OY!

2006-02-08 09:02
blufive: (Default)
[personal profile] blufive
LJ have just tweaked their HTML/CSS cleaner, according to the support page. In the process, they drove cart and horses through my carefully hand-crafted S1 style here. It may take come time to sort it out. If anyone can point me at a list of what exactly this new beastie is twitchy about, it could make my life a lot easier; otherwise I'm going to have to reverse-engineer things to work out what is and isn't allowed.

While they have some legitimate concerns* I think they're currently stripping stuff that's pretty harmless. For example, how the hell can <style type="text/css"> be malicious?

Well, at least it proves that my "graceful degradation" works as intended...

*there are some downright terrifying browser-specific features out there, from the perspective of defending against cross-site scripting attacks.

[edit: there was a post on the subject on [livejournal.com profile] lj_maintenance shortly after a wrote this. I think I'll wait a day or two for things to settle down before I attempt to clean up. I mean, it's not like many people read this journal in the native style, rather than via their own LJ-friends view or some other aggregator]
Tags:
Threaded | Top-Level Comments Only

Date: 2006-02-08 09:23 (UTC)
From: [identity profile] swisstone.livejournal.com
Oh dear, they have done it no favours, have they?

Date: 2006-02-08 09:43 (UTC)
From: [identity profile] yonmei.livejournal.com
They just told me they inadvertantly stripped some CSS they shouldn't have, and my journal should display correctly now (it does).

Date: 2006-02-08 09:51 (UTC)
ext_16733: (Default)
From: [identity profile] akicif.livejournal.com
Just for the hell of it I went back to my old S1 style, and it seems to work okay - I should fix my (moribund) blog as well, and then I'll have LJ, DJ and the blog looking the same.

Date: 2006-02-08 11:22 (UTC)
kingandy: (Default)
From: [personal profile] kingandy
My journal style got screwed over too, and that was one of their built-in ones (I've since switched over to a much more simple one that actually works a lot better, though I'd rather a non-serif font.)

FWIW, it doesn't seem to be objecting to <style type="text/css">, it just "cleans" what's inside them. Where you may be going wrong is using an @import (which is, apparently, suspect) instead of <link rel="stylesheet" href="[address]" type="text/css">...

Date: 2006-02-08 12:15 (UTC)
From: [identity profile] tinyjo.livejournal.com
<style> tags should be OK but @import rules are out, unfortunatly - I had the same thing. Convert to including your stylesheet via <link rel="stylesheet" etc> and you should find that you start getting somewhere (although I don't know what happens about offsite styles there - my stylesheet is generated on LJ as part of my S2 style).

I don't think there's a documented list of what's allowed/not currently but if you look in the source you should find that it tries to leave you useful comments as to what it's taking out (so, for example, yours currently has a /* suspect CSS: import rule */ in it)

Date: 2006-02-08 12:16 (UTC)
From: [identity profile] tinyjo.livejournal.com
Which was the built in style that wasn't working, out of interest?

Date: 2006-02-08 12:32 (UTC)
kingandy: (Default)
From: [personal profile] kingandy
Bloggish, I think. It lost a bunch of stuff like background images and ... actually I think that was it, but it was enough of a cosmetic annoyance that I decided to change.

My main criteria for viewing style is that it should display user icons on my individual posts, and collapse down to view on a PDA reasonably well (ie as little side-scrolling as possible). I've not viewed my current ("Magazine") on PDA yet but it looks like it should be reasonable...

Date: 2006-02-08 14:32 (UTC)
From: [identity profile] stsquad.livejournal.com
"to view on a PDA reasonably well"

What the PDA you couldn't justify paying for but only occasionally use on the semi-permanent loan? :-P

Date: 2006-02-08 14:37 (UTC)
kingandy: (Hat)
From: [personal profile] kingandy
That's the one! It's not a massive factor but if I'm going to read LJ on a PDA at all I'd rather not be excessively scrolling.

And no, I couldn't justify it, what with having no money and no income at the time. I sort of thought you'd prefer rent that month...

