Another SIYE bug?


Phil Boswell

Jun 6, 2008, 9:50:10 AM
to TheCrackedMuggle
I posted a review which can be found here (time-stamp 2008-06-06
08:41:37):
http://www.siye.co.uk/siye/reviews.php?sid=127904&chapid=20803

When I originally composed it, I included an emoticon which seems to
have bogged up the system: ">_<"

I didn't notice at first, but my review was initially rejected on the
grounds that it included a broken HTML tag. When I did notice it, I
realised that many characters were quoted with backslashes and
proceeded to do the same to my emoticon. I also noticed that there
were *visible* <br/> tags but thought nothing of it.

When it posted, the end of my review after that emoticon was lost, and
the emoticon itself was mutilated (">_)". The <br/> tags had been
augmented resulting in double-spaced paragraphs.

What's really strange is that on my "Alternate Stats" page the review
is being displayed with the backslashes in place (eg "\>_\") but they
are not visible on the above-linked page.

What gives? and is there any chance we could have a "preview" facility
for reviews to avoid being caught like this? Alternatively, if there
*is* an error, the text presented for correction should be the
original text, not the half-converted HTML version which then gets
reconverted as above.

TIA HAND
--
Phil
...who is now curious as to whether this message will be transmitted
unscathed.

melkior

Jun 6, 2008, 10:14:41 AM
to TheCrackedMuggle
The review function on SIYE parses the text of the review and adds the
<br /> tags on its own. Again, it also checks for broken tags.
Writing complicated emoticons is not really encouraged, and adding
preview to the reviews function would change the interaction
complexity unnecessarily, especially since this is the first complaint
of this type I have ever received.

The Alternate Stats doesn't show the same formatting as the reviews to
let the users see all of the elements.

There are thousands of 'smileys' and using the basic ones _can_ convey
your message easily. It's nothing personal, but I simply don't want to
write 250 lines of code just so that a couple more emoticons can be
used.

Dino

omega13a

Jun 7, 2008, 6:04:42 PM
to TheCrackedMuggle
I don't blame you. There are more important things to do in life than to
make complex emoticons work. Keep it simple, though I have a tendency
not to do anything small so I think I'll shut up...

omega13a

Pfeilspitze "Mercredi" Armbrust

Jun 7, 2008, 8:09:23 PM
to thecrack...@googlegroups.com
On Sat, Jun 7, 2008 at 18:04, omega13a <omeg...@fedtrek.com> wrote:
>
> I don't blame you. There are more important things to do in life than to
> make complex emoticons work. Keep it simple, though I have a tendency
> not to do anything small so I think I'll shut up...
>

It could still be worth looking at, though.

It might not need to be fixed, but if it indicates a bug in the parser
or translator, it's a possible place for an SQL injection attack or
similar.

But that said, it sounds like an over-escaping problem, so it's probably safe.
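The round trip Phil reports (backslashes and visible <br /> tags in the error form, the emoticon swallowed as an unterminated tag, paragraphs double-spaced after posting), the parser Dino describes, and the over-escaping point in the reply above, as an added Python example that is not SIYE's code. The `buggy_*` functions are a hypothetical reconstruction of the reported behaviour, not the site's implementation; the `fixed_*` functions show the design Phil asks for: hand the original text back on error, escape exactly once on output, and bind the text as a query parameter rather than backslashing it. The sample review, the function names and the in-memory SQLite table are all constructed for the example.

```python
import html
import re
import sqlite3

# Constructed sample review (not from the page): an apostrophe, a paragraph
# break, and the emoticon from the thread followed by more text.
RAW_REVIEW = "I didn't see that coming!\nLoved the ending >_< write faster please"


def add_slashes(text: str) -> str:
    """Mimic PHP addslashes()/magic_quotes: a backslash before quotes and backslashes."""
    return re.sub(r"([\\'\"])", r"\\\1", text)


def nl2br(text: str) -> str:
    """Mimic PHP nl2br(): put <br /> in front of every newline."""
    return text.replace("\n", "<br />\n")


def has_stray_angle_bracket(text: str) -> bool:
    """The 'broken tag' check: a '<' or '>' that is not part of a complete <...> tag."""
    remainder = re.sub(r"<[^<>]*>", "", text)
    return "<" in remainder or ">" in remainder


# --- Hypothetical reconstruction of the behaviour reported in the thread ---

def buggy_error_form(raw: str) -> str:
    """Escape at input time, then hand the half-converted text back for correction."""
    return nl2br(add_slashes(raw))  # backslashes and visible <br /> tags in the textarea


def buggy_render(submitted: str) -> str:
    """Drop any '<' that never reaches a '>' together with everything up to the
    next tag or the end of the text, then add <br /> again."""
    stripped = re.sub(r"<[^<>]*(?=<|\Z)", "", submitted)
    return nl2br(stripped)


def buggy_round_trip(raw: str) -> str:
    """Submit, get rejected, backslash the emoticon by hand as Phil did, resubmit."""
    form_text = buggy_error_form(raw)
    resubmitted = form_text.replace(">_<", r"\>_\<")
    return buggy_render(add_slashes(resubmitted))  # escaped a second time on the way in


# --- Corrected design: keep the original text, escape exactly once on output ---

def fixed_submit(raw: str) -> tuple[str, str]:
    """Return ('error', text to put back in the textarea) or ('ok', rendered HTML).
    The stray-bracket policy is kept, as Dino prefers, but the author gets the
    original text back, escaped only so the browser displays it verbatim."""
    if has_stray_angle_bracket(raw):
        return ("error", html.escape(raw, quote=True))
    return ("ok", fixed_render(raw))


def fixed_render(raw: str) -> str:
    """HTML-escape once at output time, then add <br />. If the site chose to
    accept '>_<', it would render as '&gt;_&lt;' and nothing after it is lost."""
    return nl2br(html.escape(raw, quote=True))


def store_and_fetch(raw: str) -> str:
    """Store the raw text through a bound parameter (in-memory SQLite here):
    no backslash escaping is needed, none ends up in the database, and quotes
    or brackets in the review cannot alter the query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reviews (body TEXT)")
    db.execute("INSERT INTO reviews (body) VALUES (?)", (raw,))
    (body,) = db.execute("SELECT body FROM reviews").fetchone()
    db.close()
    return body


if __name__ == "__main__":
    print("buggy form :", buggy_error_form(RAW_REVIEW))
    print("buggy post :", buggy_round_trip(RAW_REVIEW))
    print("fixed form :", fixed_submit(RAW_REVIEW))
    print("fixed html :", fixed_render(RAW_REVIEW))
    print("stored     :", store_and_fetch(RAW_REVIEW))
```

Running it, `buggy_round_trip` reproduces every symptom in the report from one pass of escape-on-input plus one resubmission: the apostrophe picks up three backslashes, the text after the emoticon disappears, and each paragraph break carries two `<br />` tags. The fixed path never mutates the stored text, so the error form and the "Alternate Stats" view cannot disagree, and the only place the review is ever transformed is the single `html.escape` at render time. That is also why an over-escaping bug of this kind is a data-loss problem rather than an injection one, as the reply above says: with parameter binding the SQL layer never sees the review as code at all.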

omega13a

Jun 7, 2008, 8:20:23 PM
to TheCrackedMuggle
Don't say things like that! There was a bug in the word highlight
feature of phpBB that allowed people to inject code into the script to
be executed. About a month after the bug became public knowledge, some
moron wrote a worm that took advantage of that bug and within a couple
days, I was averaging 2,000 hack attempts from that worm a night for
like two months. None were successful due to my paranoia about
security (Constant vigilance I say!). I might want to add that my
paranoia about security drives all but one of my friends nuts.

On Jun 7, 5:09 pm, "Pfeilspitze \"Mercredi\" Armbrust"
<pfeilspi...@gmail.com> wrote:

Pfeilspitze "Mercredi" Armbrust

Jun 7, 2008, 8:30:41 PM
to thecrack...@googlegroups.com
On Sat, Jun 7, 2008 at 20:20, omega13a <omeg...@fedtrek.com> wrote:
>
> Don't say things like that! There was a bug in the word highlight
> feature of phpBB that allowed people to inject code into the script to
> be executed. About a month after the bug became public knowledge, some
> moron wrote a worm that took advantage of that bug and within a couple
> days, I was averaging 2,000 hack attempts from that worm a night for
> like two months. None were successful due to my paranoia about
> security (Constant vigilance I say!). I might want to add that my
> paranoia about security drives all but one of my friends nuts.
>

All the more reason to use a real statically-strongly-typed language
for web stuff, so that the compiler can prevent unsanitized input from
leaking through.

melkior

Jun 8, 2008, 5:59:21 AM
to TheCrackedMuggle
Actually, when the review function forbids stray > < characters, even
in the form of an emoticon, I consider that a good thing.

And I know how it works. I'm quite happy with the way it works.

Dino

On Jun 8, 2:30 am, "Pfeilspitze \"Mercredi\" Armbrust"
<pfeilspi...@gmail.com> wrote: