[thelist] unsubscribe

sep3715 sep3715 at adelphia.net
Fri Jan 18 00:34:33 CST 2002


----- Original Message -----
From: <thelist-admin at lists.evolt.org>
To: <thelist at lists.evolt.org>
Sent: Wednesday, January 16, 2002 10:28 AM
Subject: thelist digest, Vol 2 #1914 - 42 msgs




Send thelist mailing list submissions to
thelist at lists.evolt.org

To subscribe or unsubscribe via the web, visit
http://lists.evolt.org/mailman/listinfo/thelist
You can reach the person managing the list at
thelist-admin at lists.evolt.org

When replying, please edit your Subject line so it is more specific than
"Re: Contents of thelist digest..."


Today's Topics:

  1. Automatic calendar in a table script - revisited in PHP (Nicole Parrot)
  2. Re: Tomcat for dummies? pt2 (Dean Mah)
  3. Re: Tomcat for dummies? pt2 (CDitty)
  4. The URL SemiColon Exploit (Dan Slater)
  5. Re: The URL SemiColon Exploit (Warden, Matt)
  6. RE: The URL SemiColon Exploit (Eric Engelmann)
  7. Re: CSS: IE vs. Mozilla (Eöl)
  8. CSS Input Borders (IA Lists)
  9. Re: @import hack (was Re: [thelist] Form CSS styles) (kristina)
  10. Re: Searching for Visual HTML Editor for Novices (Keith)
  11. Re: A question of <div>s [newbie] (Mark Howells)
  12. Re: CSS Input Borders (Mark Howells)
  13. RE: Form CSS styles (DESCHAMPS =?iso-8859-1?Q?St=E9phane?= DvSI/SICoR)
  14. Re: CSS: IE vs. Mozilla (Peter-Paul Koch)
  15. Re: The URL SemiColon Exploit (Damian Maclennan)
  16. Re: CSS: IE vs. Mozilla (Liorean)
  17. The .NET Framework has been released. (Don Makoviney)
  18. HTML question <dummy> (Peter Van Dijck)
  19. Re: HTML question <dummy> (Peter Van Dijck)
  20. picture galleries (the head lemur)
  21. RE: HTML question <dummy> (DESCHAMPS =?iso-8859-1?Q?St=E9phane?=
DvSI/SICoR)
  22. OT: Netware 3.12 and 6 (the head lemur)
  23. Re: HTML question <dummy> (josh)
  24. Re: HTML question <dummy> (Peter Van Dijck)
  25. Re: HTML question <dummy> (Anne Thorniley)
  26. Re: HTML question <dummy> (Mark Howells)
  27. RE: HTML question <dummy> (Chris Price)
  28. Re: CSS Input Borders (MRC)
  29. Any Ideas (Paul Backhouse)
  30. RE: CSS Input Borders (Paul Backhouse)
  31. Re: HTML question <dummy> (Mark Howells)
  32. Re: Any Ideas (Bob Haroche)
  33. RE: HTML question <dummy> (.jeff)
  34. RE: Any Ideas (Paul Backhouse)
  35. RE: Any Ideas (Paul Backhouse)
  36. RE: Searching for Visual HTML Editor for Novices (Chris Price)
  37. www.deltasynergy.com (Burhan Khalid)
  38. skipping 'hx' levels is bad (was Re: icons for the tip harvester (was
Re: [thesite] Re: [***forum] page) (spinhead)
  39. Re: skipping 'hx' levels is bad (rudy)
  40. skipping hx levels (was Re: icons for the tip harvester (was Re:
[thesite] Re: [***forum] page) (spinhead)
  41. RE: The URL SemiColon Exploit (.jeff)
  42. Important for the Laid-off Americans (Ben Dyer)

--__--__--

Message: 1
From: "Nicole Parrot" <nicole at parrot.ca>
To: <thelist at lists.evolt.org>
Date: Tue, 15 Jan 2002 23:18:16 -0500
charset="iso-8859-1"
Subject: [thelist] Automatic calendar in a table script - revisited in PHP
Reply-To: thelist at lists.evolt.org

Last week, .jeff published his algorithm to create a calendar using only one
loop.
Turns out I needed something like that for another project, but not in Cold
Fusion. So I translated it to PHP. I'm interested in "code reviews" from PHP
knowledgeable people, cause I translated from a language I have never seen
before to a language I've just started learning. It does work, though!
;-)

Here's the PHP code, if anyone is interested. No strings attached.
There's one noticeable change to the algorithm that .jeff published. His was
meant to have an equal number of rows for each month, regardless of the
number of days in the month, so they would look side by side. Since I'm only
drawing one month at a time, the potential extra row looked weird, so it got
removed.

<?php

function DayOfWeek($month,$year)
{
$firstofthemonth = strtotime("$month/01/$year");
$firstofthemonthArray = getdate($firstofthemonth);
$startday = $firstofthemonthArray['wday'];
return $startday;
}

function DaysInMonth($month, $year)
{
 for ($i = 31; $i > 0; $i--) {
  if (checkdate($month, $i, $year)) {
   return $i;
  }
 }
 return 0;
}

function DrawCalendar($month, $year)
{
 $DateArray = getdate(strtotime("$month/01/$year"));

 echo ("<table border=1> \n");
 echo ("<tr><td colspan=\"7\" align=\"center\">\n");
 echo $DateArray['month']." ".$year;
 echo ("</td></tr>\n");
 echo ("<tr>");
 echo ("<td width=\"15%\" align=\"center\">Sunday</td>");
 echo ("<td width=\"14%\" align=\"center\">Monday</td>");
 echo ("<td width=\"14%\" align=\"center\">Tuesday</td>");
 echo ("<td width=\"14%\" align=\"center\">Wednesday</td>");
 echo ("<td width=\"14%\" align=\"center\">Thursday</td>");
 echo ("<td width=\"14%\" align=\"center\">Friday</td>");
 echo ("<td width=\"15%\" align=\"center\">Saturday</td>");
 echo ("</tr>\n");

  $dayofweek = DayOfWeek($month, $year);
  $daysinmonth = DaysInMonth($month, $year);
  $lastcell = ( ceil(($daysinmonth + $dayofweek) / 7 )*7 );
  for($i = 0; $i < $lastcell; $i = $i + 1)
  {
    if( $i % 7 == 0)
      echo ("<tr>\n");
    if($i < $dayofweek OR $i > $daysinmonth + $dayofweek -1)
      echo ( "<td>&nbsp;</td>\n");
    else
    {
      $date = $i - $dayofweek +1;
      echo("<td>$date</td>\n");
    }
    if( (($i+1)%7) == 0)
        echo("</tr>");
 }
  echo ("</table>\n");
}

// this will draw the whole 2002 year as a proof that it works .
for ($i = 1; $i <=12; $i++)
{
 DrawCalendar($i,2002);
 echo "<br />\n\n";
}
?>


--__--__--

Message: 2
From: Dean Mah <dmah at shaw.ca>
Subject: Re: [thelist] Tomcat for dummies? pt2
To: thelist at lists.evolt.org
Date: Tue, 15 Jan 2002 21:21:59 -0700 (MST)
Reply-To: thelist at lists.evolt.org

Take a look at:

   http://jakarta.apache.org/tomcat/tomcat-4.0-doc/proxy-howto.html

which is the proxy support information that you are looking for.

