> "No parameters can be added to |- tags; not that I ever saw a table on wikipedia which uses that!"
If you search the en: cur sql dump file for '<tr ' you will find hundreds of examples;
Most are in these categories: <tr style=background:#efefef ;> <tr valign="bottom"> <tr bgcolor="#CCFFFF"> <tr align="center">
Secondly, I suggest using another character for captions.
|_ is too similar to |- and therefore hard to detect when editing the source, easy to confuse and mistype.
Erik Zachte
Erik Zachte wrote:
>> "No parameters can be added to |- tags; not that I ever saw a table on wikipedia which uses that!"
> If you search the en: cur sql dump file for '<tr ' you will find hundreds of examples;
Yes, but now subtract those that are used in "standard" tables like the elements tables; we want to cover these by CSS anyway, right?
Now, subtract those that are applied wrongly (e.g., Alexander I of Russia: <tr align="center"> in a table with only one row...)
Now, subtract those that can be easily done just as well by <td ...>
Of the remaining ones (if any), which are absolutely necessary (meaning, don't serve some doubtful decorative purpose;-) ?
> Secondly, I suggest using another character for captions.
> |_ is too similar to |- and therefore hard to detect when editing the source, easy to confuse and mistype.
I am open to suggestions!
Magnus
JavaScript needs to be disabled in parameters.
http://www.wikipedia.org/wiki/JavaScript_table_security_hole
Try to click on the link to Main Page. The JS there is harmless but there are so many possible things one can do with it....
For that matter, parameters need to be checked for sanity. If you look at the wikisource and the HTML source of that page, the table has the meaningless attributes "foo 15". Not foo=15, foo and 15 separately. A check needs to be made for approved attributes, just like the check for approved HTML tags.
-Geoffrey Thomas geoffreyerffoeg@yahoo.com
On Tue, 2003-09-16 at 14:39, Geoffrey Thomas wrote:
> JavaScript needs to be disabled in parameters.
> http://www.wikipedia.org/wiki/JavaScript_table_security_hole
That page doesn't exist...?
JavaScript is stripped from HTML, or it's supposed to be. Of course, there's an Internet Explorer-related CSS hole that needs to be plugged, and right now you can put anything you want in an uploaded HTML file... *ahem*
-- brion vibber (brion @ pobox.com)
--- Brion Vibber brion@pobox.com wrote:
> On Tue, 2003-09-16 at 14:39, Geoffrey Thomas wrote:
>> JavaScript needs to be disabled in parameters.
>> http://www.wikipedia.org/wiki/JavaScript_table_security_hole
> That page doesn't exist...?
> JavaScript is stripped from HTML, or it's supposed to be. Of course, there's an Internet Explorer-related CSS hole that needs to be plugged, and right now you can put anything you want in an uploaded HTML file... *ahem*
> -- brion vibber (brion @ pobox.com)
Ah, sorry. Forgot to click save. ;-) Server was a bit slow so I got distracted....
--- Brion Vibber brion@pobox.com wrote:
> On Tue, 2003-09-16 at 14:39, Geoffrey Thomas wrote:
>> JavaScript needs to be disabled in parameters.
>> http://www.wikipedia.org/wiki/JavaScript_table_security_hole
> That page doesn't exist...?
> JavaScript is stripped from HTML, or it's supposed to be. Of course, there's an Internet Explorer-related CSS hole that needs to be plugged, and right now you can put anything you want in an uploaded HTML file... *ahem*
> -- brion vibber (brion @ pobox.com)
Whoops, sorry again. The page is on test wikipedia: http://test.wikipedia.org/wiki/JavaScript_table_security_hole
On Tue, 2003-09-16 at 14:48, Geoffrey Thomas wrote:
> Whoops, sorry again. The page is on test wikipedia: http://test.wikipedia.org/wiki/JavaScript_table_security_hole
Oh, in Magnus's magic table code. Sigh...
{| onMouseOver="alert('hey');" foo 15 |[[Main Page]] |}
I'm deleting the page.
-- brion vibber (brion @ pobox.com)
On Tue, 2003-09-16 at 15:00, Brion Vibber wrote:
> On Tue, 2003-09-16 at 14:48, Geoffrey Thomas wrote:
>> Whoops, sorry again. The page is on test wikipedia: http://test.wikipedia.org/wiki/JavaScript_table_security_hole
> Oh, in Magnus's magic table code. Sigh...
> {| onMouseOver="alert('hey');" foo 15 |[[Main Page]] |}
> I'm deleting the page.
Or rather, I'm not, since it's on the test wiki. Urgh, brain not running on full today.
-- brion vibber (brion @ pobox.com)
Instead of stripping JavaScript from the input, why not strip it from the output (of the body, not the whole page)?
That would solve this problem and anything similar.
> On Tue, 2003-09-16 at 23:02, Brion Vibber wrote:
>> On Tue, 2003-09-16 at 15:00, Brion Vibber wrote:
>>> On Tue, 2003-09-16 at 14:48, Geoffrey Thomas wrote:
>>>> Whoops, sorry again. The page is on test wikipedia: http://test.wikipedia.org/wiki/JavaScript_table_security_hole
>>> Oh, in Magnus's magic table code. Sigh...
>>> {| onMouseOver="alert('hey');" foo 15 |[[Main Page]] |}
>>> I'm deleting the page.
>> Or rather, I'm not, since it's on the test wiki. Urgh, brain not running on full today.
>> -- brion vibber (brion @ pobox.com)
On Tue, 2003-09-16 at 15:05, Chris Seaton wrote:
> Instead of stripping JavaScript from the input, why not strip it from the output (of the body, not the whole page)?
> That would solve this problem and anything similar.
The body may contain legitimate javascript, such as the table of contents show/hide code.
-- brion vibber (brion @ pobox.com)
Brion Vibber wrote:
> On Tue, 2003-09-16 at 14:48, Geoffrey Thomas wrote:
>> Whoops, sorry again. The page is on test wikipedia: http://test.wikipedia.org/wiki/JavaScript_table_security_hole
> Oh, in Magnus's magic table code. Sigh...
> {| onMouseOver="alert('hey');" foo 15 |[[Main Page]] |}
OK, I hacked a little filter that will remove all parameters from table, td, and th that
- start with "on" (no JavaScript)
- have no value and are not "nowrap" ("foo" and "15" above)
It is quick'n'dirty, though. Perhaps we should use some code from removeHTMLtags instead?
Magnus
On Wed, 2003-09-17 at 00:41, Magnus Manske wrote:
> OK, I hacked a little filter that will remove all parameters from table, td, and th that
> - start with "on" (no JavaScript)
> - have no value and are not "nowrap" ("foo" and "15" above)
In general it's safer to only allow known safe things than to allow anything but known unsafe things. If a new unsafe attribute or tag comes into existence, you're not protected against it.
> It is quick'n'dirty, though. Perhaps we should use some code from removeHTMLtags instead?
Ahhh, code reuse. :)
-- brion vibber (brion @ pobox.com)
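An added illustration of the two approaches argued over above, written for this page and not taken from MediaWiki or from Magnus's actual filter: the blocklist rule as described in the thread (drop "on*" and valueless attributes except nowrap) beside an allowlist of known-safe attribute names, run over the `{| onMouseOver=... foo 15` line from the test wiki. The allowlist contents, the attribute grammar and the function names are assumptions for this example.

```python
import re

# Constructed allowlist (an assumption for this example, not MediaWiki's own list).
ALLOWED_ATTRS = {
    "table": {"align", "bgcolor", "border", "cellpadding", "cellspacing",
              "style", "width"},
    "tr": {"align", "bgcolor", "style", "valign"},
    "td": {"align", "bgcolor", "colspan", "nowrap", "rowspan", "style",
           "valign", "width"},
}
ALLOWED_ATTRS["th"] = ALLOWED_ATTRS["td"]

# One attribute: a name, optionally =value (quoted or bare); "foo" or "15" alone -> None.
_ATTR_RE = re.compile(
    r"""([A-Za-z0-9][-A-Za-z0-9]*)\s*(?:=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?""")

def parse_attrs(raw):
    """Split the text after '{|', '|-' or '|' into (name, value) pairs."""
    pairs = []
    for m in _ATTR_RE.finditer(raw):
        name, value = m.group(1).lower(), m.group(2)
        if value is not None and value[0] in "\"'":
            value = value[1:-1]          # strip the surrounding quotes
        pairs.append((name, value))
    return pairs

def filter_blocklist(raw):
    """The quick'n'dirty rule from the thread: drop attributes starting with 'on'
    and valueless ones other than 'nowrap'; anything unvetted passes through."""
    return [(n, v) for n, v in parse_attrs(raw)
            if not n.startswith("on") and (v is not None or n == "nowrap")]

def filter_allowlist(tag, raw):
    """Keep only attributes known to be safe for this tag; a new event handler
    or an unknown attribute is rejected without any code change."""
    allowed = ALLOWED_ATTRS.get(tag, set())
    return [(n, v) for n, v in parse_attrs(raw) if n in allowed]

def render(tag, pairs):
    """Emit the HTML start tag with the surviving attributes re-quoted."""
    parts = [tag] + [n if v is None else f'{n}="{v.replace(chr(34), "&quot;")}"'
                     for n, v in pairs]
    return "<" + " ".join(parts) + ">"

def sanitize_table_open(line, mode="allowlist"):
    """Turn a '{| ...' wiki line into a <table> tag using the chosen filter."""
    raw = line[2:] if line.startswith("{|") else line
    pairs = (filter_allowlist("table", raw) if mode == "allowlist"
             else filter_blocklist(raw))
    return render("table", pairs)
```

Both filters strip the `onMouseOver` handler and the stray `foo 15`, but only the allowlist also drops an attribute nobody has vetted; allowlisting names alone still says nothing about attribute values such as `style`, which the Internet Explorer CSS hole mentioned earlier would also require checking.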