Comments Moved to Right

luckylace222 · Posted: Mon Jan 16, 2012 4:34 pm Post subject: Comments Moved to Right

After commenting on a new user's page, my comment was moved snugly to the right. Is there a reason for this format? Everyone else's comment format is the same, just not this one.

http://img193.imageshack.us/img193/3012/74727551.png
_________________
[size=10]“Far better is it to dare mighty things, to win glorious triumphs, even though checked by failure...than to rank with those poor spirits who neither enjoy much nor suffer much, because they live in a gray twilight that knows not victory nor defeat.” ~Theodore Roosevelt [/size]

cstdenis · Posted: Mon Jan 16, 2012 5:35 pm Post subject:

Bad HTML in the blog post is breaking the layout.
_________________
You will obey or molten silver will be poured into your ears.

Stratadrake · Posted: Mon Jan 16, 2012 8:00 pm Post subject:

Wow. How did that happen ... and how do we prevent it? (Better bbCode parsing for one, but still.)

Aha. This is using an external blog feed, and the excerpt processing cut it off right in the middle of an HTML tag -- mid-CSS in fact:

[code:1]

<div class="box"><div class='boxheader' style='clear:both'>Blog (<i><a href=http://luphasiadrama.blogspot.com/>More</a></i>)</div>
<div class="boxbody">

<div class="separator" style="clear: both; text-align: center;"><img border="0" height="400" width="343" src="http://1.bp.blogspot.com/-yPp-RvH900U/Tp7vcoiaV8I/AAAAAAAACWU/x7bs_azjxOg/s400/TKQfe.jpg" /></div><br /><br /><span style="color: rgb(175, 238, 238);"><blockquote><img src="http://dl6.glitter-graphics.net/pub/440/440576q8wrax7se2.gif" width=13 height=12 border=0> Description: Track 5<br /><img src="http://dl6.glitter-graphics.net/pub/440/440576q8wrax7se2.gif" width=13 height=12 border=0> Album : THE BOYS<br /><img src="http://dl6.glitter-graphics.net/pub/440/440576q8wrax7se2.gif" width=13 height=12 border=0> Vocal : Girl's Generation (소녀시대)</blockquote></span><br /><br /><center><div style="overflow:auto;width:450px;height:500px;padding:0px;border:1px dashed #8FD6F2"><table border="0" width="420"><tbody><tr bgcolor="#81D7F4"><td align="center">Romanization</td><td align="center">Hangul</td><tr align="left"><td align="right"><span style="color: rgb(255, 153, 204);font-si </div>
</div>

[/code:1]

This bug can be isolated to /feed.php.inc, line 36 where it uses a plain substr() to chop the article text off at a certain point without regards for HTML or CSS validity.

Damn . . . this is NOT going to be an easy fix.
_________________
Strata here: [url=http://www.nanowrimo.org/eng/user/242293]Nanowrimo[/url] - [url=www.fanart-central.net/user-Stratadrake.php]FAC[/url] - [url=http://stratadrake.deviantart.com]dA[/url] - [url=www.furaffinity.net/user/Stratadrake/]FA[/url]
[size=9]Disclaimer: Posts may contain URLs. Click [url=http://tvtropes.org/pmwiki/pmwiki.php/Main/TVTropesWillRuinYourLife]at your own risk.[/url][/size]

cstdenis · Posted: Mon Jan 16, 2012 9:24 pm Post subject:

Doing a clean substring on a block of html code is never going to be easy....

I think there is also the potentially serious problem of these blog feeds can be a serious security problem in terms of XSS/XSRF/JS injection.

New site version does not implement this feature (just local blogs). I think for security reasons, it may be necessary to keep it that way -- just link to the external blog instead.

There are ways to work around it somewhat, but they of course come with their own issues and are not necessarily perfect.
http://www.yiiframework.com/doc/api/1.1/CHtmlPurifier
_________________
You will obey or molten silver will be poured into your ears.

Stratadrake · Posted: Tue Jan 17, 2012 8:00 am Post subject:

So what do we do? You're right, this has serious potential for HTML abuse.
_________________
Strata here: [url=http://www.nanowrimo.org/eng/user/242293]Nanowrimo[/url] - [url=www.fanart-central.net/user-Stratadrake.php]FAC[/url] - [url=http://stratadrake.deviantart.com]dA[/url] - [url=www.furaffinity.net/user/Stratadrake/]FA[/url]
[size=9]Disclaimer: Posts may contain URLs. Click [url=http://tvtropes.org/pmwiki/pmwiki.php/Main/TVTropesWillRuinYourLife]at your own risk.[/url][/size]

cstdenis · Posted: Tue Jan 17, 2012 12:37 pm Post subject:

Short term -- probably nothing, unless it starts to get abused.

Long term -- drop the blog feed feature.
_________________
You will obey or molten silver will be poured into your ears.

Stratadrake · Posted: Tue Jan 17, 2012 7:40 pm Post subject:

In other words, give it a kill switch. Can do.
_________________
Strata here: [url=http://www.nanowrimo.org/eng/user/242293]Nanowrimo[/url] - [url=www.fanart-central.net/user-Stratadrake.php]FAC[/url] - [url=http://stratadrake.deviantart.com]dA[/url] - [url=www.furaffinity.net/user/Stratadrake/]FA[/url]
[size=9]Disclaimer: Posts may contain URLs. Click [url=http://tvtropes.org/pmwiki/pmwiki.php/Main/TVTropesWillRuinYourLife]at your own risk.[/url][/size]