Dean


CDitty writes:

> Thanks for the direct point to it.  I was rather ill that morning
> when I was attempting this and was trying to do it the hard way.
> New question.....
>
> I have installed apache, php, mysql and tomcat.  All works fine with
> the exception of tomcat.  It works fine on port 8080, but I would
> like it to work on post 80.  I have searched google, but can't
> anything that helps.

--__--__--

Message: 3
Date: Tue, 15 Jan 2002 22:26:56 -0600
To: thelist at lists.evolt.org
From: CDitty <mail at redhotsweeps.com>
Subject: Re: [thelist] Tomcat for dummies? pt2
Reply-To: thelist at lists.evolt.org

Thanks.  I'll check it out in the am.

Chris

At 10:21 PM 1/15/2002, you wrote:
>Take a look at:
>
>    http://jakarta.apache.org/tomcat/tomcat-4.0-doc/proxy-howto.html
>
>which is the proxy support information that you are looking for.
>
>Dean
>
>
>CDitty writes:
>
> > Thanks for the direct point to it.  I was rather ill that morning
> > when I was attempting this and was trying to do it the hard way.
> > New question.....
> >
> > I have installed apache, php, mysql and tomcat.  All works fine with
> > the exception of tomcat.  It works fine on port 8080, but I would
> > like it to work on post 80.  I have searched google, but can't
> > anything that helps.
>
>--
>For unsubscribe and other options, including
>the Tip Harvester and archive of TheList go to:
>http://lists.evolt.org Workers of the Web, evolt !


--__--__--

Message: 4
From: "Dan Slater" <dan_slater at imaginuity.com>
To: <thelist at lists.evolt.org>
Date: Tue, 15 Jan 2002 14:48:38 -0600
charset="iso-8859-1"
Subject: [thelist] The URL SemiColon Exploit
Reply-To: thelist at lists.evolt.org

Hi all,

I've been wrestling with this problem for some time now.

In case you didn't know, there's a way to pass any SQL Server command via
the URL by simply adding a semicolon at the end of the address, followed by
the SQL command.  Apparently it only works if you pass a URL parameter
first. (example:  mysite.com?thisVar=True)

Trying to prevent this exploit has proven to be quite a challenge.

One option is to create a brand new user (as the cold fusion login to the
datasource(s) and only grant certain priveleges to that user.  A great idea,
but seemingly impossible to implement given my limited ability as a SQL
Server DBA.

The other option I explored was to create two of each DSN and grant only
SELECT, UPDATE, INSERT permissions to one, while the other DSN was unlimited
in ability - but only available to administrative pages.  The problem with
this is that the site i'm trying to fix has made extensive use of stored
procedures.  I can give the DSN permission to execute stored procedures -
but that would then allow a malicious user to execute several "bad" SP's.

The third option, and i think the best.  Is to check for the existence of a
semicolon on every page load, and handle it there.

To that end, i've added the following code in the root dirs application.cfm:

<cfset BadChar=";">
<cftry> <!--- Require CH_Number --->
<cfif ListContains(cgi.query_string,BadChar,1) NEQ 0>
<cfthrow message="Invalid Operation">
</cfif>
<cfcatch>
<h1>Invalid Operation!!!!</h1>
<a href="http://www.thehomepage.com">Back to the homepage!</a>
<cfabort>
</cfcatch>
</cftry>

Basically, i'm just checking the url for any semicolons, and if found, let
the user know what the issue is, provide them with a link to the homepage
and abort the rest of the page loading.

Does this sound like a good way to defeat the use of the semicolon exploit?
Since i've found no other examples of this "technique" - i'm wondering if
i'm missing something here that could easily defeat my "fix".

Thanks in advance,


Dan Slater


--__--__--

Message: 5
Date: Wed, 16 Jan 2002 01:01:44 -0500 (EST)
From: "Warden, Matt" <mwarden at mattwarden.com>
To: thelist at lists.evolt.org
Subject: Re: [thelist] The URL SemiColon Exploit
Reply-To: thelist at lists.evolt.org

On Jan 15, Dan Slater had something to say about [thelist] The URL...

...
>In case you didn't know, there's a way to pass any SQL Server command via
>the URL by simply adding a semicolon at the end of the address, followed by
>the SQL command.  Apparently it only works if you pass a URL parameter
>first. (example:  mysite.com?thisVar=True)

If you're talking about what I THINK you're talking about, some things
need to be clarified.

The "exploit" is really due to some sloppy coding. For instance (and I'll
try to get this into CF syntax, but don't assume it's correct):

<cfquery name="foo" datasource="#bar#>
SELECT foo, bar
FROM fubar
where rudy=#url.rudy#
</cfquery>

Looks harmless, right?

If the URL is http://mydomain.com/733t/hax0rz.cfm?rudy=12
then foo's SQL would be:

SELECT foo, bar
FROM fubar
where rudy=12

Like I said, harmless, right?

Well, consider a URL like this:

http://mydomain.com/733t/hax0rz.cfm?12;DROP%20TABLE%20fubar

Now, foo's SQL would be:

SELECT foo, bar
FROM fubar
where rudy=12;DROP TABLE fubar

a semicolon separates sql statements, so this is really two statements:

SELECT foo, bar FROM fubar where rudy=12
DROP TABLE fubar

uh oh. your table's gone.

I usually have a function called sqlstring() (or, as sgd usually calls
his: ReplaceTicks()) that replaces all the bad sql characters with either
their escaped equivalents or with nothing at all (i.e. deleting that
character). i'm not sure how to do functions in CF, so I'll leave that up
to you. but, yeah, you were on the right track when you wanted to stop the
semicolon from being a part of your sql.

--
mattwarden
mattwarden.com


--__--__--

Message: 6
From: "Eric Engelmann" <eric at geonetric.com>
To: <thelist at lists.evolt.org>
Subject: RE: [thelist] The URL SemiColon Exploit
Date: Wed, 16 Jan 2002 01:26:33 -0600
charset="iso-8859-1"
Reply-To: thelist at lists.evolt.org

<snip>
there's a way to pass any SQL Server command via
the URL by simply adding a semicolon at the end of
the address, followed by the SQL command.
</snip>

To be clear for any newbie-types that might misconstrue that, your
ASP/CF/PHP/Whatever script has to be using a URL variable in a SQL
statement. Just typing this type of stuff in any old URL won't do anything
to your SQL Server.

<snip>
while the other DSN was unlimited in ability - but only available to
administrative pages.
</snip>

Is there ANY reason why ANY web-based user should have admin rights to drop
tables, etc? Most web apps don't ever need this power. Removing DROP, DELETE
etc. from any web-accessible user privilege can help minimize damage, but
UPDATE is almost as powerful.

<snip>
Does this sound like a good way to defeat the use of the semicolon exploit?
</snip>

Not really.

The problem is mostly sloppy coding as Matt points out.

Additional Problems:
--------------------
* There are other characters, too, that can be used (though I don't recall
the list exactly, I think the pipe char |, apostrophes and semicolons were
common ways to try to mess with various dbs and SQL strings). You might also
have to check for the various encoded versions of these characters, like %36
or whatever the encoded chars might be.
* Not just querystring, although this is easiest. Its possible to do the
same thing via a Form, Cookie or any other user-input mechanism if you've
coded your site to use those input methods.
* this is not just SQL Server. It will work, I think, with any SQL database
if you're executing dynamically constructed SQL statements created by script
and the user has the proper permission level.