Date: 2006-02-08 17:15 (UTC)
From: [identity profile] blufive.livejournal.com
What browser on the PDA? And how does my journal look ATM, if you don't mind me asking*? (apart from being in boring black-and-white-o-vision)

*Yes, you just became a Potential Usability Tester!

Date: 2006-02-08 17:15 (UTC)
From: [identity profile] blufive.livejournal.com
Yeah, I saw the generated source and figured out that the import was getting stomped.

However, my first attempt to fix things involved simply inlining the style sheet inside style tags, at which point it stripped out the type="text/css" attribute, which I reckon is a tad harsh. Ok, if it was type="application/exe" or similar, they'd have a point, but text/css? Ouch. I think something else was getting trimmed, too, but I didn't have time to poke, so I just put it back to "ugly but functional" until I've got time to investigate properly. (Which may be a day or several)

I was using @import as a crude filter to hide the style from browsers that would make a complete dogs' breakfast of it (NN4 and the like). Oh well, no one (that I care about*) uses those anymore, so I'll give the link approach a go and see if it can cope with remote stylesheets that way. Failing that, I'll have to go back to inline and see if the fix to over-zealous trimming that [livejournal.com profile] yonmei referred to has helped any.

I can probably figure things out, given an hour or two, but it's a PITA (especially without documentation). Ho hum.

(Also, having done tech support myself, I appreciate that you're one of the poor saps stepping in (voluntarily!) to try to help after someone else did this, and your assistance is appreciated)

*If you're still using NN4, I don't care what it looks like. Just about every platform going has a better browser available, with a veritable menagerie on the more popular platforms.

Date: 2006-02-08 17:19 (UTC)
From: [identity profile] blufive.livejournal.com
Arg. Must use preview more/better. That footnote was meant to be labelled as a browser-weenie rant. Sorry.

Date: 2006-02-08 17:21 (UTC)
kingandy: (Default)
From: [personal profile] kingandy
I use the built-in IE, and I'll try to remember to look next time I pick it up. I'd imagine it looks fine, though.

Date: 2006-02-08 17:34 (UTC)
From: [identity profile] blufive.livejournal.com
Cheers.

<gratuitous browser pimpage>
I hear lots of good things about Opera's PDA browsers, though I've never had a chance to try it myself.
</gratuitous browser pimpage>

Date: 2006-02-08 18:29 (UTC)
kingandy: (Default)
From: [personal profile] kingandy
Yeah, looks fine from here. The page does stretch out thanks to a J2EE dump halfway down the page, but the rest of the content stays inside the browser window so that's OK.

Date: 2006-02-22 13:29 (UTC)
From: [identity profile] tinyjo.livejournal.com
Completely agree about NS4 :) Also IE for Mac. Just, why????

Anyway. Forgot to reply to this for ages but just wanted to say thanks for the acknowledgement - we had so many people spitting blood over it that it's really nice for someone to just say "oh bother, how awkward but I can see why you're doing it" Yay for reasonable people :)

Date: 2006-02-22 19:38 (UTC)
From: [identity profile] blufive.livejournal.com
IE5 for Mac was revolutionary in its day - the first browser to implement a "standards"/"quirks" mode switch, the first MS browser to get the box model right. Mentioning it in the same breath as NN4 is harsh. But, yeah, it's a fossil, and Mac people now have better browsers.

Like I said, I've done tech support, so I have some idea what it's like to be the poor soul jumping into the breach to handle front-line support after someone shafted the world - you can do without users yelling at you (though I'm sure you had a plentiful supply).

I'm also moderately in touch with browser development/security, and develop web applications professionally, so I'm aware of the need, sometimes, to just plug the hole FAST and deal with the fallout later...

While I'm not up to speed on the precise ins and outs, I know enough of the background to be sure that the LJ developers weren't jumping at shadows - if remote stylesheets can attach javascript, all hell breaks loose when users have the level of control they do here.
Threaded | Top-Level Comments Only

Profile

blufive: (Default)
blufive

Navigation

April 2024

S M T W T F S
 123456
78910111213
14151617181920
21222324252627
282930    

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags

No cut tags
Page generated 2026-03-22 21:20
Powered by Dreamwidth Studios