in reply to Re^3: LTR character in links
in thread LTR character in links

No. The link provided by PerlMonks is to https://metacpan.org/pod/Business%3A%3AStripe%3A%3ASubscription.

Screenshot of HTML (And no, it contains no hidden/special characters.)

If you get something else, your browser (incl extensions) or your proxy is changing something.

Replies are listed 'Best First'.
Re^5: LTR character in links
by Bod (Parson) on Jun 20, 2023 at 23:14 UTC

    The source in my home node has this... 

    <p>CPAN Releases</p>
<p><a href="https://metacpan.org/pod/Business::Stripe::WebCheckout">Bu
+siness::Stripe::WebCheckout</a><br />
<a href="https://metacpan.org/pod/Business::Stripe::Subs&#x200E;crip&#
+x200E;tion">Business::Stripe::Subs&#x200E;crip&#x200E;tion</a><br />
<a href="https://metacpan.org/pod/Business::Stripe::Webhook">Business:
+:Stripe::Webhook</a></p>
<p><a href="https://metacpan.org/pod/AI::Embedding">AI::Embedding</a><
+/p>

    [download]
    It is the &x200E; characters that should not be there...

    They were not put there when I edited my profile but somehow PM is adding them and I cannot get rid of them...do they not look like that to you?

    I've turned off all browser extensions and checked on another machine with a freshly installed Chrome browser with no extensions.

[reply]
[d/l]
[select]

      but somehow PM is adding them and I cannot get rid of them.

      Indeed, I can reproduce for profiles pages. For profile pages (but not for SoPW pages), instances of script are replaced with s&#x200E;crip&#x200E;t.

      This is presumably a security measure. However, I can't imagine why this measure would be needed for profile pages if it isn't needed for SoPW pages. I therefore consider this a bug.

      Workaround: Use &#x73;cript instead of script. (&#x53; for an uppercase S.) For example, 

      <a href="https://metacpan.org/pod/Business::Stripe::Sub&#x73;cription"
+>Business::Stripe::Sub&#x73;cription</a>

      [download]

      The hack is applied after the expansion of [mod://] and similar, so they can't be used as a workaround.

[reply]
[d/l]
[select]
        For profile pages (but not for SoPW pages), instances of script are replaced with s‎crip‎t.

        This is presumably a security measure.

        Exactly right. From the very beginning, the user display page contained code to neutralize embedded javascript code. Originally, it attempted to "quote" any occurrence of a <script element in the user node content. But in December 2004, it was changed to the current technique, which blindly mangles any occurrence of script.

        I can't imagine why this measure would be needed for profile pages if it isn't needed for SoPW pages.

        I'm not sure but I believe this is because user pages are — or were — granted somewhat more freedom in terms of what HTML elements are allowed. iinm, regular writeup nodes are already strict enough that additional filtering for <script> is unnecessary.

        Today's latest and greatest software contains tomorrow's zero day exploits.
[reply]
[d/l]
[select]
        Workaround: Use &#x73;cript instead of script.

        That works and is now installed - thanks ikegami

        Of course, it would still be good if pmdev could correct the bug and still allow JavaScript to be turned off...
        Perhaps, instead of looking for /script/, PM could check for /script( |>)/

[reply]
[d/l]
[select]
        In User Settings, I see a switch "Disable some JavaScript on homenodes". Maybe it is related?
[reply]

In Section Perl Monks Discussion