You can prevent this, in general, by:
-------------------------------------
* Don't concatenate SQL Strings in your script and execute them!!! Use
stored procedures, pass typed parameters.
* Validating all input (e.g. if you expect an integer, make sure you get
one)
* Keeping your server patched (e.g. if you are vulnerable to file read
vulnerabilities in IIS, for example, your DSN info or logic in
application.cfm may be visible, passwords if they're in there, to script
kiddies)
* Turn off error display to end users. (e.g. Why tell your hacker friends
your SQL syntax:

SQL=select headline from tblnews where itemid=123a
Line 1: Incorrect syntax near 'a'.

)
* Never use .inc as a file extension (or any other non-parsed ext)  for any
db/script stuff unless you map it to cold fusion, ASP etc. Its SO easy to
hunt down db logic in random text-based files that aren't parsed. This gives
the hacker your db structure, SQL statements, and possibly connection info.
* Modifying SQL permissions so that the Internet user only has SELECT,
UPDATE or INSERT rights, as needed.
* Cache db info in RAM, so users aren't actually hitting the db, and cache
updates happen programmatically, not in response to user request (depends on
your application, may not be an option).
* Protecting your server with a filter (if you're using IIS, install the
URLScan utility, alone or as part of the lockdown wizard:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
tools/tools.asp )

<sidenote related="kinda">
Its scary to have IIS with URLScan on a freshly formatted box, and watch
within minutes of plugging it into the 'net how many Code-Red-type variants
ping your box looking for vulnerabilities! Typically hundreds of them in the
first couple of hours. IIS deserves its reputation, and URLScan has been a
much needed tool.
</sidenote>

I'm not sure that checking every URL is the best way to do this, sounds like
a performance drain (if that's what you're doing, I'm not a CF-type guy).
Instead, as Matt says, just run a CheckInput function that cleans up any
provided input from QueryString, Form, cookie or other variables ONLY on the
pages that would use it. There's lots of reasons you might pass a semicolon
in the URL in day-to-day web programming.

Sorry this turned into such a book! Hope its helpful.

- Eric





--__--__--

Message: 7
Date: Tue, 15 Jan 2002 23:53:53 -0800 (PST)
From: "Eöl" <eol1 at yahoo.com>
Reply-To: eol1 at yahoo.com
Subject: Re: [thelist] CSS: IE vs. Mozilla
To: thelist at lists.evolt.org
Reply-To: thelist at lists.evolt.org

Michael,

A couple things.

A) try cleaning up your warning.  Mozilla likes clean
code.

http://jigsaw.w3.org/css-validator/validator?uri=http%3A%2F%2Fwww.michaelbuf
fington.com%2Fcss.html&warning=1&profile=css2

B) make an actually proper html file out of it,
Mozilla likes those proper also (dtd's and such)

Now the actual coding:

1: invalid HTML causing quirks mode, yes Mozilla is
that picky, no that is not a bad thing

2: using <div>s instead of spans makes no sense

3: width: ??px; and display: inline; aren't compatible
when the inline is non-replaced (i.e. just text)...

4: making a table out of divs is not a good idea when
the thing you're making is actually a table which it
seems to be in this case, tell them that (notes 1-4
are from an irc buddy and amazing web developer
dave-e)

try fixing this and see if it works,

Eöl


--- Michael Buffington <mike at stirlingbridge.com>
wrote:
> I spent a lot of time to get the following URL to
> look fantastic in IE
> 6.0, only to have my bubble violently burst by
> Mozilla 0.9.7.
>
> http://www.michaelbuffington.com/css.html
>
> Up until this project I've been pretty successful in
> having Mozilla
> display identically to IE, but this time it seems
> Mozilla has done
> everything it can to interpret my CSS entirely
> differently.
>
> I'm looking for reasons as to why there is such a
> huge difference, and
> when all is said and done, I'm looking for a way to
> use CSS with <DIV>s
> to accomplish what IE displays so nicely.
>
> One thing I've noticed is that when I remove
> display:inline; from the
> columns, Mozilla begins obeying the width
> specifications. Obviously I
> need to display:inline;, so that's not a good
> solution, but it is
> interesting.
>
> Michael Buffington
> ColdFusion 5.0 Developer's Guide ISBN:072132256
> Macromedia Certified ColdFusion 5.0 Developer
> http://www.michaelbuffington.com
>
>
>
> --
> For unsubscribe and other options, including
> the Tip Harvester and archive of TheList go to:
> http://lists.evolt.org Workers of the Web, evolt !


__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/

--__--__--

Message: 8
From: "IA Lists" <lists at interanalysis.com.au>
To: <thelist at lists.evolt.org>
Date: Wed, 16 Jan 2002 18:59:13 +1100
charset="iso-8859-1"
Subject: [thelist] CSS Input Borders
Reply-To: thelist at lists.evolt.org

Hi All

I have a text box that is displaying with no border in IE6, but is
displaying with a border in NN6 (let alone NN4.x):

input.contactform { border:0px;
background-color:#90d8b9;
font-family:Arial, Helvetica, sans-serif;
font-size:9pt;
font-weight:normal;}

Does anyone have any ideas?



--__--__--

Message: 9
Date: Wed, 16 Jan 2002 08:17:52 +0000
From: kristina <kristina at kfx-design.co.uk>
Reply-To: kristina <kristina at kfx-design.co.uk>
To: thelist at lists.evolt.org
Subject: Re: @import hack (was Re: [thelist] Form CSS styles)
Reply-To: thelist at lists.evolt.org

Lachlan,

on Wednesday, January 16, 2002, 3:26:47 AM, Lachlan wrote:

::
> (BTW, this trick using Tantek's hack was used at the site
> design for checking I posted earlier. Go there to see if it
> works with your NN4, and test it for me while you're there
> please ;)

> http://members.evolt.org/luminosity/test/compose.html )
::

email.js seems to be missing, so as a result N4.7 is choking....

I tried IE5.5 and that is working ok, though I tried to open email.js
and it isn't there.

--
hth
 kristina

kristina at kfx-design.co.uk


--__--__--

Message: 10
From: "Keith" <cache at dowebs.com>
To: thelist at lists.evolt.org
Date: Tue, 15 Jan 2002 17:22:06 -0700
Subject: Re: [thelist] Searching for Visual HTML Editor for Novices
Reply-To: thelist at lists.evolt.org

Hi John

> I'm attempting to find a simple editor for webpages.  This editor
> would not actually change the structure of the page.  It would, in
> fact, leave each and every tag in it's place.  It would, however,
> allow for the editing of the text on the page without the need of
> knowing any HTML.  It would also need to be visual, so that people who
> do not understand HTML would be able to use it.
>
> I am the lone Web Developer here, and I would sorely like to fend off
> some of the editing of text to others, but the editors they use tend
> to change the formating (both in the code and the visual layout).  I'm
> desperate for a simple visual editor that doesn't change the code.
>
> Any leads would be appreacited.

<shameless self-promotion>
http://WebSitePad.com
</shameless self-promotion>

The Lite Version fits your description.

keith


--__--__--

Message: 11
Date: Wed, 16 Jan 2002 09:33:49 +0100
Subject: Re: [thelist] A question of <div>s [newbie]
From: Mark Howells <mark at mountain.ch>
To: thelist at lists.evolt.org
Reply-To: thelist at lists.evolt.org

You can work around this problem by placing <br clear="all" /> before
the paragraph tag. This still validates in XHTML Transitional and works
in all (?) browsers.

