in reply to Re^5: LTR character in links
in thread LTR character in links

but somehow PM is adding them and I cannot get rid of them.

Indeed, I can reproduce for profile pages. For profile pages (but not for SoPW pages), instances of script are replaced with s‎crip‎t.

This is presumably a security measure. However, I can't imagine why this measure would be needed for profile pages if it isn't needed for SoPW pages. I therefore consider this a bug.

Workaround: Use &#x73;cript instead of script. (&#x53; for an uppercase S.) For example,

<a href="https://metacpan.org/pod/Business::Stripe::Sub&#x73;cription">Business::Stripe::Sub&#x73;cription</a>

The hack is applied after the expansion of [mod://] and similar, so they can't be used as a workaround.

Re^7: LTR character in links @pmdev
by jdporter (Paladin) on Jun 21, 2023 at 19:43 UTC
    For profile pages (but not for SoPW pages), instances of script are replaced with s‎crip‎t.

    This is presumably a security measure.

    Exactly right. From the very beginning, the user display page contained code to neutralize embedded javascript code. Originally, it attempted to "quote" any occurrence of a <script element in the user node content. But in December 2004, it was changed to the current technique, which blindly mangles any occurrence of script.

    I can't imagine why this measure would be needed for profile pages if it isn't needed for SoPW pages.

    I'm not sure but I believe this is because user pages are — or were — granted somewhat more freedom in terms of what HTML elements are allowed. iinm, regular writeup nodes are already strict enough that additional filtering for <script> is unnecessary.

    Today's latest and greatest software contains tomorrow's zero day exploits.

      granted somewhat more freedom in terms of what HTML elements are allowed

      Makes sense, thanks.

Re^7: LTR character in links @pmdev
by Bod (Parson) on Jun 21, 2023 at 11:42 UTC
    Workaround: Use &#x73;cript instead of script.

    That works and is now installed - thanks ikegami

    Of course, it would still be good if pmdev could correct the bug and still allow JavaScript to be turned off...
    Perhaps, instead of looking for /script/, PM could check for /script( |>)/

Re^7: LTR character in links @pmdev
by soonix (Chancellor) on Jun 21, 2023 at 08:45 UTC
    In User Settings, I see a switch "Disable some JavaScript on homenodes". Maybe it is related?

      Maybe 15 years ago I found a homenode exploiting the ability to add JavaScript to do some nasty things. I can't remember exactly what happened as a result but my gut tells me that this was when the option for scrubbing 'risky' things from homenodes by default was set.

      I see a switch "Disable some JavaScript on homenodes"

      That one doesn't affect it but the next one does - Don't filter risky HTML from monks' homenodes - however, this has to be set by people viewing the home node so it doesn't really help. It is there to turn off unwanted JavaScript in other monks' home nodes but it's picking up my non-JavaScript module name!
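
The behaviour discussed in this thread can be modelled in a few lines: a blind replacement of "script" breaks a module link, the character-reference workaround survives it, and the narrower pattern suggested above leaves the module name alone while still touching a script tag. This is an added example, not PerlMonks code; the site's real pattern is not shown in the thread, so `mangleBlind` (including its case-insensitivity), `mangleNarrow`, `decodeHexRefs` and `hrefOf` are assumptions made for illustration.

```javascript
// Added illustration; not PerlMonks source code.
const LRM = "\u200E"; // LEFT-TO-RIGHT MARK, the invisible character seen in the thread

// Assumed model of the homenode filter: every "script" becomes s<LRM>crip<LRM>t.
// Case-insensitive matching is an assumption.
function mangleBlind(html) {
  return html.replace(/(s)(crip)(t)/gi, `$1${LRM}$2${LRM}$3`);
}

// The narrower check suggested in the thread, /script( |>)/, written with a
// lookahead so that the space or ">" itself is left untouched.
function mangleNarrow(html) {
  return html.replace(/(s)(crip)(t)(?=[ >])/gi, `$1${LRM}$2${LRM}$3`);
}

// Minimal decoder for hex character references, standing in for the decoding
// a browser applies to attribute values.
function decodeHexRefs(s) {
  return s.replace(/&#x([0-9a-f]+);/gi, (_, h) =>
    String.fromCodePoint(parseInt(h, 16)));
}

// Returns the decoded href of the first link in the markup, or null.
function hrefOf(html) {
  const m = /href="([^"]*)"/.exec(html);
  return m ? decodeHexRefs(m[1]) : null;
}

const WANTED = "https://metacpan.org/pod/Business::Stripe::Subscription";
// Constructed inputs: the link as typed, and the workaround from the thread.
const plain = `<a href="${WANTED}">Business::Stripe::Subscription</a>`;
const encoded =
  '<a href="https://metacpan.org/pod/Business::Stripe::Sub&#x73;cription">' +
  "Business::Stripe::Sub&#x73;cription</a>";

function report() {
  return {
    plainSurvivesBlind: hrefOf(mangleBlind(plain)) === WANTED,
    encodedSurvivesBlind: hrefOf(mangleBlind(encoded)) === WANTED,
    plainSurvivesNarrow: hrefOf(mangleNarrow(plain)) === WANTED,
    tagStillMangledNarrow: mangleNarrow("<script>").includes(LRM),
  };
}

console.log(report());
```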