drupal XSS filtering removes unrecognized tags

So I just installed drupal 7.10 and am playing around with it a bit.  I changed my site name to david->writes(‘<drupal>’);.  What I got was david->writes(”);.  I got the same thing when trying to post this message to the drupal forums, as I figured I might.  So I manually escaped it.  I figured the validation was removing the <drupal> “tag”, so I found where this takes place in the _filter_xss_split function in includes/common.inc.

If the text looks like a tag, but is not one of the listed supported tags, an empty string is returned. Seems a little lazy really. So, on line 1411, I changed the

return '';

to

return '&lt;'.$elem.'&gt;';

Anyway, my site name shows up correctly now.

I haven’t tested this thoroughly, but I don’t see how it would cause a problem. It’s just a little escape action.

Has anyone else seen this and fixed it? Anyone see any potential problems? Other comments?

P.S.  View the forum conversation here:  http://drupal.org/node/1412910
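As an added illustration (not Drupal's own code), here is a small Python model of the choice `_filter_xss_split` makes for each tag-shaped fragment, with the stock "drop" behaviour beside the post's "escape" patch. The allow-list is an assumption standing in for the one `filter_xss_admin` uses.

```python
import html
import re

# Added example, not Drupal's code: a model of the choice Drupal 7's
# _filter_xss_split() makes for each tag-shaped fragment. The allow-list
# below is an assumption standing in for the one filter_xss_admin() uses.
ALLOWED_TAGS = {"a", "em", "strong", "p", "br"}

# Tag-shaped text: '<', optional closing slash, a name, then the attribute
# list (mirrors the $elem / $attrlist split in the Drupal function).
TAG_RE = re.compile(r"^<\s*(/?)\s*([a-zA-Z0-9-]+)([^>]*)>?$")


def split_tag(fragment: str, mode: str) -> str:
    """Return what one tag-shaped fragment becomes.

    mode="drop":   stock behaviour, unrecognised tag -> '' (the post's gripe)
    mode="escape": the post's patch, unrecognised tag -> '&lt;' . $elem . '&gt;'
    """
    m = TAG_RE.match(fragment)
    if not m:
        return ""  # seriously malformed: dropped in both modes
    slash, elem, _attrs = m.groups()
    if elem.lower() in ALLOWED_TAGS:
        # Allowed element; attribute sanitising is out of scope here.
        return f"<{slash}{elem}>"
    if mode == "drop":
        return ""
    # The patch keeps only $elem, so the closing slash and the attribute
    # list are discarded: nothing tag-like reaches the browser, the reader
    # just sees the literal name between angle brackets.
    return "&lt;" + elem + "&gt;"


def filter_xss(text: str, mode: str = "drop") -> str:
    """Run split_tag() over every tag-shaped run, leaving other text as-is."""
    parts = re.split(r"(<[^>]*>?)", text)  # odd indices are the tags
    return "".join(split_tag(p, mode) if i % 2 else p for i, p in enumerate(parts))


def escaped_again(filtered: str) -> str:
    """What the escaped text turns into if a later layer escapes it once more
    (double encoding): the visitor sees '&lt;drupal&gt;' spelled out."""
    return html.escape(filtered, quote=False)


if __name__ == "__main__":
    site_name = "david->writes('<drupal>');"  # constructed, from the post
    print(filter_xss(site_name, "drop"))    # david->writes('');
    print(filter_xss(site_name, "escape"))  # david->writes('&lt;drupal&gt;');
```

Two things the model makes visible: because the patch keeps only `$elem`, a closing slash or attribute list on an unrecognised tag is discarded rather than escaped, and if a theme layer later escapes the same string once more (Drupal 7's `check_plain` does this) the visitor sees the double-encoded `&amp;lt;drupal&amp;gt;`.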

Posted in Drupal

JSON-style Cascading Style Sheets

So, it’s kind of the way of the world that when I have a good idea and start focusing my energies on fully hashing out and refining that idea, I find that somebody else has shared that idea and is already (sometimes only somewhat) implementing it.  Today’s example is what I might call JSON-style CSS.

I kept looking at much of my CSS code and going, “Man, this would be simpler if I didn’t have to duplicate some of these selectors.”  To see what I mean, check out the following code (and yes, I am a fan of the single-line CSS rule):

#cfgfile-controller table {margin: auto;}
#cfgfile-controller label.gateway, #cfgfile-controller input[type="text"].gateway {width: 144px;}
#cfgfile-controller label.subnet-mask, #cfgfile-controller select.subnet-mask {width: 84px;}
#cfgfile-controller label.gateway, #cfgfile-controller label.subnet-mask, #cfgfile-controller label.port, #cfgfile-controller label.dest, #cfgfile-controller label.protocol {display: inline-block; float: none; margin: 0 auto; padding: 4px; text-align: center;}
#cfgfile-controller label.gateway {margin-left: 206px;}
#cfgfile-controller label.port, #cfgfile-controller input[type="text"].port {width: 48px;}
#cfgfile-controller label.dest, #cfgfile-controller input[type="text"].dest {width: 240px;}
#cfgfile-controller label.protocol, #cfgfile-controller select.protocol, #cfgfile-controller select#acctste {width: 72px;}
#cfgfile-controller .additional-info {line-height: 1.75; margin: auto; white-space: normal; width: 282px;}

I wrote this stuff in the main CSS file of a fairly large hand-written project. The project had a number of controllers, and for some of those, I wanted to tweak just a few things about the presentation. I had a few options to resolve this problem:

  • I quite possibly could rely on just the class names (gateway, subnet-mask, etc.) to handle these, but there are a few other controllers with similar elements that I did NOT want styled this way.
  • I could create a totally separate CSS file that was included only when the controller I wanted to target was the one being called.  I actually started off this way, but determined I’d be much better off performance-wise going with the solution I chose.

What I would like to do is somewhat more of a JSON-style CSS sheet.  If you look at CSS, it kind of resembles JSON already…. Kind of.  I think a better solution to my problem would have been if I could do something like this:

#cfgfile-controller {
	table {margin: auto;}
	label.gateway, input[type="text"].gateway {width: 144px;}
	label.subnet-mask, select.subnet-mask {width: 84px;}
	label.gateway, label.subnet-mask, label.port, label.dest, label.protocol {display: inline-block; float: none; margin: 0 auto; padding: 4px; text-align: center;}
	label.gateway {margin-left: 206px;}
	label.port, input[type="text"].port {width: 48px;}
	label.dest, input[type="text"].dest {width: 240px;}
	label.protocol, select.protocol, select#acctste {width: 72px;}
	.additional-info {line-height: 1.75; margin: auto; white-space: normal; width: 282px;}
}

I do think even this could be simplified (maybe put all the identically-classed labels on one line or something), but I think this is much easier to read. It also eliminates 18 calls to the #cfgfile-controller selector. That’s a savings of 345 characters (970 – 625). Apply this concept to an entire style sheet and you can come up with some pretty cool stuff.

As I mentioned in the beginning, sometimes when hashing out these ideas, I find they’ve already been thought up. For more info, check out LESS. It uses the exact notation I’m describing, but requires compiling into standard CSS. I think CSS should handle this type of notation on its own… CSS4 anyone?
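To show what the compile step LESS adds actually does, here is an added Python example (not the post's code and not LESS itself) that expands the nested notation above into the flat rules a browser understands; it handles one level of nesting with descendant combinators, which is all the sample needs.

```python
import re

# Constructed input: the nested sheet from the post, verbatim.
NESTED = """
#cfgfile-controller {
    table {margin: auto;}
    label.gateway, input[type="text"].gateway {width: 144px;}
    label.subnet-mask, select.subnet-mask {width: 84px;}
    label.gateway, label.subnet-mask, label.port, label.dest, label.protocol {display: inline-block; float: none; margin: 0 auto; padding: 4px; text-align: center;}
    label.gateway {margin-left: 206px;}
    label.port, input[type="text"].port {width: 48px;}
    label.dest, input[type="text"].dest {width: 240px;}
    label.protocol, select.protocol, select#acctste {width: 72px;}
    .additional-info {line-height: 1.75; margin: auto; white-space: normal; width: 282px;}
}
"""


def flatten(nested_css: str) -> list[str]:
    """Prefix every inner selector with every outer selector (descendant
    combinator) and emit the single-line rules the post prefers.
    Added example: one nesting level only, no '&' parent references."""
    outer = re.match(r"\s*([^{]+?)\s*\{(.*)\}\s*$", nested_css, re.S)
    if not outer:
        raise ValueError("expected 'selector { rules }'")
    parents = [p.strip() for p in outer.group(1).split(",")]
    rules = []
    # Each inner rule is 'selector-list {declarations}'.
    for child_sel, decls in re.findall(r"([^{};]+?)\s*\{([^{}]*)\}", outer.group(2)):
        children = [c.strip() for c in child_sel.split(",")]
        flat = ", ".join(f"{p} {c}" for p in parents for c in children)
        rules.append(f"{flat} {{{decls.strip()}}}")
    return rules


if __name__ == "__main__":
    print("\n".join(flatten(NESTED)))
```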

Posted in CSS

Not every manager CAN be a CLO

Saw a post earlier with the following thesis:

“In this era when markets and workplaces are conversations, every manager should be a ‘chief listening officer.’”

Disagreed.

Most managers’ energies should be spent focusing on managing workplace conditions or affecting the company’s standing in the marketplace.  Keeping eyes and ears open to changing conditions is obviously a must, but we cannot all constantly just sit and listen.  We must act.  With a “chief listening officer,” there can be one who is constantly, actively searching for feedback–even in the most hidden places. He/she can then aggregate and filter this feedback into a more manageable form for the other managers, allowing them to perform their job more efficiently, acting as necessary.

Posted in Uncategorized

Quit complaining and get to work

When people don't have enough to do, they have plenty of time to
complain about others who could do more. Quit complaining and talking
about others. If you're bored, find something productive to do.

Posted in Uncategorized

Did you ever pass anything with 16%?

Reading a little Daniel Dennett here, I find he raises a good point. No matter which religious choice you make, MOST people disagree with you.

This is easily proven by looking at some simple statistics. A search for “largest religion in the world” quickly reveals that Christianity is the most adhered-to religion in the world. It ensnares roughly 2.1 billion people* in a world of roughly 7 billion. That’s right at 30%. I’d say that’s a close enough estimate to support my case, especially considering I’ve used the highest number I could find for Christian adherence.

Now, before continuing, let’s consider something else. That 2.1 billion includes ALL Christian denominations: Catholic, Protestant, Eastern Orthodox, Pentecostal, Anglican, Monophysite, African Initiated, Latter-day Saints, Evangelical, Seventh-Day Adventist, Jehovah’s Witnesses, Quakers, Assembly of God, and other nominal denominations. All in all, it’s reported there are over 38,000 different denominations.

So, even within the Christian faith, there is much division, and the percentage that agrees with you shrinks. Again, let’s go with the biggest faction: Roman Catholicism–claiming roughly 1.115 billion people as of 2007. We’re down to a generous 16%. Assuming we don’t dive any deeper into divisions and differences, we can rightfully deduce that AT LEAST 84% of the world is wrong about religion.

Why does this matter? What follows? Does this mean that those who are “educated” and know the right religion need to work harder at converting people? I think we all know MY answer to that. I think we need to step back and look at what this means for the religious.

I’m certainly not going to tell you that AT LEAST five out of six people disagree with you, NO MATTER WHAT YOU BELIEVE, so you should ditch your religion. That shouldn’t persuade you to change. Those same five out of six disagree with me, too.

But here’s the difference. You believe in a god who supposedly created and loves us and doesn’t WANT to send us to Hell, but will if he has to. The easiest way to be sent to Hell is to not believe in this god. At least five out of six people don’t believe in “it,” and are therefore going to Hell. My question is this: if “it” loves us so much, why are AT LEAST 84% of us going to Hell?

If we can imagine a school subject that god has to study and we call it “Making my own beloved creation believe I exist so they may share my kingdom with me for eternity as I intended when I created them because I love them so much because they are my creation/children,” I think it is safe to say that god fails miserably. I’ve never passed anything with 16%. If god is all-knowing and all-loving, he certainly doesn’t know how to show how much he loves his “children.” Better get on that, buddy.

*Wikipedia claims only 1.5 billion, giving a percentage closer to 21.4%

UPDATE: I realize this post is not a GREAT argument according to the rules of logic and would not prove or disprove anything scientifically. It is meant merely as a thought exercise as it began as a simple status update, and became much more as I hopped on this particular train of thought.

Posted in atheism

Friends

So, I was on the way back from the Green Day Cafe. Walking gives me plenty of time to think, as if I need it. But I appreciate these things. Thoughts seem to hit me in flashes usually. This makes it harder to express them because they’re gone before I can get words together. But sometimes, I’m able to hold on to them and expand and mold them. The thoughts that came today have been there before, but they’re always a little different. This time, I decided I should capture them. What else is a blog for, right?

What started it was a “pat on the back” thought from myself. This was not a voluntary “pat on the back” thought. Every once in a while, my mind will praise itself for dealing with life so well. This is self-perpetuating and motivational. It’s a kind of mechanism to tell itself, “Hey, you’re doing pretty well. Keep smiling. That’s what matters.” Of course, it has to give itself evidence to be credible, and that was the meat of the thoughts. That’s where the thoughts came to surface and I played with them. You are now done reading the introduction.

After that quick flash of motivation, I began to run through the things I’ve dealt with over the last year. I thought, “Look at all I’ve lost.” And I began to enumerate my losses. This was not an exercise in self-pity, mind you. Self-pity is negative. It leads to more loss which leads to more self-pity. It, too, is self-perpetuating. The Eeyore effect, if you will. I always make sure to keep myself from tumbling down that spiral staircase. This was also not an exercise in egotism, as I made sure to keep in mind that MANY people have it worse than I do. Many people have taken less and made more of it, I’m sure. They are inspiring, and I kept them in mind instead of the people on the other side of the spectrum. The people who aren’t doing as well as I am could, at any point, turn it around and end up ahead of me. So I take neither group for granted. They are all people doing the same thing as I am–living. So, disclaimers aside, I began to enumerate my list.

In the past year, I’ve lost:
more money than I want to know
great credit
a few girls
a decent job
a nice apartment
my license
my freedom
18 days
my motorcycle
an uncle
a grandfather
my mother
(probably a few other little things I forgot)

After I thought of a few things here, my mind immediately shifted, as it always tends to do, to the positive. My first thought was friends. I have not lost any friends in the past year that I did not want to lose (save for a few girls I’m sure I pissed off). I would say I’ve even gained on the friend front, in quality and quantity. The point is, the people that mattered most are still here. I will always thank them for that. And I will always forgive anyone who decides I’m a bit too much. I know, I do it on purpose. ;-) I also, of course, thought of family, but I leave them out of here along with the multitude of other things I have gained or kept because I’m here to write a blog, not a book.

So, if you’re reading this (as you undoubtedly are right now), thank you. You’ve shown enough interest just to find this tucked-away little piece of me and continue to read. I appreciate that.

Thanks,
David

Posted in Uncategorized

A little comment I posted on another blog

The following is a comment I posted on a WordPress blog. It got a little lengthy for a comment and I thought I’d share it here. The original blog can be found at http://thebeattitude.com/2009/04/06/what-were-the-words-of-jesus-right-before-entering-jerusalem-on-a-donkey/#comment-1253

OK. I know I’m kind of late on this one, but I just wanted to post a few of my own thoughts here before I forget. They might serve better in a Christian forum to stir up more of a reaction, but it seems there is at least a modicum of opposition to the author of this blog. So, merely to incite reaction and thought, I ask a question.

If he was god (or the SON of god), why didn’t he come up with at least one or two things that aren’t so damn vague? What gives with all the parables and beating around the bush? Here’s what could make me believe. If somebody could find where he was sitting at dinner or laying in the bed with lil’ old Mary and said, “Ya know, in the 1980’s they’re gonna find out about this REALLY horrible virus my dad gave em. There’s no cure. They’ll look forever, dad help em. But they’re screwed. I tried ta warn em bout them homosexuals,” then I might look a little closer. Or maybe just simply, “Watch out for Hitler. That guy’s a real dick.”

But no, we never get anything specific. Just like every other “prophet”, he speaks in code. Why do they have to prove they know everything by telling us nothing? It seems bass-ackwards to me, and I’ll have none of it. To hell with your “prophets.” ….. or wherever they might be stuck that I don’t have to hear from them.

Out,
David

P.S. Yes, I decapitalize god. I don’t believe in a god and therefore do not wish to name one. (Thank you C. Hitchens)

Posted in atheism

My First Blog

I’m new to this blogging thing, but lately I’ve been really interested in “becoming a cloud.” I’ve always been a nerd, but have been somewhat opposed to trends. But this is the way the world is going. Everything is becoming connected. It accelerates every day. Twitter, for example, is seeing membership increase percentages in the thousands. So, to join in, and take full advantage of the capabilities of this new Web 2.0 experience, I’d like to get all of my “stuff” out on the net. This seems convenient for a number of reasons. 1) If your stuff is on the net, you’re already backed up (hopefully). I have taken some precautions and made accounts with two different companies for some things (mainly pictures and documents). 2) If your stuff is on the net, you don’t need to take it with you. If I have a bunch of pictures I want somebody to check out, I have them take a look at my Picasa. Want to see my videos? Go to Youtube. My friends are on Facebook and MySpace. I join the world on Twitter. I read the news on Digg or Reddit or Stumbleupon or /…. ;-)

Computing is changing. Web browsers are the new operating systems. More and more, we’ll see OS developers shy away from bloatware and extra features to a more minimalist approach, focusing on three main things: speed, security and a nice web browser. Competition for the future computer user will be driven by getting him/her a simple, secure, and feature-rich web browser with which to view the world. Why worry about a nice software package when I can go to the web for anything I need already? Half a G for MS Office you say? How about I save that money, time installing, AND hard drive space and just go to docs.google.com? Outlook? Gmail. Paint, Photoshop? Picnik.com Remember the days of Microsoft Encarta? HA! Yea, like we need THAT anymore. Want some music? Create your own stations at Pandora. These are all free! And keep in mind, you’ll never get a message saying “Your program is out of date.” Nice. And it keeps getting better. And I hope you don’t think these options are the only or last in this movement. This is just a (very) quick run through of a few of the programs I use.

Listen, I’d consider myself a pretty smart guy. I have this vision of where the internet is going, and I think it’s pretty phenomenal. But I’m nowhere NEAR the forefront of this thing. Like I said earlier, I’m just now giving in to some of it. Why didn’t I before? Laziness. An unwillingness to subject myself to the complexities of owning 70 different accounts for different services. I still don’t like the idea. I’m very OCD when it comes to my name being “out there.” Changing my e-mail address was what started it all. As soon as I did, I realized I knew EXACTLY who has that address, and I started keeping track of who I gave it to. This empowered me to give it out a little more. I use that one e-mail address for all the services I WANT, and everybody else gets a fake. This demonstrates one of the pitfalls of the massive internet community. Everybody wants you to sign up with them. Give them your e-mail and set a password and you can do what you want. Until then, you’re window shopping. I’ve done a little reading and this too seems to be an issue soon to be dealt with. With sites like OpenID, I soon won’t have to go through this hullabaloo. I create an ID, pass it to a site, and I’m in. No muss, no fuss, I go where I want and I do what I want. As soon as ideas like this and others catch on a little more, we’ll definitely be seeing more and more people enjoy the freedom and power of the web. They have to, cuz I said so.

One more thing. I’ve got one of these cool jump drives that has the software loaded on it. I added two browsers: Opera and Firefox. I wish they were a little more up-to-date and that there was a Google Chrome for this thing, but this is one of the coolest ideas. As I use one of these two to browse the web, my session is on my jump drive and NOT my hard drive. This means when I go to school or work, my internet goes with me. All my open tabs are open. My bookmarks are there. My e-mail and RSS readers are set up. What was that page I was at yesterday? Check my history. It’s really cool. I like it a lot.

Anyway, that’s it for a first blog. I gotta cut this thing off somewhere. I only planned to write a sentence or two. As a disclaimer, I’d like to say that this is my first blog. I don’t typically type this much out to the world. Hell, on most sites with profiles where I’m asked “about me,” I usually put “I’ll fill this in later.” So, you’ll have to excuse me if I haven’t quite chosen my blogging voice. I will after I give myself some feedback later.

So, as a developer, in the spirit of all that is programming, I say:

Hello, World!

Later,
David

Posted in Uncategorized