Regards
Mark Howells
<http://www.mark.ac>

Am Mittwoch den, 16. Januar 2002, um 03:04, schrieb Dan C:

> [ http://neoflux.net/ ],
> I have been unable to figure out how to place an item reliably below
> the bottom of the extending div. It  seems that only the bottom of the
> containing div counts when placing things outside the div, and text
> gets sucked up to the outside right edge of the page.


--__--__--

Message: 12
Date: Wed, 16 Jan 2002 09:38:20 +0100
Subject: Re: [thelist] CSS Input Borders
From: Mark Howells <mark at mountain.ch>
To: thelist at lists.evolt.org
Reply-To: thelist at lists.evolt.org

I don't think that you can reliably control all parts of form fields
using CSS, as they form part of the browser interface rather than the
page. The only thing that you could try would be to make the colour of
the border the same as the page background, which will make it disappear.

Regards
Mark Howells
<http://www.mark.ac>

Am Mittwoch den, 16. Januar 2002, um 08:59, schrieb IA Lists:

> Hi All
>
> I have a text box that is displaying with no border in IE6, but is
> displaying with a border in NN6 (let alone NN4.x):
> [snip]
> Does anyone have any ideas?


--__--__--

Message: 13
Reply-To: "DESCHAMPS =?iso-8859-1?Q?St=E9phane?= DvSI/SICoR"
<stephane.deschamps at francetelecom.com>
From: "DESCHAMPS =?iso-8859-1?Q?St=E9phane?= DvSI/SICoR"
<stephane.deschamps at francetelecom.com>
To: <thelist at lists.evolt.org>
Subject: RE: [thelist] Form CSS styles
Date: Wed, 16 Jan 2002 09:41:58 +0100
charset="us-ascii"
Reply-To: thelist at lists.evolt.org

> I'm looking for examples of nice form styling using CSS.
>
> I've looked at glish, bluerobot, and alistapart but most CSS
> examples and
> tutorials appear to focus on columns, boxes and text styling,
> which is
> great, but I'm looking to make my forms more visually appealing.  The
> default formatting for forms (try saying that 5 times fast)
> is pretty ugly,
> especially the buttons.  I know that I could replace the buttons with
> images, but I prefer having buttons where possible since then I get
> name/value pairs passed.
>
> So I'm looking for good code to steal ;-)
>
> Anyone have any examples that they'd like to share?

There's something awfully nice done by Lance Arthur on www.glassdog.com with
a nice onfocus/onblur effect too. (I think it's a "subscribe" pad -- off the
top of my head, no internet at the office)

That guy is a HTML genius. Remember the framed glassdog? Mmmh, pure
enjoyment :-)

s t e f
[ nota-bene.org ]


--__--__--

Message: 14
From: "Peter-Paul Koch" <gassinaumasis at hotmail.com>
To: thelist at lists.evolt.org
Subject: Re: [thelist] CSS: IE vs. Mozilla
Date: Wed, 16 Jan 2002 09:28:43 +0000
Reply-To: thelist at lists.evolt.org




>I spent a lot of time to get the following URL to look fantastic in IE
>6.0, only to have my bubble violently burst by Mozilla 0.9.7.
>
>http://www.michaelbuffington.com/css.html
>
>Up until this project I've been pretty successful in having Mozilla
>display identically to IE, but this time it seems Mozilla has done
>everything it can to interpret my CSS entirely differently.
>
>I'm looking for reasons as to why there is such a huge difference, and
>when all is said and done, I'm looking for a way to use CSS with <DIV>s
>to accomplish what IE displays so nicely.
>
>One thing I've noticed is that when I remove display:inline; from the
>columns, Mozilla begins obeying the width specifications. Obviously I
>need to display:inline;, so that's not a good solution, but it is
>interesting.

In fact it's the reason why it doesn't work in Mozilla. The element is not a
block, so it shouldn't have width, height or borders, it should just fit the
content. IE5.0 has the same, BTW, so I assume there your CSS doesn't work
either.

What you're trying to do is much better done by an old-fashioned table. I
understand that you're trying to get away from it but this is one of the few
cases where it's still useful. After are, you *are* presenting tabular data.

Another solution would be to use display: table, table-row and table-cell
but these are badly supported.

In short: I think you're using the wrong display for this specific task.

ppk

_________________________________________________________________
Join the world's largest e-mail service with MSN Hotmail.
http://www.hotmail.com


--__--__--

Message: 15
From: "Damian Maclennan" <damian_mac at hotmail.com>
To: thelist at lists.evolt.org
Subject: Re: [thelist] The URL SemiColon Exploit
Date: Wed, 16 Jan 2002 11:38:32
Reply-To: thelist at lists.evolt.org

Hi

You also want to filer out apostrophes. But the best way to prevent this is
to use stored procedures with paramters instead of dynamic SQL. This will
solve 99% of your problems.

Damian


>From: "Dan Slater" <dan_slater at imaginuity.com>
>Reply-To: thelist at lists.evolt.org
>To: <thelist at lists.evolt.org>
>Subject: [thelist] The URL SemiColon Exploit
>Date: Tue, 15 Jan 2002 14:48:38 -0600
>
>Hi all,
>
>I've been wrestling with this problem for some time now.
>
>In case you didn't know, there's a way to pass any SQL Server command via
>the URL by simply adding a semicolon at the end of the address, followed by
>the SQL command.  Apparently it only works if you pass a URL parameter
>first. (example:  mysite.com?thisVar=True)
>
>Trying to prevent this exploit has proven to be quite a challenge.
>
>One option is to create a brand new user (as the cold fusion login to the
>datasource(s) and only grant certain priveleges to that user.  A great
>idea,
>but seemingly impossible to implement given my limited ability as a SQL
>Server DBA.
>
>The other option I explored was to create two of each DSN and grant only
>SELECT, UPDATE, INSERT permissions to one, while the other DSN was
>unlimited
>in ability - but only available to administrative pages.  The problem with
>this is that the site i'm trying to fix has made extensive use of stored
>procedures.  I can give the DSN permission to execute stored procedures -
>but that would then allow a malicious user to execute several "bad" SP's.
>
>The third option, and i think the best.  Is to check for the existence of a
>semicolon on every page load, and handle it there.
>
>To that end, i've added the following code in the root dirs
>application.cfm:
>
><cfset BadChar=";">
><cftry> <!--- Require CH_Number --->
> <cfif ListContains(cgi.query_string,BadChar,1) NEQ 0>
> <cfthrow message="Invalid Operation">
> </cfif>
> <cfcatch>
> <h1>Invalid Operation!!!!</h1>
> <a href="http://www.thehomepage.com">Back to the homepage!</a>
> <cfabort>
> </cfcatch>
></cftry>
>
>Basically, i'm just checking the url for any semicolons, and if found, let
>the user know what the issue is, provide them with a link to the homepage
>and abort the rest of the page loading.
>
>Does this sound like a good way to defeat the use of the semicolon exploit?
>Since i've found no other examples of this "technique" - i'm wondering if
>i'm missing something here that could easily defeat my "fix".
>
>Thanks in advance,
>
>
>Dan Slater
>
>
>--
>For unsubscribe and other options, including
>the Tip Harvester and archive of TheList go to:
>http://lists.evolt.org Workers of the Web, evolt !




_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.


