AJAX without the A and the X



  • Copypasted from a submission from a while ago, there might be some errors:

    While trawling the net to find that one really good but elusive album, I came upon this gem of a music store. Searching for anything at all causes the server to dump a 120+ KB html file with embedded javascript onto the client. Since the site is otherwise exceedingly spartan, I examined the source of the frame, and found the attached abomination.

    Now, at first glance it's just the 1247 array assignments that stick out, one for each product in the store. A second glance shows that the search is an iteration over this array, comparing with the search string. The operative expression is:

    if (search_items[i].name.toLowerCase().indexOf(parent.parent.parent.extra.core.searchPhrase) != -1) {

    Some nice cross-frame scripting there. The search page is basically built with javascript entirely on the client, using data sent to the client embedded in javascript.

    The store is at http://www.cd-kauppa.fi/ but isn't the real perpetrator, since they're just using a webstore package from Shopfactory. Some googling reveals another site using that package and having the same flaw. This does appear to be an older version of the software, though.

    Unfortunately, the newer versions I found are starting to have a quite enterprisey feel to their frame/javascript complexity. For instance the page at http://www.ninisfavorites.com/ (uses version 6), looking at toc.html in the left frame, I count at least 11 separate script tag blocks. Towards the end of the file is this one, that causes the search box to be displayed:

    <input class="SearchTextField" type="text" name="phrase" size="12" maxlength="40" value="lds" onfocus="javascript:if(this.value==\''+ld('LD_SEARCHPHRASE')+'\')this.value=\'\';" onblur="javascript:if(this.value==\'\')this.value=\''+ld('LD_SEARCHPHRASE')+'\';">

    The dw() function is simply this:

    function dw(s){document.write(s);}

    In fact, this function is used all over the place. The ld() function on the other hand fetches a string from the top document in the frameset stack, probably for I18N purposes, but with its obfuscation and eval() calls, I'm getting headaches by now. I'm almost suspecting that the whole thing is some kind of client-side dynamic web site...

    Speaking of frameset stack, the journey continues: using the DOM inspector, I count 7 different framesets with a max nesting level of 5, while tables come in at 10, nesting level 3. Total amount of script tags: 58.

    I found a version 7 lite laying around in the usual shady repositories for software and installed it, and it offered some improvement: just one frameset and 54 script tags from the main page. As browser punishment, it introduces 34 iframes instead, and I didn't even put in any content yet.

    I attempted to download a trial version just for kicks, but they wanted an email address, with the explicit intention to put it on their mailing list with no opt-out and an alleged unsubscribe, so I passed on that. The price seems to be 319 / 639 euro for pro/gold version respectively.


    Unfortunately, (or fortunately), the music store ultimately didn't have the CD I was looking for.



  • This type of crap is all over some of the pages I have to maintain at my current job. Most of it was written 6 years ago and has grown into an unmanageable mess.



  •  Give them a mailinator address and try it out :)

    Is the dw() thing really a wtf though? It does save a few keystrokes...



  • @u2892 said:

    Is the dw() thing really a wtf though? It does save a few keystrokes...

    And bandwidth.  My assumption was that the OP was saying that using document.write() is retarded. 



  •  Wow- this really reminds me of the community server reply page!

    However, things actually improved. This page has only 147kb. And the "automatic tag completion" seems quite fast now.



  • @morbiuswilters said:

    And bandwidth.  My assumption was that the OP was saying that using document.write() is retarded.

    Good point. I was thinking purely from a design perspective, but it does probably save some keystrokes and code size. Then again, most variable names are normal-sized, in particular the search_table could be shortened to just s to save at least 13 KB per search page load.



  • @morbiuswilters said:

    @u2892 said:

    Is the dw() thing really a wtf though? It does save a few keystrokes...

    And bandwidth.  My assumption was that the OP was saying that using document.write() is retarded. 



    Not only bandwidth, but server CPU cycles as well, since the client handles all of the search functionality itself... Brillant! (I wonder how many resources it takes to serve up this monster of a page to every user, though...)



  • @Juifeng said:

    Wow- this really reminds me of the community server reply page!

    However, things actually improved. This page has only 147kb. And the "automatic tag completion" seems quite fast now.

    The random TagExceptions created by the script I wrote have been purged.  That added about 500k to every thread view if you were logged in.



  • @morbiuswilters said:

    The random TagExceptions created by the script I wrote have been purged.  That added about 500k to every thread view if you were logged in.
     

    Wow, thanks. Jackass. 



  • @Zylon said:

    Wow, thanks. Jackass.

    Why don't you bawl some more?  It was create to illustrate the retarded way Community Server was handling tag selection. 



  • @morbiuswilters said:

    Why don't you bawl some more?  It was create to illustrate the retarded way Community Server was handling tag selection.

    ...and inconvenience all registered users in the process. Hence why you are, in fact, a jackass.



  • @Zylon said:

    @morbiuswilters said:

    Why don't you bawl some more?  It was create to illustrate the retarded way Community Server was handling tag selection.

    ...and inconvenience all registered users in the process. Hence why you are, in fact, a jackass.

    It's a site about technical blunders running very WTFy forum software.  To not exploit it for amusement and profit would be wrong. 



  • @morbiuswilters said:

    It's a site about technical blunders running very WTFy forum software.  To not exploit it for amusement and profit would be wrong. 

    Agreed.

    Coincidentally, if you type a capital T in the tag field, it auto-completes TABLE_CAT. Release shift and you get TABLE_CATag abuseg abuse. OK, shoot, I want to delete this crap, so I hit home-shift-end. Now I have: TABLE_CATag abuseg abuse exception 0xDEADBEEF. WTF!?!?



  • @morbiuswilters said:

    It's a site about technical blunders running very WTFy forum software.  To not exploit it for amusement and profit would be wrong. 
     

    Everyone including Alex agrees that TRWTF is community server. That said, deliberately making it worse for all forum members can get you banned.



  • @ammoQ said:

    Everyone including Alex agrees that TRWTF is community server.

    So, this revelation tells me that CS is TRWTF and I should just disregard those "lern 2 use da forum software" posts? ;)



  • @danixdefcon5 said:

    So, this revelation tells me that CS is TRWTF and I should just disregard those "lern 2 use da forum software" posts? ;)

    CS is a WTF from the way the code works.  Not knowing how to use a simple WYSIWYG editor or quoting feature is still moronic. 



  • @morbiuswilters said:

    Not knowing how to use a simple WYSIWYG editor or quoting feature is still moronic.

    Except when said WYSIWYG editor decides not to load, as it seems to have done today. Many post WTF's have been because the standard editor fails to load, without clicking anything... it just doesn't load.

    Quoting mistakes, however, are true n00b mistakes.



  • @danixdefcon5 said:

    Except when said WYSIWYG editor decides not to load, as it seems to have done today. Many post WTF's have been because the standard editor fails to load, without clicking anything... it just doesn't load.

    This is caused by sluggish response from the server.  It's sucky but it's not the editor's fault and people who complain frequently are messing up the formatting on their own or are using a crappy browser that doesn't work with the editor.  Also, it's not like determining if you are using WYSIWYG is that difficult. 



  •  @danixdefcon5 said:

    Except when said WYSIWYG editor decides not to load, as it seems to have done today.

    That has nothing to do with the editor, but more your connection or patience.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.