SOUR citation include URL as HTML code

Help
macalter
2009-01-09
2013-05-30
1 2 > >> (Page 1 of 2)
  • macalter
    2009-01-09

    Within text of my SOUR citation, I'd like to include words that actually are a hotlink to a website. But, without the ugly URL, rather <a href="yourdomain.com" target="_blank">YOUR DOMAIN</a> so that YOUR DOMAIN words can be clicked (and open in new window).

    Am I dreaming that this would be a possibility (not 4.1.5, I know the drill....)? 

     
    • Stew Stronski
      2009-01-09

      Not possible. The gedcom spec doesn't support html because it isn't really designed as a web format. So any html you put in is going to be encoded as %XX. It's also something of a security risk to allow html in notes or sources without a very good sanitizing routine.

       
    • kiwi_pgv
      2009-01-09

      Stew's right I'm afraid, Mac. In the past it has been possible, but the security risk just isn't worth it.

       
    • Warren Meads
      2009-01-09

      If you are prepared for the security risk it is possible to have this in the Source record itself.

      If you set up a source and put the link in the title as follows this will work

      1 TITL <a href="http://your_website.com" target="_blank">A link to the website</a>

       
      • Greg Roach
        2009-01-09

        You shouldn't have told me that.  I'll have to put a stop to that behaviour.

        Users should not be allowed to enter HTML.

        One person's "convenience" is everyone else's security vulnerability.

         
      • Wes Groleau
        2009-01-09

        I used to take advantage of that, but it had an unfortunate side-effect: You can't get to the PGV source.php?sid= page by clicking the title.  So I changed mine to have a text title and
        2 NOTE Online at http:......

        I'm puzzled by some details, though.  If PGV code makes a URI linkable, isn't the same security risk there?  I mean if I somehow have access to insert

        1 TITL <a href="something bad">something good</a>

        and PGV sanitizes it, then what stops me from changing it to

        1 TITL something bad

        which PGV changes to

        1 TITL <a href="something bad">something bad</a>

        It's a LITTLE more secure, but people will still click on it.

        And if a bad guy is changing my records, haven't I already lost the security battle?

         
        • Greg Roach
          2009-01-09

          We only convert things that look like URLs.  Therefore there can't be any hidden script.

          Suppose a user entered

          <a href="http://www.ancestry.com">Ancestry</a><script type="text/javascript">evil();</script>

          If we just passed this to the browser, you'd get your pretty link - plus a nasty hidden payload.

          <<And if a bad guy is changing my records, haven't I already lost the security battle? >>

          Suppose a new user registers, claiming to be your fourth cousin, offering to add/update/correct some info in your tree, would you approve their account?  Most people would.  After all, you still need to approve his changes, right???

          But, just the very act of viewing his change (even if you reject it) will trigger the javascript, which is enough for him to gain an admin account on your server, and from there the ability to upload his own malware onto it.  Game over.

          You should not allow non-admin users to write their own HTML on your server.

           
          • Wes Groleau
            2009-01-12

            Explanation understood.  Concur with "putting a stop to that behaviour."  :-)

             
      • macalter
        2009-01-10

        I revised things. Think what happened is when a SOUR is ADDED, you don't get the WWW field until you edit the SOUR. I forgot and therefore tried to add with the text. Didn't occur to me of security but now that you say it's so, will refrain from future endeavours. Thanks.

        Can I assume using the WWW tag within the SOUR is okay? Or, is there a preferred way to enter a URL? I can't skip it in this instance as it takes you to the page that not only shows the source in entirety but acknowledges personal use is permitted.

         
        • Stew Stronski
          2009-01-10

          Depending on the source I usually add the url in the Text field of the source and let PGV make it clickable. Or occasionally I put it in the Citation field.

          Either way gives you a clickable link direct to the page you specified. No fuss, no muss.

           
    • At the moment, in 4.1.6, URLs in notes are turned into links by expand_urls(). Is this feature gone for 4.2, or am I misunderstanding this? And if it's OK to expand a URL in a note, why not in a source?

       
    • Greg Roach
      2009-01-09

      <<At the moment, in 4.1.6, URLs in notes are turned into links by expand_urls()>>

      This is unchanged.

      <<I misunderstanding this?>>

      Possibly.  It is the difference between the user entering a URL (which PGV will convert to a link) and the user entering HTML.

      Thus, the user can enter

      1 NOTE Details found in http://www.ancestry.com

      But they shouldn't be allowed to enter

      1 NOTE Details found in <a href="http://www.ancestry.com">Ancestry</a>

      If we allow the latter, we open up a number of security vulnerabilities.

       
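      Added example (not PhpGedView's own code): the escape-then-linkify rule Greg describes above and in his earlier reply about the hidden <script> payload, written out in Python. The function name expand_urls is borrowed from this thread, but the implementation, the URL regular expression and the rel="noopener noreferrer" attribute on the generated links are my assumptions, not PGV's. The sample strings at the bottom are the ones quoted in the thread, plus one constructed line with a javascript: scheme to show that it is never turned into a link.

```python
import html
import re

# Only absolute http/https URLs qualify; anything else (javascript:, data:,
# bare "www." names) stays plain text. The character class stops at
# whitespace and at the HTML delimiters < > " ' so that user-written markup
# around a URL is never swallowed into the href.
URL_RE = re.compile(r'https?://[^\s<>"\']+')

# Sentence punctuation immediately after a URL is almost never part of it.
TRAILING_PUNCT = '.,;:!?)'


def expand_urls(text: str) -> str:
    """Escape user text for HTML, then wrap bare URLs in anchors.

    Every character of the input goes through html.escape(), including the
    URL itself when it is reused as the href attribute, so user-supplied
    markup reaches the browser only as literal text, never as markup.
    """
    out = []
    pos = 0
    for m in URL_RE.finditer(text):
        # Text before the URL: plain, escaped.
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        trail = ''
        while url and url[-1] in TRAILING_PUNCT:
            trail = url[-1] + trail
            url = url[:-1]
        safe = html.escape(url)  # quote=True by default: " and ' are escaped
        out.append(
            f'<a href="{safe}" target="_blank" rel="noopener noreferrer">{safe}</a>'
        )
        out.append(html.escape(trail))
        pos = m.end()
    # Text after the last URL: plain, escaped.
    out.append(html.escape(text[pos:]))
    return ''.join(out)


if __name__ == '__main__':
    samples = [
        # Quoted in this thread: a URL the user may enter.
        'Details found in http://www.ancestry.com',
        # Quoted in this thread: HTML the user must not be able to inject.
        'Details found in <a href="http://www.ancestry.com">Ancestry</a>',
        # Quoted in this thread: pretty link plus hidden payload.
        '<a href="http://www.ancestry.com">Ancestry</a>'
        '<script type="text/javascript">evil();</script>',
        # Constructed: a non-http scheme is left as text.
        'Click javascript:alert(1)',
    ]
    for s in samples:
        print(s)
        print('  ->', expand_urls(s))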
    • Greg Roach
      2009-01-09

      Oh, and this should now be blocked in SVN (sorry Warren!)

      If you find anywhere else that allows a user to enter HTML, please post a bug report for it.

       
    • >Possibly. It is the difference between the user entering a URL (which PGV will convert to a link) and the user entering HTML.

      OK, on re-reading the O.P. I see the difference. Still, two observations:

      1) the target="_blank" bit caught my eye. The expand_urls() function seems to have this but the resultant URLs don't. Would be nice.

      2) URLs in sources (publication field) aren't expanded while URLs in notes are.

       
      • Greg Roach
        2009-01-09

        <<2) URLs in sources (publication field) aren't expanded while URLs in notes are.  >>

        Raise a feature request for this....

         
        • > Raise a feature request for this.... 

          Done. What about the first part? Are the URLs supposed to be _blank?

           
          • macalter
            2009-01-10

            Anton:  correct syntax would be <a href="http://yourdomain.com" target="_blank"> which forces a new window to open with the URL, rather than using the existing window.

            All said and done, I vote for security over the URL! Browsers/email are more intelligent today so even skipping the http:// can still create a valid URL. So, how crippled should a URL be to not create a hyperlink? It's easy to say "see Ancestry.com" but many URLs are written with complex addresses.

             
            • OK, on the _blank question it turns out I was just having a browser issue. FF is reusing windows even when the _blank is specified, but in IE I get the expected behavior.

              Still wish the URLs in 1 SOUR records were expanded...

              As for the question of having clickable URLs at all, seems to me that PGV's approach is good. If PGV can only write basic URLs (with the _blank target, nothing more complicated than that) it seems reasonably safe. If the website in the URL has some nasty payload, that's beyond what PGV can influence but safe surfing is up to the user.

              If I have a URL in a record, I want it to be clickable. If I didn't want it to be clickable, I wouldn't write it out. If browsers make links out of shortened versions, well, theoretically a browser could see that it was on a genealogy website and make a link out of every occurrence of the words ancestry or genealogy. I don't see a need to fight that; if a browser is making bad decisions it will fall out of use.

               
              • Wes Groleau
                2009-01-13

                "theoretically a browser could see that it was on a genealogy website and make a link out of every occurrence of the words ancestry or genealogy"

                And what would it link to?

                I'd personally prefer that "www.ancestry.com" not be gratuitously turned into a link, but I understand.

                And if "ancestry" in the URI field gets www and .com added, I can understand that, too.

                But for a browser to make wild guesses out of normal words in normal text, that's completely absurd.

                 
                • I'm not advocating any kind of browser 'intelligence'. That's why I avoid IE now. :)

                  I'm just saying that I think PGV's existing URL treatment is a fine compromise between security and functionality, and that whatever a browser or browser extension does (same way an email client might) is not a concern.

                   
                  • Wes Groleau
                    2009-01-14

                    How about "forum intelligence" ?

                    I did NOT put the http in my post.  I only put the domain name, intending to discuss how some browsers will automatically try "www" and "http" if something looks like a domain name.

                    It never occurred to me that this #$^%& forum would make it clickable AND add those for the viewer!

                     
    • Greg Roach
      2009-01-12

      <<Still wish the URLs in 1 SOUR records were expanded... >>

      I think they are.  e.g.

      1 SOUR @S123@
      2 PAGE This is expanded: http://www.example.com/page.html
      3 DATA
      4 TEXT This too: http://www.example.com/page.html

       
    • Hmm, doesn't happen for me. See if you can see this:

      http://www.largiader.com/family/source.php?sid=S1

       
      • Greg Roach
        2009-01-13

        Why not use

        1 WWW url

        instead of

        1 PUBL url

         