Loading...

Profiles | Forum

Zach Black Owner
Zach Black Nov 22 '18
    I enabled HTML for users profiles. Basically now you  can trick out  your profile like myspace days. You can add music players, videos, pics and just about anything with html code. 


Check out mine for a example. 


If you know of any good sites for music players , html editors  ect please post it here


Share:
AK
AK Nov 24 '18
NOTE TO ALL USERS REGARDING CUSTOM HTML:


If you do not do this correctly, you will likely hose your entire profile irreparably. 


Be sure to close your tags properly and double check your work before clicking save. 

Dark Enlightenment
Dark Enlightenment Nov 24 '18
Well, at least people will know I am a fictional girl that can afford to live in a fictional ridiculously cheap $500,000 condo on fictional Sunset Blvd. And now I am motherfucking stuck with that god damn Bob Dylan song.  It really is the end... of my ability to customize my profile.

 And didn't even get to sync Race War with a clip of the LA riots (also on autoplay). :D


I should blame the Jews.

The Forum post is edited by Dark Enlightenment Nov 24 '18
AK
AK Nov 25 '18
Yeah. Here's the run-down. When you right-click and view source on your profile, you'll notice all the neat colors that helps dorks like myself "see" what's going on just sort of turn to black right after the <iframe=...> 

without any closing tag? 



everything in black after that (and it's a lot) the browser has no idea what to do with, so it just ignores it. *it's wanting the </Iframe> you cock-teased it into thinking it would get with your lengthy and technical opening and it's not there! You withheld it, you perverse monster.


The "geniuses" that developed Oxwall decided that "yeah embedding the very script tags that make a profile function - especially the ones that allow you to undo changes - go at the bottom(!!!) of the DOM rather than using includes won't possibly cause any issues whatsoever". 


You do not have to be a software engineer to see what a terrible idea this is. It ends up allowing people to accidentally REM-out the very code that allows them to undo having done so. 


I might run this further up the chain in the Oxwall developer forum, but___ I dunno, man, I don't work for Oxwall and it becomes a matter of "I could... but how much do I really care?" - should I have to teach "them" what goes wrong when they allow for stuff like this? No way.


Not my fucking job type status. 



It's the only way to stay sane.


The Forum post is edited by AK Nov 25 '18
Dark Enlightenment
Dark Enlightenment Nov 25 '18


* It was likely caused by the limitations of the Samsung Galaxy's native browser (not Chrome). There was no way move around the widgets in customization. You close the widget you need to reset the page to get it back on the profile. I chose to close out the page in haste leading my breaking of Oxwall again. 

The Forum post is edited by Dark Enlightenment Nov 25 '18
AK
AK Nov 27 '18
ok___ so an HTML document is basically like a sandwich. 

Starts with <HTML> and ends with </HTML> - and every "tag" between that are also like little mini-sandwiches (and often smaller mini-sandwiches inside of other mini-sandwiches all inside the master sandwich)


Like

<HTML>


<HEAD>

</HEAD>


<BODY>


<IFRAME>

</IFRAME>


</BODY>


</HTML>


that's what the browser "expects" - sandwiches inside of sandwiches. If you forget to put the bottom bun on one of the inner sandwiches the browser just keeps looking for it, because who knows? Maybe you decided to do some freaky expert-mode-type nesting. 


So it's looking for this </IFRAME> tag - it expects this by virtue of its opening tag being there. It also does what it can to render the contents that are specified in the opening tag, but, because it can't find the </IFRAME> tag, it basically just gives up on trying to parse anything else that comes after it. Why this closing tag is missing - I don't know. I'm not psychic. The point is that it is not there.


It "fails fast" 


"Fail fast" is actually an industry term that I think you might enjoy - which is why I'm mentioning it at all. It applies equally to IT systems as it does to real systems. 


The principle of "Fail fast" is basically: as soon as errors and issues arise, you abandon the operation ASAP - you don't bother to try to correct it, make best-guesses as to what would fix it, or cover-it-up in order to make the system "seem" stable for the user. You "halt". You go "no, this is not right". Cease further processing immediately. Optionally, you report that there is an issue. You do this to prevent that original error from propagating in such a way as to generate untraceable errors further on down the pipe. GIGO is one thing when it's just one in and one out. It has all sorts of crazy implications if the system feeds other Is with garbage Os and so-on. It's as solid a way to design a system as it is to live life, I think. Basically "that ain't right, so stop right there IMMEDIATELY"


The browser cannot match the opening <IFRAME> with a corresponding </IFRAME> tag, so it just stops processing everything below that opening.  


It's the safest bet. 


The down side to this is that what is below that are the JavaScript functions that allow you to open your IMs and such - also the JavaScript functions that allow me to change your role. You can see this if you right-click and select view-source. 


Fun fact - if you do the same thing on 600C in their video sharing blog - forget to close the IFrame, the next user that replies to your post will have their reply merged with your original OP. 


One can elicit all sorts of spooky cool behavior playing around with this sort of thing. If you fuck-up intelligently, you can potentially do all sorts of nasty things to a web-site. Allowing users to inject HTML and JavaScript into a site is hella risky - the only way to mitigate those risks is to assert that browsers stop parsing and fail fast as soon as things don't look right because there's really no way a computer can differentiate between malicious intent and an honest mistake. 


https://dzone.com/articles/fail-fast-principle-in-software-development


^I swear 90% of that article consists of actual rules to live by. It's like life advice, basically.

The Forum post is edited by AK Nov 27 '18
Zach Black Owner
Zach Black Nov 28 '18
WTF? What did I just read that I can not comprehend? I can disable the HTML thing if it is a security risk. One dude years back drop a java script bomb that locked up the site. Which is why you see if you are a admin a button up top by navigation to disable javascript. Or you did at one point. I am not having issues nor has anyone ever brought one to my attention yet.?
AK
AK Nov 28 '18
There is no easier way to explain this: The main issue is that if you're going to insert HTML into your profile, you need to close the tags properly, otherwise you will hose your profile irreparably.


Secondary issue: Disabling javascript tags will not prevent XSS attacks. Whenever you allow users to enter HTML into the site, you're taking a gamble.

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


It can be fucked up unintentionally, or worse, intentionally.


The Forum post is edited by AK Nov 28 '18
Certain features and pages can only be viewed by registered users.

Join Now

Like and Share

Donate - PayPal

This site is largely funded by donations. You can show your support by donating. Thanks. Every dollar helps. You need not a PayPal to donate either just a debit or credit card.