cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefano Mazzocchi <stef...@apache.org>
Subject Re: OT: browser fun...(was: VOTE RESULTS...)
Date Wed, 07 May 2003 15:23:12 GMT
on 5/7/03 10:00 AM Vadim Gritsenko wrote:

> Sylvain Wallez wrote:
> 
> 
>>Bertrand Delacretaz wrote:
>>
>>
>>>Le Mercredi, 7 mai 2003, à 16:18 Europe/Zurich, Sylvain Wallez a écrit :
>>>
>>>
>>>>Totally OT, but about windows. Have you seen 
>>>>http://www.secunia.com/advisories/8642/ ? You even don't need an 
>>>>infinite loop to crash windows : just click on the file (without 
>>>>even opening it) and Boom ! Funny, eh ?
>>>
>>>
>>>
>>>Did you test it? 
>>
>>
>>
>>Yep ! It works as expected ;-)
> 
> 
> 
> Ditto. One of masterpieces - it is short and it works as expected.
> 
> 
> 
>>>I have put a live version of it at http://codeconsult.ch/bertrand/ 
>>>but I don't have the "right" software to test it ;-) 
>>
>>
>>
>>Your live version doesn't work, I guess because it's embedded in the 
>>page. These 3 tags have to be alone in the file. 
> 
> 
> 
> No, that's not correct. Limitation on the usage of current version of 
> this software is the following: form tag must not be included into body 
> tag but directly into html tag.
> :)

While we are OT, did you know that

 <i <i script="...">>

was treated as working HTMLT by IE before being patched? this was used
for some clever cross-site-scripting exploits thru posting user
comments. (for example, the comment changes the URL of the "buy it from
here" link to your own site and the user submits his credit card number
directly to *you*!)

Most sites use regexps to clear tags in user comments and the above
passed thru because nobody ever thought about such a stupid markup.

Now, I think those guys in Redmond need more sunshine and less jolt for
&deity; sake, how can you come up with such a bad parser? Ah, I think I
know: one day a manager forgets to close its tag and he wants the parser
to fix that mistake for him so that

 <i blah</i>

is treated as good markup anyway. And the poor programmer has to do
*millions* of lines of code to catch all possible issues and forgets
one. One that kills everything else.

Gotta love manager-oriented programming. ;-)

-- 
Stefano.



Mime
View raw message