Thread: [Cppcms-users] Why wikipp calls document.write() to generate simple <form> tag?
From: CN <cn...@fa...> - 2016-01-25 09:25:08
Hello!

I noticed the part of the file "page.tmpl" below in wikipp a long time ago.

<script type="text/javascript">
<!--
document.write('<for')
document.write('m actio')
document.write('n="')
document.write('<%= submit %>" me')
document.write('thod="po')
document.write('st">')
-->
</script>

I have no idea about the moral of such a design, but I did not ask why. I think I should not keep pretending to understand it any more! What is funny is that, trying to figure out why, I ended up running into an article saying that document.write() doesn't work with Firefox when it encounters XHTML :-)

Could anyone clarify for me: why is the most simple and straightforward HTML code "<form>" not used instead?

Thank you in advance!
Best Regards,
CN

--
http://www.fastmail.com - The way an email service should be
From: mawan s. <ma...@gm...> - 2016-01-25 09:31:05
I think it is not debatable .. just a style of programming only ..
From: CN <cn...@fa...> - 2016-01-25 09:43:08
Thanks for the prompt clarification! I am not debating. As long as its design has nothing to do with attack protection, I will leave it as is.

Best Regards,
CN

On Mon, Jan 25, 2016, at 05:30 PM, mawan sugiyanto wrote:
> i think it is not debatable .. just style of programming only ..

--
http://www.fastmail.com - A fast, anti-spam email service.
From: Artyom B. <art...@gm...> - 2016-01-25 09:34:46
It is a simple spam robot filter, i.e. most spam bots search the HTML for the form tag and look for the post address to send some garbage. Most of them do not run JavaScript, so they wouldn't find the address to post data to unless they write specific code for wikipp - which likely isn't something bot writers would bother with.

Simple but yet efficient anti-robot security layer.

Artyom
From: CN <cn...@fa...> - 2016-01-25 09:51:42
Aha! Artyom, many thanks again for yet another precious lesson in secure HTML design!

I do not see this recipe in the tutorial. Isn't it a good idea to add it to the "security design" chapter?

Best Regards,
CN

--
http://www.fastmail.com - Choose from over 50 domains or use your own
From: Artyom B. <art...@gm...> - 2016-01-25 10:26:29
On Mon, Jan 25, 2016 at 11:51 AM, CN <cn...@fa...> wrote:
> Aha! Artyom, many thanks again for yet another precious lesson of
> secured HTML design!
>
> I do not see this recipe in tutorial. Isn't it a good idea to add it to
> "security design" chapter?

Not really... It is one of 1000 tricks to work on bots. If it becomes common then bots would know how to find them, i.e. they wouldn't run an entire JS engine but rather search for document.write.

See, it isn't really a security feature, as it doesn't enhance security; it rather limits users who do not run JavaScript from using the form, which isn't always desirable. It works in this particular case but it does not help in general.

Fighting spammers is a never-ending battle that needs you to trick a spammer or detect one. In my bot fight I needed to do many things, sometimes ones that are very tied to a specific application domain. So there is no "general way to go".

Finally it is your effort vs his effort - your trick vs his. It is very different from general secure programming, which is about stopping a bad guy who knows exactly what you are doing and can do whatever he wants to hack your system.

Artyom
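To make Artyom's two points above concrete (the split document.write only hides the form from a scraper that never executes scripts, and it removes the form entirely for a visitor with JavaScript off), here is an added example written for this thread; it is not code from wikipp or CppCMS. The sample page is constructed, with a made-up submit URL standing in for `<%= submit %>`, and the stand-in for a browser's document.write and all function names are assumptions of this example.

```javascript
// Added example (not from wikipp or CppCMS): compares what a raw HTML scan sees
// with what a client that actually executes the page's scripts sees.

// Constructed sample: the snippet from the thread after the server has filled
// in <%= submit %> with a made-up URL, followed by the rest of the form.
const SAMPLE_PAGE = `
<p>Edit this page:</p>
<script type="text/javascript">
<!--
document.write('<for')
document.write('m actio')
document.write('n="')
document.write('/wiki/sandbox/edit/submit" me')
document.write('thod="po')
document.write('st">')
-->
</script>
<textarea name="content"></textarea>
<input type="submit" value="Save">
</form>
`;

// What a script-less scanner does: look for a <form> tag and its action in the
// bytes as served. Returns the action URL, or null when no form tag is present.
function formActionFromRawHtml(html) {
  const m = /<form\b[^>]*\baction\s*=\s*"([^"]*)"/i.exec(html);
  return m ? m[1] : null;
}

// What a browser does: run each inline script and let document.write append
// text at the script's position. A minimal stub, enough for this snippet.
function formActionAfterScripts(html) {
  const rendered = html.replace(/<script\b[^>]*>([\s\S]*?)<\/script>/gi, (_, body) => {
    // Browsers treat <!-- and --> inside a script element as comments; strip
    // them so the body is plain JavaScript for the Function constructor.
    const src = body.replace(/<!--/g, '').replace(/-->/g, '');
    let out = '';
    const document = { write: (s) => { out += s; } };
    new Function('document', src)(document);
    return out;
  });
  return formActionFromRawHtml(rendered);
}

// The cost Artyom mentions: with scripts disabled, the <form> tag never exists.
function formVisibleWithoutJavaScript(html) {
  return formActionFromRawHtml(html) !== null;
}
```

The raw scan returns null while the script-evaluating pass returns the submit URL, which is exactly the gap the trick relies on: a bot that evaluates scripts, or simply concatenates document.write arguments, closes it.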