--__--__--

Message: 16
Date: Wed, 16 Jan 2002 13:15:23 +0100
To: Evolt Thelist <thelist at lists.evolt.org>
From: Liorean <Liorean at user.bip.net>
Subject: Re: [thelist] CSS: IE vs. Mozilla
Reply-To: thelist at lists.evolt.org

At 18:35 2002-01-15 -0800, Michael Buffington wrote:
>I spent a lot of time to get the following URL to look fantastic in IE
>6.0, only to have my bubble violently burst by Mozilla 0.9.7.
>
>http://www.michaelbuffington.com/css.html


Try changing the document from quirks into standards mode and look at it.
Does it still behave the same? No? Thoughts so...

You are better off using block boxes with float to achieve the same effect.

(
The best doctype to use for toggling standards mode in IE5 Mac, IE6, Moz
is  the XHTML1.0 Strict:
<!DOCTYPE html
      PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
)

>Up until this project I've been pretty successful in having Mozilla
>display identically to IE, but this time it seems Mozilla has done
>everything it can to interpret my CSS entirely differently.

Use standards mode and you'll have much bigger resemblance between the
browsers.

>I'm looking for reasons as to why there is such a huge difference, and
>when all is said and done, I'm looking for a way to use CSS with <DIV>s
>to accomplish what IE displays so nicely.

Might be hard if you want IE 5/5.5 Win compatibility. But for
Opera/Konqueror/Mozilla/IE5 Mac/IE6 Win compatibility disregarding IE 5.x
for windows it's somewhat simpler.

>One thing I've noticed is that when I remove display:inline; from the
>columns, Mozilla begins obeying the width specifications. Obviously I
>need to display:inline;, so that's not a good solution, but it is
>interesting.

"display: inline;" is supposed to ignore width and height. If it doesn't in
one browser or the other, then that browser is at fault with the CSS Rec.
CSS3 will probably mend this by adding an "inline-block" value which
basically calculates the box model as were it relatively positioned block,
but regards that entire block like were it inline (such a mode as images
through all times have been displayed in).



 From the CSS2 Rec:
>10.3.1 Inline, non-replaced elements
>
>The 'width' property does not apply. A specified value of 'auto' for
>'left', 'right', 'margin-left' or 'margin-right' becomes a computed value
>of '0'.

>10.6.1 Inline, non-replaced elements
>
>If 'top', 'bottom', 'margin-top', or 'margin-bottom' are 'auto', their
>computed value is 0. The 'height' property doesn't apply, but the height
>of the box is given by the 'line-height' property.


--__--__--

Message: 17
Reply-To: "Don Makoviney" <don at aspalliance.com>
From: "Don Makoviney" <don at aspalliance.com>
To: <thelist at lists.evolt.org>
Date: Wed, 16 Jan 2002 08:45:28 -0500
charset="iso-8859-1"
Subject: [thelist] The .NET Framework has been released.
Reply-To: thelist at lists.evolt.org

Just thought some of you would like to know that the .NET Framework v1.0 was
released for download from Microsoft today.

I have been programming with .NET Beta for almost a year now, and love how
much faster (development-wise and speed-wise) it is than Classic ASP.

There is a really cool SDK with it with web examples of how to program
websites with ASP.NET.

Download:
http://www.asp.net

SDK Download:
http://www.asp.net


Enjoy!

Don Makoviney

MAKOVISION.COM | http://www.makovision.com

Get the #1 WebDev/Usability Newsletter
"Cutting Through The Crap"
http://www.makovision.com/subs/


--__--__--

Message: 18
From: "Peter Van Dijck" <peter.vandijck at vardus.com>
To: <thelist at lists.evolt.org>
Date: Wed, 16 Jan 2002 14:13:32 -0000
charset="iso-8859-1"
Subject: [thelist] HTML question <dummy>
Reply-To: thelist at lists.evolt.org

A simple HTML question:
we have a link like this:
<a href="#"
onclick="javascriptarent.popwin('#request.self#/fa/#fusebox.thisCircuit#..sh
owRules&competitionID=#competitionGetDetail1.competitionId#&suppressLayout=t
rue');">competition rules</a>

When you click it it pops up the window nicely but also jumps to the anchor
tag,which we don't want. If I remove the href, the cursor doesn't show the
little hand when you mouseover. I don't want to use CSS to show that hand
because that will work in not many browsers.

Surely there must be a way to have the hand show up without using the href.
How do you guys sove this?

Peter



--__--__--

Message: 19
From: "Peter Van Dijck" <peter.vandijck at vardus.com>
To: <thelist at lists.evolt.org>
Subject: Re: [thelist] HTML question <dummy>
Date: Wed, 16 Jan 2002 14:15:26 -0000
charset="iso-8859-1"
Reply-To: thelist at lists.evolt.org

> When you click it it pops up the window nicely but also jumps to the
anchor
> tag,which we don't want.

The real problem is that we have a base href tag defined in ColdFusion that
prepends a url to that anchor, so the page actually jumps somewhere else.
Peter


--__--__--

Message: 20
From: "the head lemur" <headlemur at clearskymail.com>
To: "!Evolt" <thelist at lists.evolt.org>
Date: Wed, 16 Jan 2002 07:25:39 -0700
charset="iso-8859-1"
Subject: [thelist] picture galleries
Reply-To: thelist at lists.evolt.org

the Linux Journal has an article on picture galleries.
http://www.linuxjournal.com/article.php?sid=5717

PHP and Apache toys needed.




--__--__--

Message: 21
Reply-To: "DESCHAMPS =?iso-8859-1?Q?St=E9phane?= DvSI/SICoR"
<stephane.deschamps at francetelecom.com>
From: "DESCHAMPS =?iso-8859-1?Q?St=E9phane?= DvSI/SICoR"
<stephane.deschamps at francetelecom.com>
To: <thelist at lists.evolt.org>
Subject: RE: [thelist] HTML question <dummy>
Date: Wed, 16 Jan 2002 15:32:40 +0100
charset="iso-8859-1"
Reply-To: thelist at lists.evolt.org

in your onclick add return false; at the end
So you have : <a href="#" onclick="yourcomplicatedScript(); return false;">

HTH
stef

> -----Message d'origine-----
> De : thelist-admin at lists.evolt.org
> [mailto:thelist-admin at lists.evolt.org]De la part de Peter Van Dijck
> Envoyé : mercredi 16 janvier 2002 15:15
> À : thelist at lists.evolt.org
> Objet : Re: [thelist] HTML question <dummy>
>
>
> > When you click it it pops up the window nicely but also jumps to the
> anchor
> > tag,which we don't want.
>
> The real problem is that we have a base href tag defined in
> ColdFusion that
> prepends a url to that anchor, so the page actually jumps
> somewhere else.
> Peter
>
>
> --
> For unsubscribe and other options, including
> the Tip Harvester and archive of TheList go to:
> http://lists.evolt.org Workers of the Web, evolt !


--__--__--

Message: 22
From: "the head lemur" <headlemur at clearskymail.com>
To: "!Evolt" <thelist at lists.evolt.org>
Date: Wed, 16 Jan 2002 07:34:06 -0700
charset="iso-8859-1"
Subject: [thelist] OT: Netware 3.12 and 6
Reply-To: thelist at lists.evolt.org

Anybody administering Netware 3.12 and have any experience in setup and
migration?
Need some help. offlist of course:)






--__--__--

Message: 23
<3C43555D.8090006 at 123piano.com>
<024a01c19e94$0f7a0d50$f7772241 at dmak>
<017201c19e97$fac35480$d801000a at peter>
From: "josh" <evolt at efeingold.com>
To: thelist at lists.evolt.org
Date: Wed, 16 Jan 2002 14:40:52 GMT
Subject: [thelist] Re: HTML question <dummy>
Reply-To: thelist at lists.evolt.org

Will a Javascript link work for you?  (I think it works in all NN and IE4+.)

