Within text of my SOUR citation, I'd like to include words that actually are a hotlink to a website. But, without the ugly URL, rather <a href="yourdomain.com" target="_blank>YOUR DOMAIN</a> so that YOUR DOMAIN words can be clicked (and open in new window).
Am I dreaming that this would be a possibility (not 4.1.5, I know the drill....)?
Not possible. The gedcom spec doesn't support html because it isn't really designed as a web format. So any html you put in is going to be encoded as %XX. It's also something of a security risk to allow html in notes or sources without a very good sanitizing routine.
Ster'w right I'm afraid Mac. In the past it has been possible, but the security risk just isn't worth it.
If you are prepared for the security risk it is possible to have this in the Source record it self.
If you set up a source and put the link in the title as follows this will work
1 TITL <a href="http://your_website.com" target="_blank">A link to the website</a>
You shouldn't have told me that. I'll have to put a stop that behaviour.
Users should not be allowed to enter HTML.
One person's "convenience" is everyone else's security vulnerability.
I used to take advantage of that, but it had an unfortunate side-effect: You can't get to the PGV source.php?sid= page by clicking the title. So I changed mine to have a text title and
2 NOTE Online at http:......
I'm puzzled by some details, though. If PGV code makes a URI linkable, isnt the same security risk there? I mean if I somehow have access to insert
1 TITL <a href="something bad">something good</a>
and PGV sanitizes it, then what stops me from changing it to
1 TITL something bad
which PGV changes to
1 TITL <a href="something bad">something bad</a>
It's a LITTLE more secure, but people will still click on it.
And if a bad guy is changing my records, haven't I already lost the security battle?
We only convert things that look like URLs. Therefore there can't be any hidden script.
Suppose a user entered
If we just passed this to the browser, you'd get your pretty link - plus a nasty hidden payload.
<<And if a bad guy is changing my records, haven't I already lost the security battle? >>
Suppose a new user registers, claiming to be your fourth cousin, offering to add/update/correct some info in your tree, would you approve their account? Most people would. After all, you still need to approve his changes, right???
You should not allow non-admin users to write their own HTML on your server.
Explanation understood. Concur with "putting a stop to that behaviour." :-)
I revised things. Think what happened is when a SOUR is ADDED, you don't get the WWW field until you edit the SOUR. I forgot and therefore tried to add with the text. Didn't occur to me of security but now that you say it's so, will refrain from future endeavours. Thanks.
Can I assume using the WWW tag within the SOUR is okay? Or, is there a preferred way to enter a URL? I can't skip it in this instance as it takes you to the page that not only shows the source in entirety but acknowledges personal use is permitted.
Depending on the source I usually add the url in the Text field of the source and let PGV make it clickable. Or occasionally I put it in the Citation field.
Either way gives you a clickable link direct to the page you specified. No fuss, no muss.
At the moment, in 4.1.6, URLs in notes are turned into links by expand_urls(). Is this feature gone for 4.2, or am I misunderstanding this? And if it's OK to expand a URL in a note, why not in a source?
<<At the moment, in 4.1.6, URLs in notes are turned into links by expand_urls()>>
This is unchanged.
<<I misunderstanding this?>>
Possibly. It is the difference between the user entering a URL (which PGV will convert to a link) and the user entering HTML.
Thus, the user can enter
1 NOTE Details found in http://www.ancestry.com
But they shouldn't be allowed to enter
1 NOTE Details found in <a href="http://www.ancestry.com">Ancestry</a>
If we allow the latter, we open up a number of security vulnerabilities.
Oh, and this should now be blocked in SVN (sorry Warren!)
If you find anywhere else that allows a user to enter HTML, please post a bug report for it.
>Possibly. It is the difference between the user entering a URL (which PGV will convert to a link) and the user entering HTML.
OK, on re-reading the O.P. I see the difference. Still, two observations:
1) the target="_blank" bit caught my eye. The expand_urls() function seems to have this but the resultant URLs don't. Would be nice.
2) URLs in sources (publication field) aren't expanded while URLs in notes are.
<<2) URLs in sources (publication field) aren't expanded while URLs in notes are. >>
Raise a feature request for this....
> Raise a feature request for this....
Done. What about the first part? Are the URLs supposed to be _blank?
Anton: correct syntax would be <http://yourdomain.com" target="_blank"> which forces a new window to open with the URL, rather than using the existing window.
All said in done, I vote for security over the URL! Browsers/email are more intelligent today so even skipping the http:// can still create a valid URL. So, how crippled should a URL be to not create a hyperlink? It's easy to say "see Ancestry.com" but many URLs are written with complex addresses.
OK, on the _blank question it turns out I was just having a browser issue. FF is reusing windows even when the _blank is specified, but in IE I get the expected behavior.
Still wish the URLs in 1 SOUR records were expanded...
As for the question of having clickable URLs at all, seems to me that PGV's approach is good. If PGV can only write basic URLs (with the _blank target, nothing more complicated than that) it seems reasonably safe. If the website in the URL has some nasty payload, that's beyond what PGV can influence but safe surfing is up to the user.
If I have a URL in a record, I want it to be clickable. If I didn't want it to be clickable, I wouldn't write it out. If browsers make links out of shortened versions, well, theoretically a browser could see that it was on a genealogy website and make a link out of every occurrence of the words ancestry or genealogy. I don't see a need to fight that; if a browser is making bad decisions it will fall out of use.
"theoretically a browser could see that it was on a genealogy website and make a link out of every occurrence of the words ancestry or genealogy"
And what would it link to?
I'd personally prefer that "www.ancestry.com" not be gratuitously turned into a link, but I understand.
And if "ancestry" in the URI field is gets www and .com added, I can understand that, too.
But for a browser to make wild guesses out of normal words in normal text, that's completely absurd.
I'm not advocating any kind of browser 'intelligence'. That's who I avoid IE now. :)
I'm just saying that I think PGV's existing URL treatment is a fine compromise between security and functionality, and that whatever a browser or browser extension does (same way an email client might) is not a concern.
I'm not advocating any kind of browser 'intelligence'. That's why I avoid IE now. :)
How about "forum intelligence" ?
I did NOT put the http in my post. I only put the domain name, intending to discuss how some browsers will automatically try "www" and "http" if something looks like a domain name.
It never occurred to me that this #$^%& forum would make it clickable AND add those for the viewer!
<<Still wish the URLs in 1 SOUR records were expanded... >>
I think they are. e.g.
1 SOUR @S123@
2 PAGE This is expanded: http://www.example.com/page.html
4 TEXT This too: http://www.example.com/page.html
Hmm, doesn't happen for me. See if you can see this:
Why not use
1 WWW url
1 PUBL url
Sign up for the SourceForge newsletter:
You seem to have CSS turned off.
Please don't fill out this field.