CSS Button Designer


Gérard Talbot

Joe Barta wrote:
Hello alt.html!

Long time no see ;-)

I made a little widget, CSS Button Designer.

I wonder why you did not present your CSS widget in a CSS newsgroup.
Wasn't this the logical thing to do for a "CSS Button Designer" web
application?

It's a tool for applying
styles and optional javascript mouseover actions to simple buttons.
It's pretty comprehensive and user-friendly.

Half of the whole page is covered with ads. And I'm not even mentioning
the unrequested popup served by media.fastclick.net/w/safepop.cgi here
and "FASTCLICK.COM POP-UNDER CODE v1.8".

I'm very much open to feedback from this group. It's good, it sucks,
this is right, this is wrong, this should be that, etc.


1- HTTP Charset

You have character encoding problems in your file; your server sends it
as utf-8 but, on line 10, you did not use characters which were encoded
as utf-8. It looks like you were not aware of the fact that your server
was sending your webpages encoded as utf-8.

2- Doctype declaration

Your document uses no doctype declaration. And your website
pagetutor.com gives HTML tutorials??

3- Markup code

If I choose HTML 4.01 strict and iso-8859-1 (Western) for the encoding
charset:

http://validator.w3.org/check?uri=h...rope)&doctype=HTML+4.01+Strict&ss=1&verbose=1

193 errors.

I see that you're definitely not a model of avoiding deprecated elements
and attributes used for presentational purposes. align attribute is
specified 54 times; spacer.gif (aka empty.gif) 11 times; all kinds of
deprecated markup attributes (hspace, BACKGROUND, etc..

4- CSS code

This is how well you did with CSS code:

http://jigsaw.w3.org/css-validator/...pagetutor.com/button_designer/&usermedium=all

53 errors. 257 warnings. Don't you ever check your page with a validator
and then tell yourself that you should fix these errors?

On top of that, your widget itself refuses all/any of the 17 reserved
keyword names for colors in CSS. So your widget does not comply with CSS
2.1.

If this widget was targeted toward browsers capable of rendering CSS,
then why did you resort to deprecated HTML attributes so often? Why not
*_use CSS_*? <shrug>


5- Javascript

I get all kinds of warnings about undeclared variables regarding your
page, a missing closing }, etc. etc.. Don't you ever look at a
javascript console to correct errors when you do a js-driven web
application?? to improve efficiency of your scripts? to increase your
browser audience? to reduce number of possible problems which may/could
occur, which you may not notice at first??

6- Accessibility

None, I repeat, none of your 22 text/radio/checkbox inputs use a single
HTML 4 label. No accesskey either. 0 label and accesskey. Your CSS code
uses repeatedly fixed, absolute font size. Your markup code relies on
nested tables. You use HREF="#". All of this is widely known to reduce
accessibility.

Your webpage is not scalable; instead it's more of a rigid, inflexible
page. You over-declare classes and over-define CSS rules, but that's
typical of over-constrained page layout and tables-based design used for
layout. You also use an awful lot of document.write() within the first
load of the page... which is suspicious.
I'd be interested in any thoughts on that as well.

Joe Barta


You write HTML tutorials and you were capable of writing such a file?

Your page, widget, etc.. sucks. There. Fair and square.

Gérard
 

Richard Rundle

Joe Barta said:
Why not hta? What specifically are your concerns?

Perhaps the 2 letters that keep cropping up in this thread, an I and an E,
might be a clue?
 

Joe Barta

Richard said:
Perhaps the 2 letters that keep cropping up in this thread, an I
and an E, might be a clue?

That's not what I was looking for but I feel your pain. So to you,
ANYTHING related to IE is generically suspect? I suppose we could
extend that to Windows and MS in general because everybody knows all
the problems there, right? And let's not forget the Internet in
general... it's a damn minefield. No one in their right mind would
ever hook up to the internet with all the horror stories we all hear.
I mean hell, the sensible thing really is just lock ourselves in a
closet for a long long time.

Seriously though, if you have anything useful or specific that you can
offer... I'm all ears.

The question was what specifically are the concerns with running an
hta that you wouldn't find in an ordinary exe? Tell me a specific
possible horror scenario and tell me how you wouldn't find equal
dangers in a exe.

Joe Barta
 

Andy Dingley

So to you, ANYTHING related to IE is generically suspect?

Not to me.

But IE has glaring holes in it. One of the most concerning of these
holes is the huge reliance on sandboxing when it comes to ActiveXs. This
is tricky enough for HTML but when it comes to HTAs they have so much
implicit trust around them that many of the usual controls are no longer
applied. HTAs aren't just .EXEs, they're uncontrolled EXEs running in a
context where external access is likely and unsuspicious - a sneaky HTA
is a gateway to _anything_ happening.

I've also used one HTA that was a badly-architected intranet app. This
was delivered by a central server outside the control of the user and if
their _local_ filesystem wasn't organised in the same way as the
original developer's, then it deleted part of the filesystem tree! It's
a way to deploy potentially damaging EXEs to many users (and many
contexts) whilst encouraging careless developers to not fully think
through the issues of deployment.
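Andy's description of an HTA as an uncontrolled executable handed out from a central server is also the shape a detection engineer looks for in process-creation telemetry. The script below is an added example, not code from the thread or from the CSS Button Designer: it triages constructed Sysmon-style events (the field names Image, CommandLine and ParentImage are an assumption about the log source) and flags mshta.exe launched from a URL or UNC path, from a user-writable directory, with an inline script: URL, or acting as the parent of a shell. A local HTA started from Program Files, as Joe's widget would be, raises nothing.

```python
"""Flag HTA (mshta.exe) activity in Windows process-creation events.

Added example; not part of the original thread. The events below are
constructed samples in a Sysmon-style shape (Image, CommandLine,
ParentImage); those field names are an assumption about the log source.
"""
import re

# Constructed sample events: one benign local launch and four worth a look.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\CSSButtonDesigner\button_designer.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe http://intranet.example/tools/deploy.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 3, "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\invoice.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"id": 5, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe vbscript:MsgBox("hello")',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Children that turn an HTA into a foothold on the host.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
          "rundll32.exe", "regsvr32.exe"}
REMOTE_SOURCE = re.compile(r"https?://|\\\\[^\\\s]+\\", re.I)   # URL or UNC path
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|Downloads)\\", re.I)
INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(event: dict) -> list[str]:
    """Return the reasons an event deserves analyst attention (empty = none)."""
    reasons = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image == "mshta.exe":
        if REMOTE_SOURCE.search(cmdline):
            reasons.append("mshta launched with a remote or UNC source")
        if USER_WRITABLE.search(cmdline):
            reasons.append("mshta launched from a user-writable path")
        if INLINE_SCRIPT.search(cmdline):
            reasons.append("mshta launched with an inline script: URL")
    if parent == "mshta.exe" and image in SHELLS:
        reasons.append(f"mshta spawned {image}")
    return reasons


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Event ids with their reasons, for every event that raised at least one."""
    hits = []
    for event in events:
        reasons = triage_event(event)
        if reasons:
            hits.append((event["id"], reasons))
    return hits


if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Run against a real event stream the same rules produce noise from legitimate intranet HTAs delivered over HTTP, exactly the deployment Andy describes; the point is that such a deployment is indistinguishable from a hostile one at the process level, so an allow-list of known HTA sources has to sit in front of the alert.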
 

Neredbojias

With neither quill nor qualm, Joe Barta quothed:
That's not what I was looking for but I feel your pain. So to you,
ANYTHING related to IE is generically suspect? I suppose we could
extend that to Windows and MS in general because everybody knows all
the problems there, right? And let's not forget the Internet in
general... it's a damn minefield. No one in their right mind would
ever hook up to the internet with all the horror stories we all hear.
I mean hell, the sensible thing really is just lock ourselves in a
closet for a long long time.

That isn't foolproof, either. I tried it and began to suffer from
malnutrition, apparently as a result of availing myself of the only
means for amusement I had at my disposal.
 

Joe Barta

Andy said:
Not to me.

But IE has glaring holes in it. One of the most concerning of
these holes is the huge reliance on sandboxing when it comes to
ActiveXs. This is tricky enough for HTML but when it comes to HTAs
they have so much implicit trust around them that many of the usual
controls are no longer applied. HTAs aren't just .EXEs, they're
uncontrolled EXEs running in a context where external access is
likely and unsuspicious - a sneaky HTA is a gateway to _anything_
happening.

I've also used one HTA that was a badly-architected intranet app.
This was delivered by a central server outside the control of the
user and if their _local_ filesystem wasn't organised in the same
way as the original developer's, then it deleted part of the
filesystem tree! It's a way to deploy potentially damaging EXEs
to many users (and many contexts) whilst encouraging careless
developers to not fully think through the issues of deployment.


I did a little reading, following up on your comments, thank-you.
Correct me if I'm wrong, but the big concern is specifically with
ActiveX controls, right? And anything that can potentially contain an
ActiveX control can be problematic?

Joe Barta
 

Joe Barta

Andy said:
But IE has glaring holes in it. One of the most concerning of
these holes is the huge reliance on sandboxing when it comes to
ActiveXs.

One more question... As I understand it, an ActiveX control on a web
page normally needs the user's OK to install and run, correct? When
you hear the word "trusted" in the context of hta, does that mean that
the default is for ActiveX controls in a hta to install and run
automatically? Without the user's approval?

Joe Barta
 

Rob McAninch

And, if you think about it, because of the many
limitations of hta's, it's profoundly safer.

Not to mention, that an HTA is essentially open source software.
You can open it in an editor and study it all you want; to see
what it is attempting to do. The same certainly, can't be said
for a compiled executable. (Well, certainly not with any ease).

I like the concept of an hta for the very use it has been
employed for here with Joe's CSS Button widget. I don't have to
go to the website or try to mirror all the pieces locally. The
web-based application becomes a local application.
 

Andy Dingley

When
you hear the word "trusted" in the context of hta, does that mean that
the default is for ActiveX controls in a hta to install and run
automatically? Without the user's approval?

That's broadly the problem.

You (the user) have some control over how your IE handles security. You
can control whether components run, and whether new components can be
installed. The choices also depend on the source of the page and the
context. In general though, "web HTML" is treated cautiously by default
but "HTA" is treated promiscuously. The way in which an average IE
treats HTAs is so insecure as to make HTAs a clear and present security
threat in any organisation, such that they need to be hunted down and
destroyed on sight.

M$oft have demonstrably no competent clue over security. In 15+ years of
commercial Windows experience I have never yet seen them act cluefully,
and I have regularly seen them behave in a careless and incompetent
manner that affects the security of my machines (to the point where I no
longer need to rely on M$oft products for this). They regularly treat
the whole of "computing" as a 1950's US corporate structure, modelling
M$oft's own internal sclerosis. This is a particular security hazard
when you are either not such a corporate, or when you're part of a
corporate big enough to have at least one fool in it. I've only once
"lost money" to a virus and that was owing to M$oft's simplistic
"Everyone who works for us is trustworthy" model. We were a big site and
there was _one_ old and insecure machine. But it was one of "our"
machines, and so many important and secured (sic) machines trusted it in
turn.

As to "trust", then the problems of signed ActiveXs are well described.
In particular, it is impractical to sign any non-trivial ActiveX as
"safe". Safety depends on context, the _combination_ of the control and
how it is used. A trustworthy developer may easily make a control that
is well-intentioned and signed as such, yet may be twisted to evil
purposes by the page that uses it - and yet it's _still_ signed as
"safe". Suppose your button maker writes a CSS file locally - what if
the page can suggest an alternative filename that's something important
from /windows/system/ and your button maker innocently overwrites it ?

Back in 1997 M$oft released IE4. The initial installer of the first
version included a (trusted) ActiveX that could configure the install to
finish installing after a reboot, by using the registry RunOnce key.
This was trusted and signed by M$oft, so who wouldn't just let it run ?

If you used this from another page, it was a trivial hack to make the PC
format the c:\ drive when you next rebooted - all with a trustworthy and
signed ActiveX from the original manufacturer, doing just the task it
was intended for - with only a single parameter changed.
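Andy's button-maker scenario, a control that is "safe" in isolation but writes wherever the page tells it to, is a file-name confinement problem. The following is an added example, not code from the thread or from the CSS Button Designer: a naive save routine beside a hardened one that lets the page pick only a bare `.css` file name while the control owns the directory. The directory and file names are constructed for the demo, and the hostile names go a little beyond Andy's single case (traversal, absolute paths on either platform, a wrong file type, an embedded NUL).

```python
"""A 'safe' file-writing component and the page that drives it.

Added example; not part of the original thread or of the CSS Button
Designer. Directory and file names are constructed for the demo. The
scenario is Andy's: a signed control that writes a CSS file is only as
safe as the file name the page hands it.
"""
import os
import re
import tempfile

# A page-supplied name may only be a bare file name ending in .css: no
# separators, no drive letters, no dots other than the one before 'css'.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.css")


def save_css_naive(filename: str, css: str) -> str:
    """The control as Andy describes it: writes wherever the page says."""
    with open(filename, "w", encoding="utf-8") as fh:
        fh.write(css)
    return filename


def confined_path(base_dir: str, filename: str) -> str:
    """Resolve filename inside base_dir or raise ValueError."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected file name: {filename!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    # Defence in depth: even a name that passed the allow-list must still
    # resolve under base_dir once symlinks have been followed.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{filename!r} resolves outside {base}")
    return target


def is_confined(base_dir: str, filename: str) -> bool:
    """True if the hardened control would accept filename for base_dir."""
    try:
        confined_path(base_dir, filename)
        return True
    except ValueError:
        return False


def save_css_confined(base_dir: str, filename: str, css: str) -> str:
    """Hardened control: the page chooses a name, the control chooses the directory."""
    target = confined_path(base_dir, filename)
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(css)
    return target


def demo() -> tuple[str, list[str]]:
    """Write one legitimate file, then try the names a hostile page might suggest."""
    out_dir = tempfile.mkdtemp(prefix="buttons_")
    written = save_css_confined(out_dir, "blue_button.css", ".btn { color: blue }")
    hostile = [
        r"..\..\Windows\System32\drivers\etc\hosts",  # traversal
        r"C:\Windows\win.ini",                        # absolute Windows path
        "/etc/passwd",                                # absolute POSIX path
        "startup.hta",                                # wrong type of file
        "style.css\x00.exe",                          # embedded NUL
    ]
    rejected = [name for name in hostile if not is_confined(out_dir, name)]
    return os.path.basename(written), rejected


if __name__ == "__main__":
    print(demo())
```

The allow-list does the real work; the `realpath` check is there for the case where the output directory itself contains a symlink or junction an attacker planted earlier, which a name-only check cannot see.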
 

Andy Dingley

Not to mention, that an HTA is essentially open source software.

Except that it isn't. It's "open source" parameters to a control that
you have no more knowledge of than an opaque executable.
 

Joe Barta

Andy said:
The way in which an average IE treats HTAs is so
insecure as to make HTAs a clear and present security threat in
any organisation, such that they need to be hunted down and
destroyed on sight.

Thank you for everything in that last post. I truly appreciate your
insight.

If I may pester you with a few more questions... now I understand that
an ActiveX control in a hta can be trouble by design and even by
accident. A well meaning ActiveX control author might code something
that causes trouble by accident and even an innocent control may be
taken advantage of by a malicious coder and be used for bad deeds. So
far I'm correct?

Could the same also be said of a java applet?

Let's suppose we are ONLY talking about hta's WITHOUT any ActiveX
controls... such as the button designer. Do you see a concern with
them?

Joe Barta
 

Jose

Thanks Andy, I've been following this discussion and you have been
covering the issues with which I have concerns far better than I could
(since I don't really know all how it works, just that it can bite me).

When you talk about signing an ActiveX control as "safe", who is doing
the signing, and what's to prevent the programmer from lying - that is,
coding an evil program and signing it as "safe". What, exactly, does
"signing as safe" involve, and mean?

Jose
 

Jose

.... and while I'm at it, sometimes when I visit a site I get a prompt
that says "Would you like software such as Active-X controls to run?"

How am I supposed to answer the question? It's either YES or NO, but
the prompt gives me no indication of =what= software is being proposed
to run, =who= is asking, and what it will =do=. This stuff runs on MY
COMPUTER, where I have lots of important stuff. I would treat the
question the same way I would treat the plumber who asks "would you like
me to look around at stuff like your sink drains and file cabinets?"

Jose
 

Luigi Donatello Asero

Jose said:
... and while I'm at it, sometimes when I visit a site I get a prompt
that says "Would you like software such as Active-X controls to run?"

How am I supposed to answer the question? It's either YES or NO, but
the prompt gives me no indication of =what= software is being proposed
to run, =who= is asking, and what it will =do=. This stuff runs on MY
COMPUTER, where I have lots of important stuff. I would treat the
question the same way I would treat the plumber who asks "would you like
me to look around at stuff like your sink drains and file cabinets?"

Jose


I agree. That's one of the reasons why I prefer not to use Active-x
controls whenever it is possible.
By the way, I guess that you get the message which you quoted above if you
use standard security level for your zone in your browser and firewalls.
If you choose a high level you prevent Active-X controls from running, as
far as I know but in that case it may happen that the browser does not
display the page correctly.
If you choose a low security level you let the Active-X controls run but
you take the chance that they run malicious code and that the owner of the
site takes control of your computer, doesn't he or she?


--
Luigi Donatello Asero
https://www.scaiecat-spa-gigi.com/sv/boendeisverige.html
I am a European
Today is Saturday, 21 January 2006
Write for peace in peace
 

Luigi Donatello Asero

Luigi Donatello Asero said:
I agree. That's one of the reasons why I prefer not to use Active-x
controls whenever it is possible.
By the way, I gess that you get the message which you quoted above if you
use standard security level for your zone in your browser and firewalls.

I guess


--
Luigi Donatello Asero
https://www.scaiecat-spa-gigi.com/sv/boendeisverige.html
I am a European
Today is Saturday, 21 January 2006
Write for peace in peace
 

Joe Barta

Jose said:
... and while I'm at it, sometimes when I visit a site I get a
prompt that says "Would you like software such as Active-X
controls to run?"

How am I supposed to answer the question? It's either YES or NO,
but the prompt gives me no indication of =what= software is being
proposed to run, =who= is asking, and what it will =do=. This
stuff runs on MY COMPUTER, where I have lots of important stuff.
I would treat the question the same way I would treat the plumber
who asks "would you like me to look around at stuff like your sink
drains and file cabinets?"


I'm not as knowledgeable as Andy but I might be able to spew forth
something useful here.

It really boils down to common sense and the idea that you cannot
completely eliminate ALL risk. You have to use your best judgement and
life in general always has some risk.

99.9 times out of 100 you should say NO to those controls because most
of it is junk and some of it is downright nasty. If you're in the
seedy part of town looking for something you really ought not be
looking for and you get a message that in order to get the trinket you
want, you have to let the control install. Seems to me common sense
should tell you that's not a very good idea.

Very often one doesn't even need to be in the seedy areas... even the
entertainment district can be a little dicey. You go to your favorite
joke page and you get a request to install the Groovy Joke Toolbar. I
think it's a pretty safe bet that's something you'll want to do
without.

But let's suppose you are on a web site that you believe to be
trustworthy and the webmaster explains that in order to run such and
such you should download a particular control. You then have a choice
to make. Are you reasonably sure that it's good and wholesome and is
something you want? In the end it's your call.

It's about judgment and common sense and for all intents and purposes
you can't get away from that.

Joe Barta
 

Luigi Donatello Asero

Joe Barta said:
I'm not as knowledgeable as Andy but I might be able to spew forth
something useful here.

It really boils down to common sense and the idea that you cannot
completely eliminate ALL risk. You have to use your best judgement and
life in general always has some risk.

99.9 times out of 100 you should say NO to those controls because most
of it is junk and some of it is downright nasty. If you're in the
seedy part of town looking for something you really ought not be
looking for and you get a message that in order to get the trinket you
want, you have to let the control install. Seems to me common sense
should tell you that's not a very good idea.

Very often one doesn't even need to be in the seedy areas... even the
entertainment district can be a little dicey. You go to your favorite
joke page and you get a request to install the Groovy Joke Toolbar. I
think it's a pretty safe bet that's something you'll want to do
without.

But let's suppose you are on a web site that you believe to be
trustworthy and the webmaster explains that in order to run such and
such you should download a particular control. You then have a choice
to make. Are you reasonably sure that it's good and wholesome and is
something you want? In the end it's your call.

It's about judgment and common sense and for all intents and purposes
you can't get away from that.

Joe Barta


I agree.
Of course it is up to you if you trust the site or not.
That can depend on many reasons.
To put it in different terms, in most cases I do not, in some cases I do
that.
Are there any better alternative to Active-X, anyway?
 

Jose

But let's suppose you are on a web site that you believe to be
trustworthy and the webmaster explains that in order to run such and
such you should download a particular control. You then have a choice
to make. Are you reasonably sure that it's good and wholesome and is
something you want? In the end it it's your call.

The website and webmaster might be good and wholesome, but he may not
have written the underlying software. He may have trusted it by
mistake. I don't personally know the webmaster of most websites.

So I say no.

Jose
 

Rob McAninch

Except that it isn't. It's "open source" parameters to a
control that you have no more knowledge of than an opaque
executable.

Well from what I can see an HTA is a HTML page with the extension
changed to .hta, then it gets rendered in an IE shell and *may*
have some additional privileges a web application wouldn't have.

Any HTA specific bits that I see only dictate how the HTA looks
and acts, there are no commands in the traditional sense. All the
commands occur in the plain text files where they can be
examined. Unless a compiled executable gets integrated with the
HTA, in which case, as stated, the HTA is like any other
downloaded executable and it will execute with the privileges of
the current user.

I haven't picked apart the entire CBD but I don't see anything
that isn't plain text.
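Rob's point is that an HTA is plain text you can read; Andy's earlier reply is that the text is only parameters to controls you cannot read. The scanner below is an added example, not code from the thread or from the CSS Button Designer, and makes both concrete: it takes an HTA file and reports the `hta:application` directive, remote script includes, the COM ProgIDs the script instantiates, and any `<object>` controls referenced by CLSID, which are the parts whose behaviour is not in the file. `SAMPLE_HTA` is a constructed file; its URL, ProgIDs and CLSID are made up for the demo, and the CLSID is not a real control.

```python
"""Static triage of an HTA file: what can this 'plain text' application reach?

Added example; not part of the original thread or of the CSS Button
Designer. SAMPLE_HTA is a constructed file: the script URL, the ProgIDs
and the CLSID in the <object> tag are made up for the demo (the CLSID is
not a real control).
"""
import re

SAMPLE_HTA = r"""<html><head><title>Button Designer (sample)</title>
<hta:application id="oHTA" applicationname="SampleButtonDesigner"
    singleinstance="yes" windowstate="normal" showintaskbar="yes">
<script src="http://www.example.com/lib/buttons.js"></script>
<script language="JScript">
var fso = new ActiveXObject("Scripting.FileSystemObject");
function saveCss(name, text) {
  var f = fso.CreateTextFile(name, true);   // writes wherever 'name' points
  f.Write(text); f.Close();
}
document.write("<div id=preview></div>");
</script>
<script language="VBScript">
Set sh = CreateObject("WScript.Shell")
</script>
</head><body>
<object classid="clsid:12345678-1234-1234-1234-123456789ABC" id="helper" width="0" height="0"></object>
</body></html>
"""

# ProgIDs whose presence means the script can touch the file system,
# run programs, or move data on and off the host.
HIGH_PRIVILEGE = {
    "wscript.shell", "scripting.filesystemobject", "shell.application",
    "wscript.network", "adodb.stream", "msxml2.xmlhttp", "microsoft.xmlhttp",
}

HTA_APP = re.compile(r"<hta:application\b([^>]*)>", re.I)
ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>"\']+))')
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
COM_CREATE = re.compile(
    r'(?:new\s+ActiveXObject|CreateObject|GetObject)\s*\(\s*["\']([^"\']+)["\']', re.I)
OBJECT_CLSID = re.compile(r'<object\b[^>]*\bclassid\s*=\s*["\']?clsid:([0-9a-f-]{36})', re.I)
DOC_WRITE = re.compile(r"\bdocument\.write(?:ln)?\s*\(", re.I)


def _unique(items):
    """Preserve order, drop case-insensitive duplicates."""
    seen, out = set(), []
    for item in items:
        if item.lower() not in seen:
            seen.add(item.lower())
            out.append(item)
    return out


def scan_hta(text: str) -> dict:
    """Extract the parts of an HTA that decide what it can do."""
    report = {"hta_application": None, "remote_scripts": [], "com_objects": [],
              "high_privilege": [], "opaque_controls": [], "document_write_calls": 0}
    directive = HTA_APP.search(text)
    if directive:
        attrs = {}
        for a in ATTR.finditer(directive.group(1)):
            attrs[a.group(1).lower()] = next(v for v in a.groups()[1:] if v is not None)
        report["hta_application"] = attrs
    report["remote_scripts"] = [s for s in _unique(SCRIPT_SRC.findall(text))
                                if re.match(r"https?:|\\\\", s, re.I)]
    com = _unique(COM_CREATE.findall(text))
    report["com_objects"] = com
    report["high_privilege"] = [p for p in com if p.lower() in HIGH_PRIVILEGE]
    report["opaque_controls"] = _unique(OBJECT_CLSID.findall(text))
    report["document_write_calls"] = len(DOC_WRITE.findall(text))
    return report


def findings(report: dict) -> list[str]:
    """Analyst-facing summary: what is readable here and what is not."""
    if report["hta_application"] is None:
        return ["no hta:application directive: plain HTML, browser zone rules apply"]
    out = ["hta:application present: script runs fully trusted as the current user"]
    if report["remote_scripts"]:
        out.append("remote script includes (code not in this file): " + ", ".join(report["remote_scripts"]))
    if report["high_privilege"]:
        out.append("high-privilege COM objects: " + ", ".join(report["high_privilege"]))
    if report["opaque_controls"]:
        out.append("opaque controls by CLSID (behaviour not in this file): " + ", ".join(report["opaque_controls"]))
    return out


if __name__ == "__main__":
    for line in findings(scan_hta(SAMPLE_HTA)):
        print(line)
```

The scanner reads the file the way Rob suggests, and three of its four findings point at code that is not in the file at all: a script fetched from a server at run time, system components reached through ProgIDs, and a binary control named only by CLSID. That is the sense in which Andy's "open source parameters to a control" holds.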
 