<a href="javascript:alert('test')">Test this</a>

Take care,
Josh

--__--__--

Message: 24
From: "Peter Van Dijck" <peter.vandijck at vardus.com>
To: <thelist at lists.evolt.org>
Subject: Re: [thelist] HTML question <dummy>
Date: Wed, 16 Jan 2002 14:33:30 -0000
charset="iso-8859-1"
Reply-To: thelist at lists.evolt.org



> in your onclick add return false; at the end
> So you have : <a href="#" onclick="yourcomplicatedScript(); return
false;">

Thanks that fixed it.
Peter


--__--__--

Message: 25
Date: Wed, 16 Jan 2002 14:46:30 +0000
From: Anne Thorniley <anne at beerintheevening.com>
To: thelist at lists.evolt.org
Subject: Re: [thelist] HTML question <dummy>
Reply-To: thelist at lists.evolt.org

Hi Peter,


On Wed, Jan 16, 2002 at 02:33:30PM -0000, Peter Van Dijck wrote:
> > in your onclick add return false; at the end
> > So you have : <a href="#" onclick="yourcomplicatedScript(); return
> false;">
>
> Thanks that fixed it.
> Peter

Yes, that works, as long as you don't mind browsers that don't support
javascript or have javascript turned off still linking to the base
url.

That may not be a problem for you, just wanted you to be aware of it.

Anne

--
...but I'll save my dreams till I get old
I might need them some day

--__--__--

Message: 26
Date: Wed, 16 Jan 2002 15:56:33 +0100
Subject: Re: [thelist] HTML question <dummy>
From: Mark Howells <mark at mountain.ch>
To: thelist at lists.evolt.org
Reply-To: thelist at lists.evolt.org

>>> in your onclick add return false; at the end
>>> So you have : <a href="#" onclick="yourcomplicatedScript(); return
>> false;">
>>
>> Thanks that fixed it.
>> Peter
>
> Yes, that works, as long as you don't mind browsers that don't support
> javascript or have javascript turned off still linking to the base
> url.

That is to say, a link like this is better to make sure that non-JS
browsers (and search engines) can follow the link.

<a href="myURL.html" onclick="window.open(this.href,'',''); return
false">My Link</a>

Regards
Mark Howells
<http://www.mark.ac>


--__--__--

Message: 27
From: Chris Price <chris.price at stl.org>
To: "'thelist at lists.evolt.org'" <thelist at lists.evolt.org>
Subject: RE: [thelist] HTML question <dummy>
Date: Wed, 16 Jan 2002 15:54:01 -0000
charset="iso-8859-1"
Reply-To: thelist at lists.evolt.org

Excuse my ignorance but what does "return false" do

By the way, this discussion has answered a question that's been bugging me
for months.

thelist has been a revelation to me!
--
Chris Price

> ----------
> From: DESCHAMPS Stéphane DvSI/SICoR
> Reply To: thelist at lists.evolt.org
> Sent: Wednesday, January 16, 2002 14:32 PM
> To: thelist at lists.evolt.org
> Subject: RE: [thelist] HTML question <dummy>
>
> in your onclick add return false; at the end
> So you have : <a href="#" onclick="yourcomplicatedScript(); return
> false;">
>

_____________________________________________________________________
This message has been checked for all known viruses by UUNET delivered
through the MessageLabs Virus Control Centre. For further information visit
http://www.uk.uu.net/products/security/virus/

--__--__--

Message: 28
From: "MRC" <webmaster at equilon-mrc.com>
To: <thelist at lists.evolt.org>
Subject: Re: [thelist] CSS Input Borders
Date: Wed, 16 Jan 2002 08:10:44 -0800
charset="iso-8859-1"
Reply-To: thelist at lists.evolt.org

IA,

> I have a text box that is displaying with no border in IE6, but is
> displaying with a border in NN6 (let alone NN4.x):
>
> input.contactform { border:0px;
> background-color:#90d8b9;
> font-family:Arial, Helvetica, sans-serif;
> font-size:9pt;
> font-weight:normal;}

    Your CSS looks fine (although a purist might argue that "border: 0px"
should be "border: none"), and in a quick test I saw no problems in Netscape
6 with this code snippet. My best guesses for the cause of your problem:

1) You haven't actually assigned the className "contactform" to the input
2) You haven't used the same case for the className "contactform" in your
style sheet that you used in your HTML (e.g., "input.contactform" in your
style sheet and <input class="Contactform"> in your HTML)
3) You have another style declaration that is overriding this one (e.g.,
further down in your style sheet, declared inline, or with an !important
declaration).

    If you still have the problem, do you have a URL or a larger code
sample?

James Aylard


--__--__--

Message: 29
From: "Paul Backhouse" <paul.backhouse at 2cs.com>
To: <thelist at lists.evolt.org>
Date: Wed, 16 Jan 2002 16:14:12 -0000
charset="iso-8859-1"
Subject: [thelist] Any Ideas
Reply-To: thelist at lists.evolt.org

Hi people

Ive just finished off our companies website - we're using iframes, my issue
is with Netscape 4.x - we all know iframes dont work, now I would normally
use some sort of scrollable layer for browsers that dont support it, but I
dont want to this time as I find them especially tempramental in NS 4.x.

So has anyone got any good ideas, a nice way of solving this problem - some
other alternative that could work well in NS 4.x - ideally if you have any
idea you'll need to view the site in IE 4 (or upwards) to see how is
currently works.

The site in question is: www.2cs.com

Any suggestions for this problem?

Many Thanks

Paul Backhouse


--__--__--

Message: 30
From: "Paul Backhouse" <paul.backhouse at 2cs.com>
To: <thelist at lists.evolt.org>
Subject: RE: [thelist] CSS Input Borders
Date: Wed, 16 Jan 2002 16:17:09 -0000
charset="iso-8859-1"
Reply-To: thelist at lists.evolt.org

The borders for input boxes will not work in NS 4.x (as far as I am aware),
use some sort of detection script for Ie and Ns 4.x - but if anyone does
know how to do this then I'd be interested to know how.


-----Original Message-----



IA,

> I have a text box that is displaying with no border in IE6, but is
> displaying with a border in NN6 (let alone NN4.x):
>
> input.contactform { border:0px;
> background-color:#90d8b9;
> font-family:Arial, Helvetica, sans-serif;
> font-size:9pt;
> font-weight:normal;}



--__--__--

Message: 31
Date: Wed, 16 Jan 2002 17:43:28 +0100
Subject: Re: [thelist] HTML question <dummy>
From: Mark Howells <mark at mountain.ch>
To: thelist at lists.evolt.org
Reply-To: thelist at lists.evolt.org

It stops the browser from following the link in the href="" part of the
tag.

Regards
Mark Howells
<http://www.mark.ac/evl>

Am Mittwoch den, 16. Januar 2002, um 16:54, schrieb Chris Price:

> Excuse my ignorance but what does "return false" do


--__--__--

Message: 32
Reply-To: "Bob Haroche" <bharoche at usa.net>
From: "Bob Haroche" <bharoche at usa.net>
To: <thelist at lists.evolt.org>
Subject: Re: [thelist] Any Ideas
Date: Wed, 16 Jan 2002 08:43:35 -0800
charset="iso-8859-1"
Reply-To: thelist at lists.evolt.org

Hi Paul,

Nice looking site there. You know you've got some horizontal scrolling even
at higher resolutions?

