Jump to content

HTML Filtering for Cache Descriptions


OpinioNate
Followers 6

Recommended Posts

On Tuesday the 17th of January a new HTML filter will be implemented on the site which strips certain tags, attributes and values from cache descriptions which we have found to be of particular concern for the security of Geocaching.com users. After examining all the active caches in the database we have identified around 400 cache owners who will be directly affected by the change. As a courtesy to those cache owners we have setup this forum thread so owners can collaborate and discuss workarounds for the upcoming change.

 

All users owning one or more caches containing soon-to-be-filtered code will receive the following email:

 

Subject: Important notice to cache owners from Geocaching.com

 

Greetings from Groundspeak,

 

Beginning next Tuesday, January 17th Geocaching.com will implement new HTML filtering rules for cache page descriptions. Although it is our sincere desire to allow cache owners as much creative freedom as possible, we find it increasingly necessary to restrict the use of JavaScript and other tags which may present security concerns for our users.

 

You are receiving this email because we have identified one or more geocaches owned by your account which may be affected by these new filtering rules implemented to enhance Geocaching.com user security. Please note that filtering on your caches will only be enforced if and when your cache is edited, and not automatically after the release on Tuesday. This means you have an opportunity now to make changes without worry of losing your code. Provided you do not edit your cache description after January 17th, it will remain in its current form and nothing will change.

 

If you do change your cache page after January 17th, the effect that filtering will have on your cache page(s) may vary depending on which code will be removed, and in some cases you may not be aware of any changes at all.

 

To see a list of tags and attributes which will be filtered, and to discuss workarounds with your fellow cache owners, please visit the forum:

 

http://forums.Groundspeak.com/GC/index.php?showtopic=288736

 

Protecting our users’ security and the integrity of Geocaching.com is our highest priority. We sincerely apologize for any unintended consequences as a result.

 

Happy Geocaching!

 

The Groundspeak Team

 

 

Affected Tags:

 

style

 

Affected Attibutes:

 

All events that invoke JavaScript

onclick

onmouseover

onmouseout

onmousedown

(see the complete list here: http://www.w3schools.com/jsref/dom_obj_event.asp)

 

Affected Values:

 

All hrefs that invoke Javascript.

e.g.: <a href=”javascript:alert(‘You clicked me.’)” > click me</a>

 

Beginning Tuesday you will find that cache creation and edit pages contain a new "whitelist" of code approved for use in cache descriptions to help cache owners understand what is allowed and what will be filtered.

 

Wt8Pi.png

 

As mentioned in the email above, it is important for us not to stifle the creativity of caches listed on the site, but we are equally concerned with protecting our users from malicious code inserted in cache descriptions. This puts us in a difficult position but we feel we have found a good balance between the two with these changes. Thanks for your understanding!

Link to comment

I believe I have a couple where I have the "click on" link that will send a cacher to another site, usually another cache page, to get information on how to solve a puzzle or complete a challenge cache.

 

That's just my guess.

 

Just a quick question: does this include the Geochecker.com link?

Edited by ao318
Link to comment

 

All users owning one or more caches containing soon-to-be-filtered code will receive the following email:

 

 

Dear Opinionate

 

A friend of mine has 107 cache listings and there is noticeable effort to identify the affected ones. Why didn't you include a list of caches in your e-mail to the owners?

 

regards,

kreizweh

Link to comment

On Tuesday the 17th of January a new HTML filter will be implemented on the site which strips certain tags, attributes and values from cache descriptions which we have found to be of particular concern for the security of Geocaching.com users. After examining all the active caches in the database we have identified around 400 cache owners who will be directly affected by the change. As a courtesy to those cache owners we have setup this forum thread so owners can collaborate and discuss workarounds for the upcoming change.

 

All users owning one or more caches containing soon-to-be-filtered code will receive the following email:

 

Subject: Important notice to cache owners from Geocaching.com

 

Greetings from Groundspeak,

 

Beginning next Tuesday, January 17th Geocaching.com will implement new HTML filtering rules for cache page descriptions. Although it is our sincere desire to allow cache owners as much creative freedom as possible, we find it increasingly necessary to restrict the use of JavaScript and other tags which may present security concerns for our users.

 

You are receiving this email because we have identified one or more geocaches owned by your account which may be affected by these new filtering rules implemented to enhance Geocaching.com user security. Please note that filtering on your caches will only be enforced if and when your cache is edited, and not automatically after the release on Tuesday. This means you have an opportunity now to make changes without worry of losing your code. Provided you do not edit your cache description after January 17th, it will remain in its current form and nothing will change.

 

If you do change your cache page after January 17th, the effect that filtering will have on your cache page(s) may vary depending on which code will be removed, and in some cases you may not be aware of any changes at all.

 

To see a list of tags and attributes which will be filtered, and to discuss workarounds with your fellow cache owners, please visit the forum:

 

http://forums.Groundspeak.com/GC/index.php?showtopic=288736

 

Protecting our users’ security and the integrity of Geocaching.com is our highest priority. We sincerely apologize for any unintended consequences as a result.

 

Happy Geocaching!

