
Old aRO Forums

Topic started by: Kaeri on August 12, 2011, 11:10:24 pm

Title: Changes to the voting page...
Post by: Kaeri on August 12, 2011, 11:10:24 pm
At first i just noticed the link font was different, then i realized i wasn't able to "middle click" (scroll button) the links to open all the pages in new tabs (such that the tabs would open "behind" the voting page so i could continue to click each link without my current tab being switched). Also, i couldn't right click the link to give the option to open in a new tab that way.

In fact i couldn't get a right-click menu to pop up anywhere in the gray table (but it worked on other areas of the page). Anyway, the links would only respond to a normal left click, which opened a tab and immediately switched to it. i believe this is normal in most browsers when left-clicking links that would open new pages, but the problem here is that left click is my only option. If i wanted to open all the pages in tabs before i started typing in the captcha stuff, i'd have to keep switching back to the first tab each time.

Not the end of the world, but it's throwing off my groove. I'm guessing it happened due to changes being made to fix the "negative timer issue". I'd just like to know if these particular changes were intentional, and if so, what makes them necessary.
Title: Re: Changes to the voting page...
Post by: tsukaza13 on August 13, 2011, 12:57:47 am
Yeah, just noticed this; it sucks. :x Change it back, please?
Title: Re: Changes to the voting page...
Post by: Talis on August 13, 2011, 06:41:15 am
> At first i just noticed the link font was different, then i realized i wasn't able to "middle click" (scroll button) the links to open all the pages in new tabs (such that the tabs would open "behind" the voting page so i could continue to click each link without my current tab being switched). Also, i couldn't right click the link to give the option to open in a new tab that way.
>
> In fact i couldn't get a right-click menu to pop up anywhere in the gray table (but it worked on other areas of the page). Anyway, the links would only respond to a normal left click, which opened a tab and immediately switched to it. i believe this is normal in most browsers when left-clicking links that would open new pages, but the problem here is that left click is my only option. If i wanted to open all the pages in tabs before i started typing in the captcha stuff, i'd have to keep switching back to the first tab each time.
>
> Not the end of the world, but it's throwing off my groove. I'm guessing it happened due to changes being made to fix the "negative timer issue". I'd just like to know if these particular changes were intentional, and if so, what makes them necessary.

Thank you for your concern.

This is occurring because I had to employ POST data instead of GET data for the voting system, i.e. each vote link is its own little HTML form and the vote link is actually a submit button.

Short of using javascript trickery to replace the submit button with an actual text link, I don't think it can be fixed. If you can dig up any sort of CSS to make the form behave more like a traditional link, please let me know! ( I tried to make it look and seem like a link instead of a button but I was unable to find anything that'd allow ctrl right click or middle click. ;x )

As for why the change had to be done: Using GET only in the vote system made it vulnerable to an XSS or Cross Site Scripting attack. No one abused it thankfully but I wanted to fix it before someone does. ( Technical details: Someone could have used an HTML image tag or even an image tag in the forums with a vote link - everyone who views this vote link would, without noticing, get credited for voting even though they didn't. Because it is set as the URL for the picture, the browser of people who view it tries to load it and boom, the vote goes through. )

Additionally, the vote links are now tokened via the form which enhances security and in addition the SQL queries have been tweaked. All this together fixes the negative timers bug and makes the voting system more stable and secure!

I hope you understand that due to the possibility of an exploit this is a necessity and again - if you find out anything to restore the functionality while at the same time keeping it acting as a form submit button I would be very interested in implementing it.
Title: Re: Changes to the voting page...
Post by: Mal on August 13, 2011, 06:54:59 am
Oooh, came here to make this thread.

> but I was unable to find anything that'd allow ctrl right click or middle click. ;x )

I can still ctrl + right click, just not middle click.
Title: Re: Changes to the voting page...
Post by: Xia Xue on August 13, 2011, 07:15:31 am
there's the date\time below the last voting link =)
Title: Re: Changes to the voting page...
Post by: rolover on August 13, 2011, 02:26:53 pm
messes up my voting a lot ~_~ /sigh for the greater good i guess
Title: Re: Changes to the voting page...
Post by: Kaeri on August 13, 2011, 10:38:38 pm
> > At first i just noticed the link font was different, then i realized i wasn't able to "middle click" (scroll button) the links to open all the pages in new tabs (such that the tabs would open "behind" the voting page so i could continue to click each link without my current tab being switched). Also, i couldn't right click the link to give the option to open in a new tab that way.
> >
> > In fact i couldn't get a right-click menu to pop up anywhere in the gray table (but it worked on other areas of the page). Anyway, the links would only respond to a normal left click, which opened a tab and immediately switched to it. i believe this is normal in most browsers when left-clicking links that would open new pages, but the problem here is that left click is my only option. If i wanted to open all the pages in tabs before i started typing in the captcha stuff, i'd have to keep switching back to the first tab each time.
> >
> > Not the end of the world, but it's throwing off my groove. I'm guessing it happened due to changes being made to fix the "negative timer issue". I'd just like to know if these particular changes were intentional, and if so, what makes them necessary.
>
> Thank you for your concern.
>
> This is occurring because I had to employ POST data instead of GET data for the voting system, i.e. each vote link is its own little HTML form and the vote link is actually a submit button.
>
> Short of using javascript trickery to replace the submit button with an actual text link, I don't think it can be fixed. If you can dig up any sort of CSS to make the form behave more like a traditional link, please let me know! ( I tried to make it look and seem like a link instead of a button but I was unable to find anything that'd allow ctrl right click or middle click. ;x )
>
> As for why the change had to be done: Using GET only in the vote system made it vulnerable to an XSS or Cross Site Scripting attack. No one abused it thankfully but I wanted to fix it before someone does. ( Technical details: Someone could have used an HTML image tag or even an image tag in the forums with a vote link - everyone who views this vote link would, without noticing, get credited for voting even though they didn't. Because it is set as the URL for the picture, the browser of people who view it tries to load it and boom, the vote goes through. )
>
> Additionally, the vote links are now tokened via the form which enhances security and in addition the SQL queries have been tweaked. All this together fixes the negative timers bug and makes the voting system more stable and secure!
>
> I hope you understand that due to the possibility of an exploit this is a necessity and again - if you find out anything to restore the functionality while at the same time keeping it acting as a form submit button I would be very interested in implementing it.

Nyoro~n... This is a reminder that my web developing skills need more cowbell. That, and i simply have no time to research a solution. BUT! If free time should present itself, this is highly relevant to my interests and i may take the opportunity to learn a thing or two. Meanwhile, i guess i'll just have to tell my OCD to STFU. ^^;
Title: Re: Changes to the voting page...
Post by: DeePee on August 14, 2011, 07:40:23 am
> As for why the change had to be done: Using GET only in the vote system made it vulnerable to an XSS or Cross Site Scripting attack. No one abused it thankfully but I wanted to fix it before someone does. ( Technical details: Someone could have used an HTML image tag or even an image tag in the forums with a vote link - everyone who views this vote link would, without noticing, get credited for voting even though they didn't. Because it is set as the URL for the picture, the browser of people who view it tries to load it and boom, the vote goes through. )

Couldn't you set the voting links to only work from the correct referring page?
Title: Re: Changes to the voting page...
Post by: Talis on August 14, 2011, 05:02:05 pm
> > As for why the change had to be done: Using GET only in the vote system made it vulnerable to an XSS or Cross Site Scripting attack. No one abused it thankfully but I wanted to fix it before someone does. ( Technical details: Someone could have used an HTML image tag or even an image tag in the forums with a vote link - everyone who views this vote link would, without noticing, get credited for voting even though they didn't. Because it is set as the URL for the picture, the browser of people who view it tries to load it and boom, the vote goes through. )
>
> Couldn't you set the voting links to only work from the correct referring page?

Referring page is not something set server-side but rather client-side. Therefore, it's easy to fake or manipulate. Additionally there are some browsers ( very few, but they still exist ), which don't even set a referrer.
In HTML 5 it will also become a standard to be able to disable the Referrer entirely. So in short the HTTP referer is not something I rely on anywhere in my coding. It does counter the XSS attack, but the downsides are just too pronounced. We are still looking into using javascript to just replace the buttons anyway.
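
Added example, not part of the thread and not the site's own code: a sketch of the POST-plus-form-token check described in the thread, next to the Referer-only alternative that was suggested. The token construction (an HMAC over the session id and vote site id), the function names and the sample request values are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret, never sent to clients

def issue_token(session_id, site_id):
    """Hidden-field value for one vote form, bound to the session and the vote site."""
    msg = f"{session_id}:{site_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def handle_vote(method, session_id, params):
    """Return (status, reason); the vote is credited only on 200."""
    if method != "POST":
        # A browser loading an image URL always issues GET, so it stops here.
        return 405, "votes must be submitted with POST"
    expected = issue_token(session_id, params.get("site", ""))
    supplied = params.get("token", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        # A form built on another site cannot know this session's token.
        return 403, "missing or invalid form token"
    return 200, "vote credited"

def referer_only_check(headers, vote_page_url):
    """The Referer-based alternative: rejects any request that lacks the header."""
    return headers.get("Referer", "").startswith(vote_page_url)

def demo():
    """Run constructed requests through both checks."""
    sid, site = "sess-constructed-1", "topsite-a"
    good = {"site": site, "token": issue_token(sid, site)}
    return {
        "image_tag_get": handle_vote("GET", sid, {"site": site}),
        "cross_site_post": handle_vote("POST", sid, {"site": site}),
        "token_from_other_session": handle_vote("POST", "sess-constructed-2", good),
        "real_form_no_referer": handle_vote("POST", sid, good),
        "referer_check_no_header": referer_only_check({}, "https://vote.example.invalid/"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The token check accepts the genuine form submission even when the browser sends no Referer header, which is the case the Referer-only check turns away.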