<iframe src="http://fusiongroups.net/test.html" />
I noticed this a while back... it seems that any HTML in the first part of the body of a message gets interpreted in that little preview box that shows the first part of a thread when you mouse over the title in a forum view... is this known about/considered a problem? If my suspicions are correct, mousing over this thread's title on the DaniWeb community board listing page will execute some JavaScript from another server in a child context of a DaniWeb page = not good.
Plato forgot the nullahedron..
Go to the list of all threads in this forum, or to anywhere where a hyperlink to this thread exists ( including user control panel it seems ), mouse over the link to this thread until the summary of the message content pops up ( little yellow box )..
Screenshot attached. Do you normally get a little yellow summary box when you mouse over a message? If you don't for whatever reason ( browser etc ), then you're 'immune'..
HTML isn't disabled globally. If it was, we'd be looking at plaintext and manufacturing our own post requests.. It's disabled in posts because it is escaped; seemingly at point-of-request rather than at point-of-receipt... or perhaps the summary is extracted at point of receipt, before the escaping has been done. Either way; it's a security risk.
Plato forgot the nullahedron..
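The post above suspects that the mouse-over summary is taken from the message body before escaping is applied. The following Python sketch is an added example, not part of the thread and not DaniWeb's code; the function names, the 60-character preview length and the sample body are assumptions. It renders the same body through an unescaped and an escaped preview path and lists which elements an HTML parser creates from each.

```python
import html
from html.parser import HTMLParser

PREVIEW_LEN = 60  # assumed; the thread does not give the real preview length

# Constructed sample post body; example.invalid is a reserved placeholder host.
SAMPLE_BODY = '<iframe src="http://example.invalid/x.html" /> I noticed this a while back'


def preview_unescaped(raw_body, limit=PREVIEW_LEN):
    """Suspected behaviour: summary cut from the raw body and emitted as-is."""
    return '<div class="preview">' + raw_body[:limit] + "</div>"


def preview_escaped(raw_body, limit=PREVIEW_LEN):
    """Cut the raw text first, then escape at the point of output.

    Escaping first and cutting afterwards could split an entity such as
    &lt; in half, so the order matters.
    """
    snippet = html.escape(raw_body[:limit], quote=True)
    return '<div class="preview">' + snippet + "</div>"


class _TagCollector(HTMLParser):
    """Records every element the parser opens while reading the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered):
    """List the elements an HTML parser creates from a rendered preview."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for render in (preview_unescaped, preview_escaped):
        out = render(SAMPLE_BODY)
        print(render.__name__, tags_in(out))
        print("   ", out)
```

A check like `tags_in` can serve as a regression test for every place a post body is rendered, since the full post view and the preview are separate output paths.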
OK, you're using Opera, that might explain it....
I'm using MyIE2 and it doesn't pop up for me (I don't expect it should)
Maybe Opera still executes the script locally instead of from the site?? (I'm telling you 'HTML' is disabled on this site!!)
<a href="http://www.daniweb.com/forums">See what i mean?</a>
Now is that formatted correctly for you?? (It shouldn't be if it is)
Ah well......