My Yahoo WTF feed problem



  • For the past couple weeks I kept getting these annoying Javascript warnings on My Yahoo! page.  I have script debugging on, so I get a little "Do you want to debug?" popup on every refresh.

    I finally poked inside to see what it was complaining about.  Here's the offending line:

    <a href="http://thedailywtf.com/Articles/The_Contractor's_Note.aspx" mce_href="http://thedailywtf.com/Articles/The_Contractor's_Note.aspx" id="429100755"
    onclick="fltrM('8097'); this.href='http://us.lrd.yahoo.com/_ylt=Atku7RQtX2.p9b1rl9fLNiwE1vAI/ SIG=11vbvv8si/**http%3A//thedailywtf.com/Articles/The_Contractor's_Note.aspx'">

    Whoa, my RSS-fed TDWTF module is the culprit.  More specifically, Yahoo's screwy onclick event of an article's anchor.  Even more specifically, the single-quote-delimited href reassignment with a URL containing a single-quote ("The_Contractor's_Note.aspx"). 

    Before today, it was apparently the one inside Trust_Me,_I'm_A_Doctor.aspx that Yahoo choked on.  Or maybe The_Sorcerer's_Apprentice.asp.... or, darn it, Alex, stop putting apostrophe's in your URL's!!!!  Yahoo doesn't like it!



  • Why not make the next URL something like:
    The best '; location.href='http://www.example.com'; '

    (or something more nefarious like cookie stealing code)... 



  • That's probably why my Google Home page The Daily WTF module didn't even display those two articles. =/



  • I'm also seeing problems with my feed (as viewed through Newshutch), but in my case the problem simply manifests itself as a truncated URL - so I end up at http://thedailywtf.com/Articles/The_Contractor instead of the full URL.

    The Real WTF TM is that Alex isn't properly escaping the URLs - RFC 3986 section 2.2, if I'm reading it correctly, states that single-quotes are among the reserved characters... but I could be wrong about that...



  • Since when are bugs the equivalent of WTFs? The WTF is putting single quotes into a URL. I think it's within the reasonable realm of things overlooked that a URL would have a ' in it.

     



  • @unklegwar said:

    Since when are bugs the equivalent of WTFs? The WTF is putting single quotes into a URL. I think it's within the reasonable realm of things overlooked that a URL would have a ' in it.

    You would think so, but single quotes are apparently valid URL characters.



  • It's not a WTF, it's just a bug. You have to encode the values properly, or they won't handle some characters correctly.

    Encoding values is a tricky business that has to be done in several steps in this case, as you have a URL inside a URL inside a Javascript string inside HTML code.

    First the URL has to be URL encoded to be a part of the query string of another URL, which obviously hasn't been done, as it still contains slashes instead of %2f.

    Then the string containing the URL has to be encoded into a proper Javascript string, which obviously hasn't been done, as it still contains a single apostrophe instead of the backslash-apostrophe sequence that is used to put an apostrophe in an apostrophe delimited string.

    Then the entire Javascript code string has to be HTML encoded to be put inside the value of a property in an HTML tag. There is no character that needs HTML encoding in this case, so I can't tell if this has been done or not. Judging from how much encoding has been done so far, it's not very likely that this has been done either.
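
The three layers described in the post above, applied to the URL from this thread. This is an added example, not part of the original thread and not Yahoo's code: the `REDIRECT` prefix and all function names are hypothetical, and `new Function` stands in for the browser compiling the `onclick` attribute.

```javascript
// Added example: a URL inside a URL inside a JS string inside an HTML attribute.
// REDIRECT is a placeholder prefix, not the real redirector from the page.
const REDIRECT = 'http://redirect.example/r?u=';

// Layer 3 helper: HTML attribute encoding, plus its inverse (what the HTML parser does).
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlAttrEncode(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}
function htmlAttrDecode(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m) =>
    Object.keys(HTML_ENTITIES).find((k) => HTML_ENTITIES[k] === m));
}

// The pattern in the snippet: feed URL pasted between single quotes, no escaping.
function naiveOnclick(feedUrl) {
  return "this.href='" + REDIRECT + feedUrl + "'";
}

// Each layer applied in order, innermost first.
function safeOnclick(feedUrl) {
  const inner = encodeURIComponent(feedUrl);          // 1. URL as a query value (leaves ' alone)
  const jsLiteral = JSON.stringify(REDIRECT + inner); // 2. JS string literal with escapes
  return htmlAttrEncode('this.href=' + jsLiteral);    // 3. HTML attribute value
}

// Simulate the browser: decode the attribute, compile it, run it on a stand-in <a>.
function runHandler(attrValue) {
  const anchor = { href: '' };
  try {
    new Function(htmlAttrDecode(attrValue)).call(anchor);
    return { ok: true, href: anchor.href };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

const feedUrl = "http://thedailywtf.com/Articles/The_Contractor's_Note.aspx";
console.log(runHandler(naiveOnclick(feedUrl))); // handler fails to compile
console.log(runHandler(safeOnclick(feedUrl)));  // handler runs, href carries the full URL
```

`encodeURIComponent` does not percent-encode the apostrophe, so the first layer alone would not have fixed the handler; the JavaScript-string and HTML-attribute layers are what keep the quote from ending the literal.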



  • It's just a bug where the ' in the string at "The_Contractor's_Note.aspx" isn't escaped

    should be like "The_Contractor\'s_Note.aspx"

    Not really a wtf cause it can be fixed with like 1 line of code.

    The ' in the url is fine as long as it's escaped in the string. The ' is ending the javascript string early and it's the rest of the string that causes the error.



  • "the URL has to be URL encoded to be a part of the query string of
    another URL, which obviously hasn't been done, as it still contains
    slashes instead of %2f."

    But it DOES contain %3f instead of the colon after 'http'.  So the encoding was apparently done, but only halfway.
     



  • @plazmo said:

    It's just a bug where the ' in the string at "The_Contractor's_Note.aspx" isn't escaped

    should be like "The_Contractor\'s_Note.aspx"

    How exactly is that going to help? That won't actually escape the ' in HTML. HTML doesn't process like that. Instead it will link to The_Contractor\ instead of just The_Contractor



  • @sycro said:

    @plazmo said:

    It's just a bug where the ' in the string at "The_Contractor's_Note.aspx" isn't escaped

    should be like "The_Contractor\'s_Note.aspx"

    How exactly is that going to help? That won't actually escape the ' in HTML. HTML doesn't process like that. Instead it will link to The_Contractor\ instead of just The_Contractor

    No, but it will prevent the javascript parser from terminating the string there.



  • I guess I sort of figured that everyone would realize that escaping the quotation would fix the Javascript problem in Yahoo's case.  I mean, you obviously can't use a single quote inside a value that's delimited by, duh, single quotes -- but the bigger WTF to me (and one I'm still not sure how to answer) is, why are so many portals unprepared for this, given that single quotes are valid URL characters?  Look above, the URLs cause a problem with Yahoo, Google, Newshutch...  Are these guys expecting URLs coming from the RSS feed to forbid embedded single quotes from some (obviously unenforced) standard that Alex is violating?  Or are they all just making the same oversight?



  • @sycro said:

    @plazmo said:

    It's just a bug where the ' in the string at "The_Contractor's_Note.aspx" isn't escaped

    should be like "The_Contractor\'s_Note.aspx"

    How exactly is that going to help? That won't actually escape the ' in HTML. HTML doesn't process like that. Instead it will link to The_Contractor\ instead of just The_Contractor

    The problem is not that there is a ' in the URL and has nothing to do with html.  A ' in the url is valid, try the url it works.

    The ' is terminating the javascript string. That is the only problem here.... 



  • For those of you watching this thread for an update with bated breath, I found out thru an email from Alex that the single quote problem is, in fact, a problem with his forum software.....

    This issue has been logged in the bug-tracking software I use. It’s a bit tricky to fix, since the Encode function is global and would break all old URLs if changed, but it’s definitely on the list. In the meantime, I will be careful to avoid (‘) characters =-

    Alex

    So, there you have it.



  • @wgh said:

    For those of you watching this thread for an update with bated breath, I found out thru an email from Alex that the single quote problem is, in fact, a problem with his forum software.....


    Insert dead horsebeating here: the real WTF, as always, is...



  • @wgh said:

    For those of you watching this thread for an update with bated breath, I found out thru an email from Alex that the single quote problem is, in fact, a problem with his forum software.....

    This issue has been logged in the bug-tracking software I use. It’s a bit tricky to fix, since the Encode function is global and would break all old URLs if changed, but it’s definitely on the list. In the meantime, I will be careful to avoid (‘) characters =-

    Alex

    So, there you have it.

     hooray!
     

