: quote: Originally posted by Prime Suspect: The "align=" parameter on the <img> tag needs to be implemented. I just had left and right, but just added: absbottom absmiddle baseline bottom left middle cright texttop top Jeremy Irish Groundspeak - The Language of Location Hmmm. If you take a look at my Edendale in the Golden Age of Silent Film cache, it contains a number of <img align="right"> tags where the align=right part is being stripped out. This is true of the very first img in the first paragraph, for example. Am I correct in understanding that this "sanitization" of the HTML is occurring "on the fly", and that my original HTML source as was submitted has not been monged? In other words, as you get the bugs sorted out here, the display will just sort itself out and I needn't edit my cache page to re-submit my HTML? Are the details of what is/isn't going to be accepted published anywhere? That would be helpful. Thanks, Tom Chatt (DeadReckoner)
+Doc-Dean Posted October 10, 2003 2 more: In <img> tag, need to add "BOARDER=" Also can you add <MARQUEE> --------------------------------------------------- Free your mind and the rest will follow
Jeremy Posted October 10, 2003 quote: Originally posted by Doc-Dean: 2 more: In <img> tag, need to add "BOARDER=" Also can you add <MARQUEE> You mean "border"? I have border=0 through border=3. I added marquee with much hesitation. Jeremy Irish Groundspeak - The Language of Location
Jeremy Posted October 10, 2003 quote: Originally posted by Jeremy: absbottom absmiddle baseline bottom left middle cright texttop top Oops. I had cright instead of right. It works now. Jeremy Irish Groundspeak - The Language of Location
Jeremy Posted October 10, 2003 quote: Originally posted by Doc-Dean: The "BGPROPERTIES=FIXED" parameter on the <BODY BACKGROUND> tag needs to be added. Ok. I added it. When folks make suggestions, please point to a cache so I can double-check it works. Jeremy Irish Groundspeak - The Language of Location
+Doc-Dean Posted October 10, 2003 quote: Originally posted by Jeremy: You mean "border"? I have border=0 through border=3. I added marquee with much hesitation. Jeremy Irish Groundspeak - The Language of Location hmm... the part of my brain in charge of spelling seems to be off today... Thanks! Marquee is not bad as long as it's not used in an obnoxious way. --------------------------------------------------- Free your mind and the rest will follow
+Doc-Dean Posted October 10, 2003 quote: Originally posted by Jeremy: Oops. I had cright instead of right. It works now. BTW, watch out, it's catching! --------------------------------------------------- Free your mind and the rest will follow
+Edenite Posted October 10, 2003 Where is the list of tags we are allowed to use posted?
+Doc-Dean Posted October 10, 2003 quote: Originally posted by Jeremy: Ok. I added it. When folks make suggestions, please point to a cache so I can double-check it works. That's hard to do when it's been stripped out already. I added it back in and you can check it here. --------------------------------------------------- Free your mind and the rest will follow
MOCKBA Posted October 10, 2003 Since we are in a tag-listing phase now ... what about <U> and <FONT SIZE...>? And are there any tech solutions for the 2nd-level hints which used to rely on ONCLICK?
+DeadReckoner Posted October 10, 2003 quote: Originally posted by Doc-Dean: quote: Originally posted by Jeremy: Ok. I added it. When folks make suggestions, please point to a cache so I can double-check it works. That's hard to do when its been stripped out already. I added it back in and you can check it http://www.geocaching.com/seek/cache_details.aspx?guid=c816d049-7811-4289-b988-3ff064236eef I don't understand what people are talking about with their cache HTML having been stripped out. My experience was that the cache description HTML as stored in the database was never altered. Any "stripping" was happening at the time that the displayed HTML was getting generated. The upshot being that if you have harmless HTML that was being filtered, and Jeremy then adds those tags to the "allowed" list, you don't have to "add it back in" to your cache description. It's still there from before. At least that's how it was for me. Jeremy re-enabled img align=right, and now my cache displays properly again. I didn't change anything when it got broken, and I didn't change anything when it got fixed. Tom Chatt (DeadReckoner)
Jeremy Posted October 10, 2003 quote: Originally posted by The Edenites: _Where is the list of tags we are allowed to use posted?_ Most, if not all, of standard HTML should be allowed now. My suggestion (which I believe is on the report a cache page) is to write your cache page off-site before posting it. This is beneficial for two reasons: first, you save a copy (which you should _always_ do), and second, you don't get logged out when reporting the cache. No JavaScript is allowed, and no embedded items. I'll work on a more detailed list for the page so you can see it. Jeremy Irish Groundspeak - The Language of Location
+Edenite Posted October 10, 2003 quote: I don't understand what people are talking about with their cache HTML having been stripped out. My experience was that the cache description HTML as stored in the database was never altered. Any "stripping" was happening at the time that the displayed HTML was getting generated. The upshot being that if you have harmless HTML that was being filtered, and Jeremy then adds those tags to the "allowed" list, you don't have to "add it back in" to your cache description. It's still there from before. At least that's how it was for me. Jeremy re-enabled img align=right, and now my cache displays properly again. I didn't change anything when it got broken, and I didn't change anything when it got fixed. Tom Chatt (DeadReckoner) Well in my case, the page seemed to be missing MANY very necessary tags, causing it to go completely haywire. It seemed as if the code was actually "stripped out" because when I looked at the code in the "Long Description" box, the code was not what I had previously put in there. What I did was format the page off-line and copy the HTML code into the "Long Description" box. Then I hit "Edit Listing". When the page refreshed, I copied the HTML code into Microsoft Word and compared the two. Then I realized exactly what tags were "stripped". With Jeremy having re-enabled some of the tags and with my own editing, the page is perfect again. The only real edit I had to make was to replace my font style tags with actual font tags. Now if the style features were re-enabled, my original code would still be fine.
Jeremy Posted October 10, 2003 Let me know if there are any more missing tags. Thanks! Jeremy Irish Groundspeak - The Language of Location
+Team GeoDillo Posted October 10, 2003 quote: Originally posted by Jeremy: With regard to the <embed> tag, you can embed just about anything into a page that is supported by the browser. As a result any future security issues known and unknown could happen to an unsuspecting visitor on the site. Sorry but I'm still confused. Does this mean we can still use Flash (.swf) files? Scott of Team GeoDillo
Woffi Posted October 11, 2003 quote: Originally posted by Jeremy: Some scripting will not be allowed. Sorry. Can you be somewhat more specific about what will be allowed and what not? It is extremely cumbersome to rectify things when you don't know what works and what not. Wolfgang
outforthehunt Posted October 11, 2003 HTML doesn't seem to work in the Additional Hints section of the cache page?
+DustyJacket Posted October 11, 2003 It seems that my <font color="darkgreen"> is missing, but that is a good thing, as it tends to make WATCHER hiccup. I guess I should have not been lazy, and used the Hex Code for that non-standard color. Maybe TPTB could come up with a couple of easy to use forms or sample HTML for some people to use to make a less-plain cache page. Then all the HTML would be right.......I hope. DustyJacket Not all those that wander are lost. But in my case...
+DeadReckoner Posted October 11, 2003 DustyJacket reports trouble with <font color="darkgreen">, and I know I had trouble with <img align="right"> (though it's been fixed now). It makes me wonder why TPTB think it's important to restrict the *values* of attributes. It seems that an *attribute* (such as "color" or "align") is either benign or it isn't. If it is benign, what does it matter what the value is? The approach of restricting to a known "safe" list of HTML (as opposed to filtering known "dangerous" HTML) is the right thing to do from a security standpoint, as has already been pointed out here. But carrying it any further than is necessary for the security reasons is just to invite these sorts of problems. In this case of filtering the *values* of benign attributes, I think it is going further than necessary. Tom Chatt (DeadReckoner)
+Daphne of Mysteries Inc Posted October 11, 2003 I am new at HTML, but what I had written was working before. Cox woods This is a drop-down box. Are we not allowed to use them any more? Also the HTML in the Additional hints does not work. <SELECT size=name="URL" onChange="if(options[selectedIndex].value) window.location.href= (options[selectedIndex].value)" style="font-family: Comic Sans MS, Sans Serif; color: white; background-color: green; font-size: 1em"> <OPTION value=>Mysteries Inc. caches</OPTION> <OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=69565">Rothrocks Mill </OPTION> <OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=77615">Lick Creek </OPTION> <OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=77606">Valeene </OPTION> <OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=77816">Twin Caves </OPTION> <OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=79667">Cox Woods </OPTION> <OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=83128">Battle of Corydon </OPTION> <OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=88498">Kewl Tree </OPTION><OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=92218">Kelp me find the cache! </OPTION><OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=93327">Peace and Quiet </OPTION> <OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=93324">Get your daily dose of Iron </OPTION><OPTION value="http://www.geocaching.com/seek/cache_details.aspx?ID=93500">Millennium project </OPTION></SELECT> ~Shaggy~ "Their poverty, combined with their naivete and limited knowledge of the world, left them no choice but to put cheap, uninteresting stuff in their time capsule." -- from an article in the ONION, 14 Oct. 1999
Jomarac5 Posted October 11, 2003 It appears that the following are not being accepted: Both align=left and align=right in the img tag. Border=0 in the img tag. See here for an example. ***** You need a good command of the language to be a moderator.
+Lamneth Posted October 12, 2003 quote: Originally posted by Jomarac5: It appears that the following are not being accepted: Both _align=left_ and _align=right_ in the img tag. _Border=0_ in the img tag. This is what I learned while cleaning up my cache pages: If align or border come before src then the contents of the img tag are deleted. If align or border come after src then it works ok. But, hspace & vspace don't work in either case, and alt can't have a ! in its value.
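The allowlist approach parkrrrr describes, DeadReckoner's point that only attribute values which can carry a payload need inspecting, and Lamneth's observation that attribute order should not matter, put together as an added Python example (not code from the thread or from geocaching.com). The tag and attribute lists are assumed, the `sanitize` function is the example's own, and `style` values are narrowed on purpose because they are not inert on every browser.

```python
# Added example, not code from the thread or from geocaching.com. Tag and
# attribute NAMES are allowlisted; VALUES are checked only where they can
# carry a payload (URLs, style), and attribute order makes no difference.
from html.parser import HTMLParser
from html import escape
import re
# Formatting tags the thread calls harmless plus a few basics (assumed list).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "s", "big", "small", "font", "a",
                "img", "table", "tr", "td", "ul", "ol", "li", "fieldset",
                "legend", "span", "div", "center", "hr", "marquee"}
# Attribute names per tag; "*" applies to every allowed tag. Event handlers
# (onclick, onchange, ...) are simply not listed, so they never get through.
ALLOWED_ATTRS = {
    "*": {"style", "align", "class"},
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height", "border", "hspace", "vspace"},
    "font": {"color", "size", "face"},
    "br": {"clear"},
}
URL_ATTRS = {"href", "src"}
SAFE_URL = re.compile(r"^(https?://|/|#)", re.IGNORECASE)
# style values are not inert on every browser: keep a few plain properties only.
STYLE_PROPS = {"color", "background-color", "font-family", "font-size",
               "font-weight", "text-align", "margin", "padding"}
STYLE_VALUE = re.compile(r"^[\w\s#%.,-]+$")   # no parentheses, quotes, escapes

def clean_style(value):
    kept = []
    for decl in value.split(";"):
        prop, _, val = (s.strip() for s in decl.partition(":"))
        if prop.lower() in STYLE_PROPS and STYLE_VALUE.match(val):
            kept.append(f"{prop.lower()}: {val}")
    return "; ".join(kept)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skipping = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = tag       # drop the raw text inside these as well
            return
        if tag not in ALLOWED_TAGS:   # embed, form, input, select, ...: gone
            return
        allowed = ALLOWED_ATTRS["*"] | ALLOWED_ATTRS.get(tag, set())
        parts = []
        for name, value in attrs:     # HTMLParser lower-cases names for us
            value = (value or "").strip()
            if name not in allowed:
                continue
            if name in URL_ATTRS and not SAFE_URL.match(value):
                continue
            if name == "style" and not (value := clean_style(value)):
                continue
            parts.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")
        if tag not in ("br", "img", "hr"):
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in self.open_tags:   # also closes anything left open inside
            while (t := self.open_tags.pop()) != tag:
                self.out.append(f"</{t}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skipping is None:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    while p.open_tags:                # close whatever the author left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)
```

Run against the thread's own cases: the ONCLICK hint trick loses only its handler, `<img>` keeps `align` and `border` whichever side of `src` they sit, and the LEGEND filter is dropped while a plain colour survives.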
+Dave_W6DPS Posted October 12, 2003 Jeremy, I am a bit confused. No tags were "stripped" from my cache pages, but a link, using an image, to our local geocaching site no longer displays. The HTML for the link is still on each cache page when you go to the edit page, but it does not show up on the cache page. I believe I was already following all the formatting you suggest. Does this mean that I shouldn't use an image in a link, or just not an image that is on another site? I could easily change the link to text, but was wondering if an image was okay or not. I have supplied links to my three most recent caches. All the geocaching info is working fine, but I like to link to our local info site. Morgan Trailhead Lakepoint Park V2.0 Dreadnaught Memorial Thanks, Dave_W6DPS