OY!

2006-02-08 09:02
[personal profile] blufive
LJ have just tweaked their HTML/CSS cleaner, according to the support page. In the process, they drove cart and horses through my carefully hand-crafted S1 style here. It may take some time to sort it out. If anyone can point me at a list of what exactly this new beastie is twitchy about, it could make my life a lot easier; otherwise I'm going to have to reverse-engineer things to work out what is and isn't allowed.

While they have some legitimate concerns* I think they're currently stripping stuff that's pretty harmless. For example, how the hell can <style type="text/css"> be malicious?

Well, at least it proves that my "graceful degradation" works as intended...

*there are some downright terrifying browser-specific features out there, from the perspective of defending against cross-site scripting attacks.

[edit: there was a post on the subject on [livejournal.com profile] lj_maintenance shortly after I wrote this. I think I'll wait a day or two for things to settle down before I attempt to clean up. I mean, it's not like many people read this journal in the native style, rather than via their own LJ-friends view or some other aggregator]

Date: 2006-02-08 17:15 (UTC)
From: [identity profile] blufive.livejournal.com
Yeah, I saw the generated source and figured out that the import was getting stomped.

However, my first attempt to fix things involved simply inlining the style sheet inside style tags, at which point it stripped out the type="text/css" attribute, which I reckon is a tad harsh. Ok, if it was type="application/exe" or similar, they'd have a point, but text/css? Ouch. I think something else was getting trimmed, too, but I didn't have time to poke, so I just put it back to "ugly but functional" until I've got time to investigate properly. (Which may be a day or several)

I was using @import as a crude filter to hide the style from browsers that would make a complete dogs' breakfast of it (NN4 and the like). Oh well, no one (that I care about*) uses those anymore, so I'll give the link approach a go and see if it can cope with remote stylesheets that way. Failing that, I'll have to go back to inline and see if the fix to over-zealous trimming that [livejournal.com profile] yonmei referred to has helped any.

I can probably figure things out, given an hour or two, but it's a PITA (especially without documentation). Ho hum.

(Also, having done tech support myself, I appreciate that you're one of the poor saps stepping in (voluntarily!) to try to help after someone else did this, and your assistance is appreciated)

*If you're still using NN4, I don't care what it looks like. Just about every platform going has a better browser available, with a veritable menagerie on the more popular platforms.

Date: 2006-02-08 17:19 (UTC)
From: [identity profile] blufive.livejournal.com
Arg. Must use preview more/better. That footnote was meant to be labelled as a browser-weenie rant. Sorry.

Date: 2006-02-22 13:29 (UTC)
From: [identity profile] tinyjo.livejournal.com
Completely agree about NS4 :) Also IE for Mac. Just, why????

Anyway. Forgot to reply to this for ages but just wanted to say thanks for the acknowledgement - we had so many people spitting blood over it that it's really nice for someone to just say "oh bother, how awkward but I can see why you're doing it" Yay for reasonable people :)

Date: 2006-02-22 19:38 (UTC)
From: [identity profile] blufive.livejournal.com
IE5 for Mac was revolutionary in its day - the first browser to implement a "standards"/"quirks" mode switch, the first MS browser to get the box model right. Mentioning it in the same breath as NN4 is harsh. But, yeah, it's a fossil, and Mac people now have better browsers.

Like I said, I've done tech support, so I have some idea what it's like to be the poor soul jumping into the breach to handle front-line support after someone shafted the world - you can do without users yelling at you (though I'm sure you had a plentiful supply).

I'm also moderately in touch with browser development/security, and develop web applications professionally, so I'm aware of the need, sometimes, to just plug the hole FAST and deal with the fallout later...

While I'm not up to speed on the precise ins and outs, I know enough of the background to be sure that the LJ developers weren't jumping at shadows - if remote stylesheets can attach javascript, all hell breaks loose when users have the level of control they do here.
