Preview does not match post
December 20, 2001 4:40 PM
This post had a white background when I previewed it (like this one still does), but it disappeared when I posted it. Shouldn't "Preview" mean "show me what I'll get if I hit Post now"?
The HTML filter appears to have elided the "style=" and quote marks from the tag.
posted by nicwolff at 4:47 PM on December 20, 2001
This happened to me a couple of days ago with title attributes. The act of previewing the post stripped off the quotes, so only the first word showed on mouseover.
On second thought, I bet you have to preview *twice* for it to kick in. I seem to recall previewing, making some changes, previewing again, then posting.
posted by gleuschk at 5:04 PM on December 20, 2001
Not allowing a poster to change the background of the entire page seems like a positive feature, not a bug. (unless there's something I'm not picking up here)
posted by skwm at 5:17 PM on December 20, 2001
The tag was to change the background of an image to white, not the whole page. Instead, the image background ended up all blecherous and transparent.
posted by youhas at 5:30 PM on December 20, 2001
Jeez, I have to go out and buy a $600 piece of software to do something in five minutes that CSS would let me do in five seconds?
Actually, though, the bug I'm reporting isn't the filtering of the style attribute, it's the fact that Preview and Post are rendering the comment differently, which is not very user-friendly.
And my real point is that the same code that renders the Post HTML from the URL-encoded form data should be called to render the Preview.
posted by nicwolff at 6:45 PM on December 20, 2001
Posting images shouldn't be a common thing anyway, should it?
posted by timothompson at 7:20 PM on December 20, 2001
Posting images shouldn't be a common thing anyway, should it?
I tend to agree, in general. The topic has been promoted to a thread by owillis here if you have a comment about it.
posted by stavrosthewonderchicken at 8:15 PM on December 20, 2001
Posting images shouldn't be a common thing anyway, should it?
All the more reason to do it right when it's done.
posted by markpasc at 8:19 PM on December 20, 2001
And my real point is that the same code that renders the Post HTML from the URL-encoded form data should be called to render the Preview.
This bugs me too. For instance, I'm afraid to use <blockquote>, because in preview it looks like it breaks the page, even though I understand everything turns out alright once you post it.
posted by mattpfeff at 8:24 PM on December 20, 2001
Using CSS, a few users here showed you can hack an entire page, setting body copy to 250px purple fonts, you can wipe out graphics, etc.
I had to lessen some of the open security holes (there are still many more to tackle), so style, embed, script, and link tags are out now.
I only run the code filter on submission, but could do it during preview as well.
posted by mathowie (staff) at 10:27 PM on December 20, 2001
But there's a difference between the style element and the style attribute, which is what Nic is asking about (right?). I think it's a shame to (essentially) turn off CSS altogether, as opposed to limiting the extent of its effects. The style attribute is limited in scope to the element it's in. A malicious user could mess up a large part of a page by adding CSS to an unclosed DIV, I suppose, but he/she could do that without the CSS anyway.
posted by rodii at 10:34 PM on December 20, 2001
rodii, you have to kill both the style element and the style attribute.
Otherwise, people can do something like this:
<b style="hack friendly code here">foo</b>
Remember that fiasco Kottke had with his comment system? That was after he took out the style tag, people were hacking the site using just the style element.
posted by mathowie (staff) at 10:54 PM on December 20, 2001
rodii: The style attribute is limited in scope to the element it's in.
Let us not forget absolute positioning, among other things.
posted by gleemax at 8:04 AM on December 21, 2001
Point taken. Still, it's a shame to lose so much expressive power because J. Random Butthead can't keep his CSS zipped.
posted by rodii at 6:21 PM on December 21, 2001
Well, it should be possible to let some style declarations through (background-color, color, etc.) and filter others (padding, margin, position, etc.), but the more complex the system is the more loopholes there will be.
posted by Nothing at 11:02 PM on December 21, 2001
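Added example, not MetaFilter's own filter: a small allow-list sanitizer in the spirit of mathowie's tag removal and Nothing's per-declaration filtering above. It swallows style and script elements with their contents, drops any tag not on a short allow-list (embed, link, div and the rest lose the tag but keep their text), keeps only a few cosmetic CSS properties inside a style attribute, closes whatever the poster left open, and is a single function meant to be called from both Preview and Post, which is nicwolff's point. The tag, attribute and property allow-lists are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed policy for this example (not MetaFilter's real filter).
ALLOWED_TAGS = {"b", "i", "em", "strong", "a", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_CSS = {"color", "background-color", "font-weight"}
SWALLOW = {"style", "script"}  # dropped together with their contents

def clean_style(value):
    # Allow-listed properties with plain values only, so position:absolute,
    # url(...) and expression(...) never survive in a style attribute.
    decls = [d.partition(":") for d in value.lower().split(";")]
    return "; ".join(f"{p.strip()}: {v.strip()}" for p, _, v in decls
                     if p.strip() in ALLOWED_CSS and v.strip().replace("#", "").isalnum())

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in SWALLOW:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:  # embed, link, div...: tag dropped, text kept
            attr_text = ""
            for name, value in attrs:
                value = clean_style(value or "") if name == "style" else (value or "")
                if name == "href" and not value.lower().startswith(("http://", "https://")):
                    continue  # no javascript: links
                if value and (name == "style" or name in ALLOWED_ATTRS.get(tag, ())):
                    attr_text += f' {name}="{escape(value)}"'
            self.out.append(f"<{tag}{attr_text}>")
            self.open_tags.append(tag)
    def handle_endtag(self, tag):
        if tag in SWALLOW:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:
            t = None
            while t != tag:  # also closes anything left open inside it
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(markup):
    # The single filter that both Preview and Post should call.
    p = Sanitizer(); p.feed(markup); p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.open_tags))  # close what was left open
    return "".join(p.out)
```

Because the same function produces both views, the preview is exactly what gets posted, and running it twice changes nothing.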
Wouldn't the bigger problem be the server resources that would take?
posted by gleemax at 1:58 AM on December 22, 2001