I couldn't find any iFrames when I clicked around in IE 6 (Win2K). What
page(s) have them?

The few times I've used iFrames, I've handled NN 4 by making the alternative
content a "Click here for the content" type link which pops up a child
window.  I don't know if that would work for you, but I think it's more
reliable than scrolling layers, which I really don't like myself.

Regards,
Bob Haroche
O n P o i n t  S o l u t i o n s
http://www.OnPointSolutions.com


--__--__--

Message: 33
From: ".jeff" <jeff at members.evolt.org>
To: <thelist at lists.evolt.org>
Subject: RE: [thelist] HTML question <dummy>
Date: Wed, 16 Jan 2002 08:46:02 -0800
charset="iso-8859-1"
Reply-To: thelist at lists.evolt.org

chris,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Chris Price
>
> Excuse my ignorance but what does "return false" do
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

JavaScript: The Point of No Return?!
http://evolt.org/article/thelist/17/8869/

enjoy,

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/



--__--__--

Message: 34
From: "Paul Backhouse" <paul.backhouse at 2cs.com>
To: <thelist at lists.evolt.org>
Subject: RE: [thelist] Any Ideas
Date: Wed, 16 Jan 2002 16:53:05 -0000
charset="iso-8859-1"
Reply-To: thelist at lists.evolt.org

Bob, cheers for the comments - yes the site is made for 1024x768 with
defautl browser settings - im not particulary keen on specifically designing
for higher resolutions because the users might have extras on their tool
bars - but we did some research (abtou a years worth) and it showed that
about 90% and upwards were viewing our old site at 1024x768 and higher.

Hmmm...as for the content button for NS 4.x, i like the idea, I might be
able to integrate it that quite easily with whats already there.

Thanks

Paul

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Hi Paul,

Nice looking site there. You know you've got some horizontal scrolling even
at higher resolutions?

I couldn't find any iFrames when I clicked around in IE 6 (Win2K). What
page(s) have them?

The few times I've used iFrames, I've handled NN 4 by making the alternative
content a "Click here for the content" type link which pops up a child
window.  I don't know if that would work for you, but I think it's more
reliable than scrolling layers, which I really don't like myself.

Regards,
Bob Haroche
O n P o i n t  S o l u t i o n s
http://www.OnPointSolutions.com



--__--__--

Message: 35
From: "Paul Backhouse" <paul.backhouse at 2cs.com>
To: <thelist at lists.evolt.org>
Subject: RE: [thelist] Any Ideas
Date: Wed, 16 Jan 2002 16:56:55 -0000
charset="iso-8859-1"
Reply-To: thelist at lists.evolt.org

Bob,
About us section - our history and our partners,
Our Clients - first page
Case Studies - click on the helping cedar, the squares and case studies

Those should be the pages Bob.
We've got IE 6.x here on mac and pc and they work ok. Infact I owe this list
a fair bit, just from the issues that are raised here, i took it upon myself
to build a test pc with most of the browsers i could find on the evolt
browser pages - so i can test the sites happily.
Thing is ive now become the local browser compatibility guy in our office
and everyone keeps asking for help on their sites - well we live and learn.

I couldn't find any iFrames when I clicked around in IE 6 (Win2K). What
page(s) have them?




--__--__--

Message: 36
From: Chris Price <chris.price at stl.org>
To: "'thelist at lists.evolt.org'" <thelist at lists.evolt.org>
Subject: RE: [thelist] Searching for Visual HTML Editor for Novices
Date: Wed, 16 Jan 2002 09:03:50 -0000
charset="iso-8859-1"
Reply-To: thelist at lists.evolt.org

I use BBedit for my web editing partly because a WYSIWYG editor is not
suitable for our dynamic site.

I tried using my Dreamweaver a little while ago because the page I was doing
was stand alone and I didn't think it warranted me getting into the code.
But when I came to edit it, tags were flying all over the place and I fled
back to BBedit and good ol' html.

When we get editors to work work on text for print we get them to use simple
tags such as T# for title and S# for subtitle, import the text in .txt mode
and do find and replace to format it.

I would get someone to work in, say, Word; include tags; export as text
only; and then import it into something like BBedit (which has a powerful
search and replace).

Macromedia do a package called Homepage which is supposed to do what you're
asking but as it's for PC only I don't know what it's like.
--
Chris Price

> ----------
> From: John Kipling Lewis
> Reply To: thelist at lists.evolt.org
> Sent: Tuesday, January 15, 2002 15:03 PM
> To: thelist at lists.evolt.org
> Subject: [thelist] Searching for Visual HTML Editor for Novices
>
>
>
> I'm attempting to find a simple editor for webpages

_____________________________________________________________________
This message has been checked for all known viruses by UUNET delivered
through the MessageLabs Virus Control Centre. For further information visit
http://www.uk.uu.net/products/security/virus/


--__--__--

Message: 37
From: "Burhan Khalid" <burhankh at hotmail.com>
To: thelist at lists.evolt.org
Date: Wed, 16 Jan 2002 12:11:06 -0600
Subject: [thelist] www.deltasynergy.com
Reply-To: thelist at lists.evolt.org

Hey Frank :

Thought I'd check your site out http://www.deltasynergy.com to see about
your CSS tricks.

Ran into the following error (thought you'd like to know) :

  Line: 571
  document.images[..] is null or not an object

This error occured while rolling over the top menu. Items Home, Contact, and
Training, the rest seemed fine.

For the record, I'm on a Win98 machine, using IE6.0.

HTH,
Burhan

_________________________________________________________________
Join the world's largest e-mail service with MSN Hotmail.
http://www.hotmail.com


--__--__--

Message: 38
From: "spinhead" <evolt at spinhead.com>
To: "thelist" <thelist at lists.evolt.org>
Date: Wed, 16 Jan 2002 10:13:29 -0800
charset="iso-8859-1"
Subject: [thelist] skipping 'hx' levels is bad (was Re: icons for the tip
harvester (was Re: [thesite] Re: [***forum] page)
Reply-To: thelist at lists.evolt.org

[moved from elsewhere]

> >>also, can we skip <h2> and go right to <h3> from an <h1>?
> >>
> >
> > can we?  absolutely
>
>
> Well of course. People do it all the time.
>
>
> > should we?  that's arguable
>
>
> Not if we're going to set a good example. We need to maintain the
hierarchy.
>
>
> > the pros/cons of the argument might make for a good article, eh?
>
>
> Using evolt.org as a good example of why you always should. :)
>
>
> > i have yet to find a definitive resource on the web that explains to me
> > clearly why skipping a level is "bad"

How will text readers react to improperly nested outlining?

Would this break if you were building the page dynamically from a db, with
xml, whatever?