 

The Groundspeak Team

 

 

Affected Tags:

 

style

 

Affected Attibutes:

 

All events that invoke JavaScript

onclick

onmouseover

onmouseout

onmousedown

(see the complete list here: http://www.w3schools.com/jsref/dom_obj_event.asp)

 

Affected Values:

 

All hrefs that invoke Javascript.

e.g.: <a href=”javascript:alert(‘You clicked me.’)” > click me</a>

 

Beginning Tuesday you will find that cache creation and edit pages contain a new "whitelist" of code approved for use in cache descriptions to help cache owners understand what is allowed and what will be filtered.

 

Wt8Pi.png

 

As mentioned in the email above, it is important for us not to stifle the creativity of caches listed on the site, but we are equally concerned with protecting our users from malicious code inserted in cache descriptions. This puts us in a difficult position but we feel we have found a good balance between the two with these changes. Thanks for your understanding!

 

As of right now (and i dont think it ever was allowed) you CAN NOT use BGSOUND on a cache page.

Link to comment

 

Just a quick question: does this include the Geochecker.com link?

 

I'd be curious about this as well. I have links to PDF's and use geocheck.org.

Everyday run-of-the-mill links wouldn't be affected. Geochecker and Geocheck are simply links to the respective websites. If they were affected, there'd be a lot more than 400 owners affected.

Link to comment

I too am having trouble identifying which caches will be affected. I am sure of two but not sure if there are others. Can you give us a list of tags that WILL BE STRIPPED? Or even a partial list?

This would have been far more usable... find what'll be removed, and adjust, rather than scan everything to make sure it's in the whitelist... *shrug*

Link to comment

I used GSAK together with the DBTextSearchMacro to identify candidates to search cache descriptions by keywords:

 

style,onblur,onchange,onclick,ondblclick,onerror,onfocus,onkeydown,onkeypress,onkeyup,onload,onmousedown,

onmousemove,onmouseout,onmouseover,onmouseup,onresize,onselect,onunload,javascript

 

But I'm still not sure, if this method catches all possible affected listings.

Link to comment

Then so are all external references to other Web sites banned?

(Examples: GeoChecker, Wikipedia, references to other caches ...)

 

And that with only 400 owner ... around the world :unsure: ?

 

Can you send me a list of my caches that are affected?

 

Thank you very much

BKA

Edited by BKA
Link to comment

It seems like I'm not the only one confused. Why did Groundspeak just announce this Friday and implementing it on Tuesday...that doesn't give us enough time to figure out which cache pages are affected. I use the Mozilla Firefox "Xinga" HTML editor to do my cache pages when I'm using HTML. Is it all of it, or just certain links, etc? Geochecker? pictures? This is so confusing because I don't actually write the language, I use the HTML editor to write it.

 

I need some more help than "what is allowed"...has anyone found anyone speaking in layman's terms out there that can help us?

Link to comment

I am a complete "technical dyslectic". I know where to start my computer and by the time and with help from other users I found out how to upload a listing with a layout that may be judged to be a little bit more appealing than a pure text listing. For that reason, it somehow makes me proud now, being just one of 400 owners worldwide causing such a massive security concern :ph34r::ph34r::ph34r::P:P:P:D:D:D

 

How to understand this cryptic e-mail from Groundspeak :huh:

 

Seems that this is just another D5 mystery ? :mad: :mad: :mad:

 

I am not that "EDP Admin type of guy" and have no clue what to do know (reading the forum entries, it seems I am in good company). At least Groundspeak should have provided a hint on which caches are concerned.

 

Since there is no reliable and understandable information available, I will just wait until 17th now and see what happens.

 

If that causes that one or more of my caches will not be available anymore, then it is like this...Anyway I can not change it... :blink::blink::blink:

Link to comment

It seems like I'm not the only one confused. Why did Groundspeak just announce this Friday and implementing it on Tuesday...that doesn't give us enough time to figure out which cache pages are affected. I use the Mozilla Firefox "Xinga" HTML editor to do my cache pages when I'm using HTML. Is it all of it, or just certain links, etc? Geochecker? pictures? This is so confusing because I don't actually write the language, I use the HTML editor to write it.

 

I need some more help than "what is allowed"...has anyone found anyone speaking in layman's terms out there that can help us?

 

This pretty much sums up where I am at.

I will be glad to comply and edit my listings, but don't have the technical ability to determine which are the culprits. The HTML editor I use does the dirty work. I just type and click.

I need help with this.

Link to comment

On Tuesday the 17th of January a new HTML filter will be implemented on the site which strips certain tags, attributes and values from cache descriptions which we have found to be of particular concern for the security of Geocaching.com users. After examining all the active caches in the database we have identified around 400 cache owners who will be directly affected by the change. As a courtesy to those cache owners we have setup this forum thread so owners can collaborate and discuss workarounds for the upcoming change.

 

All users owning one or more caches containing soon-to-be-filtered code will receive the following email:

 

...

 

Hello,

 

<tag name="marquee">

- <attr name="align">

<val>top</val>

<val>middle</val>

<val>bottom</val>

</attr>

 

doesnt work, but its listed as valid HTML-Tag. The Tag was filtered out. Please correct it. I think there is no security problem with this TAG.

 

Best wishes Fantasy2004

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
Followers 6
×
×
  • Create New...