InformAction Forums

Tom T. wrote:The confusion is that blocking the JS defeats the demo. ... SMIL or no SMIL.

I was trying to do what Alan suggested -- put that page on a site without that JS, namely, my own little page @ my ISP, but I haven't updated it in ages, and I can't even type or paste in the "edit" block. Their tech support is not open at this hour, so if I can get it working another time, I will indeed try hosting that exact page.

GµårÐïåñ wrote:

Tom T. wrote:The confusion is that blocking the JS defeats the demo. ... SMIL or no SMIL.

Yes, because the demo is JS based. If it was using SMIL it would not be affected.

GµårÐïåñ wrote:

Tom T. wrote:I was trying to do what Alan suggested -- put that page on a site without that JS, namely, my own little page @ my ISP, but I haven't updated it in ages, and I can't even type or paste in the "edit" block. Their tech support is not open at this hour, so if I can get it working another time, I will indeed try hosting that exact page.

Send me what you want done, through here or PM or email and I will be happy to put it on my site and give you the link to post and play with. But I am pretty sure that while JS code is blocked by NS, not SMIL, I have seen it in action with NS and no issue.

I'd be happy to do the code writing and hosting for you, just say the word brother. You know that, you wouldn't even need to edit anything.

Tom T. wrote:Exactly what I was trying to convince certain others in this thread: the demo uses JS. "I'm* not confused, but there is confusion in the thread, among some.

Tom T. wrote:I didn't mean that I had to edit or write any code. I was just going to copy/paste the source code of the demo page into a page on my own ISP-hosted site.

But their "site-builder" tool was malfunctioning: I couldn't paste. Period. Or type, into the field where one enters one's new material. It's a glitch in their system, that's all.

If you want to copy/paste that demo source code and host it, fine. Twenty seconds, if my blinking ISP's site editor was working properly

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" height="80">

  <text x="10" y="35">Only the blue square</text>
  <text x="10" y="50">has a mouseover effect</text>

  <rect id="rect1" x="160" y="10" width="60" height="60" fill="blue"
   onmouseover="evt.target.setAttribute('opacity', '0.5');"
    onmouseout="evt.target.setAttribute('opacity', '1)');"/>

  <rect id="rect2" x="230" y="10" width="60" height="60" fill="green"/>

</svg>

Tom T. wrote:Exactly.

(the source code of the demo page.)

   onmouseover="evt.target.setAttribute('opacity', '0.5');"
   onmouseout="evt.target.setAttribute('opacity', '1)');"/>

GµårÐïåñ wrote:Forgot to add on a separate note, that although Giorgio can arbitrarily and by choice whitelist certain functions deemed benign (open to perspective and interpretation) within his script checking engine, so that such simple SVG code doesn't fail even with the scripting on the site blocked, it would be a work around hack, inelegant and ultimately pokes holes in the absolutely security provided. But in theory it can be done.

this demo ... relies on scripting ... the event hook code that you are using, that is scripting, and being blocked accordingly

Although you don't consider that explicit call to JS, it is indeed a JS framework hook and calling on that engine to give you that functionality, hence, JS (scripting)

therube wrote:

this demo ... relies on scripting ... the event hook code that you are using, that is scripting, and being blocked accordingly

Although you don't consider that explicit call to JS, it is indeed a JS framework hook and calling on that engine to give you that functionality, hence, JS (scripting)

Could you explain that part further.
Is that then like "inline script"?
I think I now have an inkling of understanding, but without something in my face saying, here it is, I'm still a bit confused.

So as long as NS is blocking JS, that event hook fails (evt.target.setAttribute()), rightfully so, and if allowed it runs, again rightfully so. So its all there in the source of the demo, no need to put it on another server to show anything.

Alan Baxter wrote:

dhouwn wrote:JS is JS, I don't get how this behavior would be unexpected.

It's unexpected because that page doesn't use JavaScript. The NoScript icon and my viewing of the source for that page seem to agree that no JavaScript is being used. Could you be more specific about where you see JavaScript?

GµårÐïåñ wrote: Just for the record, you don't need to put his anywhere else, as the item with the source is SVG code already, so it doesn't depend on the site its hosted on and scripting for that site. The scripting portion being blocked by NS which results in the demo "breaking" is the following segment:

Code: Select all

   onmouseover="evt.target.setAttribute('opacity', '0.5');"
   onmouseout="evt.target.setAttribute('opacity', '1)');"/>

So as long as NS is blocking JS, that event hook fails (evt.target.setAttribute()), rightfully so, and if allowed it runs, again rightfully so. So its all there in the source of the demo, no need to put it on another server to show anything.

SmilerCurious wrote:So you've identified JS that could be maliciously used in the demo source. Good.
But Alan Baxter's implied question hasn't been answered:
http://forums.informaction.com/viewtopi ... 357#p36626
"The NoScript icon indicates with its white S that scripting isn't used on that page,"
Inquiring minds want to know why no coloured indicator.

Tom T. wrote:I think the icon is white, vs. blue/white, because *that document* does not load script. But it's part of a URL for which all scripts apply, which is why I could toggle the demo by toggling script permission of the main site.