(More below Mr. McCreath's excellent comments)

>
>
> If you find yourself wanting to skip from <h1> to <h3>, then you need to
> examine your writing. There's probably an <h2> that should be put
> between the two, even if it's just one sentence, or in the case of what
> I'm doing on the mock up, just the header itself.
>
> Alternatively, your orphaned <h3> section could be moved up in the
> hierarchy.
>
> Of course, that's a very strict interpretation, both in terms of writing
> and layout, but since HTML was intended to mark up written
> documentation, I stand by that interpretation. YOMV (your opinion may
vary).
>
> David
>

It's not just a code/web/standards issue, it is, as David points out, a
writing issue. Fair warning; if no one beats me to it, this article's mine.

joel


--__--__--

Message: 39
From: "rudy" <r937 at interlog.com>
To: <thelist at lists.evolt.org>
Subject: Re: [thelist] skipping 'hx' levels is bad
Date: Wed, 16 Jan 2002 13:24:48 -0500
charset="iso-8859-1"
Reply-To: thelist at lists.evolt.org

> [moved from elsewhere]

thanks joel, thelist is probably a better venue for this discussion

(note to the curious:  this thread started on thesite, one of the other
evolt.org discussion lists)



> Of course, that's a very strict interpretation...

perhaps not strict enough

> ... both in terms of writing and layout, but since HTML
> was intended to mark up written documentation, I stand
> by that interpretation.   YOMV (your opinion may vary).

indeed

lemme ask you, does your interpretation allow P text inserted "in between"
these heading levels, like an introductory paragraph?

   <h1>stooges</h1>
   <p>introductory comments, a page and a half</p>
   <h2>curly</h2>
         <p>stuff about curly</p>
   <h2>larry</h2>
         <p>stuff about larry</p>
   <h2>moe</h2>
         <p>stuff about moe</p>
   <p>wrapup comments</p>

since you are a markup fanatic, tell me where that last paragraph gets
parsed in the document hierarchy

now tell me how to fix it so that it's as "pure and semantically correct"
as not skipping an H level


YOMNCM  (your opinion may never convince me)

;o)


rudy


--__--__--

Message: 40
From: "spinhead" <evolt at spinhead.com>
To: <thesite at lists.evolt.org>, "thelist" <thelist at lists.evolt.org>
Date: Wed, 16 Jan 2002 10:22:40 -0800
charset="iso-8859-1"
Subject: [thelist] skipping hx levels (was Re: icons for the tip harvester
(was Re: [thesite] Re: [***forum] page)
Reply-To: thelist at lists.evolt.org

>    <h1>stooges</h1>
>    <p>introductory comments, a page and a half</p>
>    <h2>curly</h2>
>          <p>stuff about curly</p>
>    <h2>larry</h2>
>          <p>stuff about larry</p>
>    <h2>moe</h2>
>          <p>stuff about moe</p>
>    <p>wrapup comments</p>
>
> since you are a markup fanatic, tell me where that last paragraph gets
> parsed in the document hierarchy

It is the first paragraph at the 'root' one level above h1. But you
shouldn't have anything there; if we're following the hx format strictly
(which I realize you didn't say you were) the conclusion would be either
another h2 or the last h1; probably the latter.

(pssst; wanna talk about this over on thelist?)

>
> now tell me how to fix it so that it's as "pure and semantically correct"
> as not skipping an H level
>
>
> YOMNCM  (your opinion may never convince me)

You rebel!

(That's a pejorative, pronounced 'REB-ul' not a command, pronounced
'ruh-BEL')

joel

>
> ;o)
>
>
> rudy
>
>



--__--__--

Message: 41
From: ".jeff" <jeff at members.evolt.org>
To: <thelist at lists.evolt.org>
Subject: RE: [thelist] The URL SemiColon Exploit
Date: Wed, 16 Jan 2002 10:29:04 -0800
charset="us-ascii"
Reply-To: thelist at lists.evolt.org

matt,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Warden, Matt
>
> <cfquery name="foo" datasource="#bar#>
> SELECT foo, bar
> FROM fubar
> where rudy=#url.rudy#
> </cfquery>
>
> Looks harmless, right?
>
> If the URL is http://mydomain.com/hax0rz.cfm?rudy=12
> then foo's SQL would be:
>
> SELECT foo, bar
> FROM fubar
> where rudy=12
>
> Like I said, harmless, right?
>
> Well, consider a URL like this:
>
> http://mydomain.com/hax0rz.cfm?12;DROP%20TABLE%20fubar
>
> Now, foo's SQL would be:
>
> SELECT foo, bar
> FROM fubar
> where rudy=12;DROP TABLE fubar
>
> a semicolon separates sql statements, so this is
> really two statements:
>
> SELECT foo, bar FROM fubar where rudy=12
> DROP TABLE fubar
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

this is easily solved in this instance by wrapping the variable with the
Val() function which will force the value to a number.

<cfquery name="foo" datasource="#bar#>
  SELECT foo
       , bar
    FROM fubar
   WHERE rudy = #Val(url.rudy)#
</cfquery>

now foo's sql, for either of the url's above, would be:

  SELECT foo
       , bar
    FROM fubar
   WHERE rudy = 12

fwiw, this isn't an issue, in most cases, with queries that use string
values rather than numeric values.  that's because cf server automatically
escapes single-quotes by doubling them up and thereby making the hacked sql
in the passed string part of the text value.  take this query as an example:

<cfquery name="foo" datasource="#bar#>
  SELECT foo
       , bar
    FROM fubar
   WHERE rudy = '#Trim(url.rudy)#'
</cfquery>

now suppose we were referencing it via a url like so:

http://mydomain.com/hax0rz.cfm?rudy=r937

the resulting sql would be:

  SELECT foo
       , bar
    FROM fubar
   WHERE rudy = 'r937'

let's say a script kiddie was going to try to drop the fubar table by
messing with the url and ending up with something like one of these:

http://mydomain.com/hax0rz.cfm?rudy=r937;%20DROP%20TABLE%20fubar

will result in:

  SELECT foo
       , bar
    FROM fubar
   WHERE rudy = 'r937; DROP TABLE fubar'

which is harmless.

or (notice the lone single-quote in the url):

http://mydomain.com/hax0rz.cfm?rudy=r937';%20DROP%20TABLE%20fubar

will result in:

  SELECT foo
       , bar
    FROM fubar
   WHERE rudy = 'r937''; DROP TABLE fubar'

which is also harmless.

so, the lesson to be learned is that so long as you write tight code and
enforce expected datatypes, you shouldn't have any problems with the
semi-colon exploit.

good luck,

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/




--__--__--

Message: 42
Date: Wed, 16 Jan 2002 12:27:06 -0600
To: thelist at lists.evolt.org
From: Ben Dyer <ben_dyer at imaginuity.com>
Subject: [thelist] Important for the Laid-off Americans
Reply-To: thelist at lists.evolt.org

Remember, those of you American designers and developers who have been
unfortunate enough to have had their company close down on them this past
year, be careful when you go to fill out taxes this year:

<http://www.zdnet.com/zdfeeds/msncobrand/news/0,13622,5101713,-hud00025nsab,
00.html>

--Ben


<tip type="ColdFusion" author="Ben Dyer">

If you have a situation where you need to strip out all tags from a block
of text in ColdFusion, you can use a regular expression to remove them
all.  Like so:

<CFSET new_block = REReplaceNoCase(Form.original_block,"<[^>]*>","","all")>

</tip>


Ben Dyer, Senior Internet Developer, Imaginuity Interactive
http://www.imaginuity.com/
-----------------------------------------------------------------
   http://members.evolt.org/OKolzig37/     http://www.evolt.org/




--__--__--

_______________________________________________
Help: http://lists.evolt.org/mailman/listinfo/thelist

Archives: http://lists.evolt.org

End of thelist Digest





More information about the thelist mailing list