If you're going to use IE's CSS expression() feature...



  • Don't make the dynamic property depend on arbitrary elements being present in the document, OK? It might save someone 5 hours of mind-numbingly convoluted and infuriating debugging one day. There's nothing quite like getting to the point where you have a page with NO scripts included on it that crashes based on the presence of a div with a certain name to drive you absolutely up the fucking wall.



  • IE8 ended this feature.



  • @Sunstorm said:

    IE8 ended the future.

    FTFY!


  • @DaveK said:

    @Sunstorm said:
    IE8 ended the future.
    FTFY!

    Normally I join in on every IE flame, but I don't even know if how this can be seen as a flame or as a praise of IE...



  • @derula said:

    @DaveK said:
    @Sunstorm said:
    IE8 ended the future.
    FTFY!

    Normally I join in on every IE flame, but I don't even know if how this can be seen as a flame or as a praise of IE...

    You don't have to either approve or disapprove of an earthquake merely in order to acknowledge its awesome overwhelming destructive force! 



  • @djork said:

    If you're going to use IE's CSS expression() feature... Don't

    Needs no more to be said.



  • The real WTF is considering using expressions in the first place...



  • I love expression.  A good deal of sites don't properly sanitize CSS so it's a great way to inject Javascript. 
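An added example, not part of the thread: one way a site can sanitize user-supplied inline CSS so that `expression()` and every other functional value is rejected, by allowlisting properties and value shapes instead of searching for known-bad strings. The names `ALLOWED` and `sanitizeStyle`, the chosen properties, and the sample input are assumptions made for illustration.

```javascript
// Allowlist sanitizer for a user-supplied style="" value (added example).
// Only listed properties survive, and only when the whole value matches a
// strict pattern. No pattern admits parentheses, backslashes, quotes or
// comments, so expression(...), url(...) and similar never pass.
const COLOR = /^(#[0-9a-f]{3,8}|[a-z]{3,20})$/i;
const ALLOWED = {
  "color": COLOR,
  "background-color": COLOR,
  "font-weight": /^(normal|bold|[1-9]00)$/i,
  "text-align": /^(left|right|center|justify)$/i,
  "width": /^\d{1,4}(px|em|%)$/i,
};

function sanitizeStyle(input) {
  const kept = [];
  const dropped = [];
  // Splitting on ";" can cut a functional value into fragments; each
  // fragment is still checked on its own, so nothing unsafe is kept.
  for (const raw of String(input).split(";")) {
    const decl = raw.trim();
    if (decl === "") continue;
    const colon = decl.indexOf(":");
    const prop = colon < 0 ? "" : decl.slice(0, colon).trim().toLowerCase();
    const value = colon < 0 ? "" : decl.slice(colon + 1).trim();
    const known = Object.prototype.hasOwnProperty.call(ALLOWED, prop);
    if (known && ALLOWED[prop].test(value)) {
      kept.push(`${prop}: ${value}`);
    } else {
      dropped.push(decl); // keep for logging and review
    }
  }
  return { css: kept.join("; "), dropped };
}

// Constructed sample: a layout-style dynamic property between two safe ones.
const SAMPLE =
  "color: red; " +
  "width: expression(document.body.clientWidth > 800 ? '800px' : 'auto'); " +
  "font-weight: bold";

const result = sanitizeStyle(SAMPLE);
console.log(result.css);     // the declarations that are safe to emit
console.log(result.dropped); // what was rejected
```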



  • @morbiuswilters said:

    I love expression.  A good deal of sites don't properly sanitize CSS so it's a great way to inject Javascript. 

    Thank you for reminding me why I use noscript.



  • @tgape said:

    @morbiuswilters said:

    I love expression.  A good deal of sites don't properly sanitize CSS so it's a great way to inject Javascript. 

    Thank you for reminding me why I use noscript.

    Which, of course, has absolutely nothing to do with what I was talking about.  The expression() construct is only supported by IE. 



  • @morbiuswilters said:

    @tgape said:

    @morbiuswilters said:

    I love expression.  A good deal of sites don't properly sanitize CSS so it's a great way to inject Javascript. 

    Thank you for reminding me why I use noscript.

    Which, of course, has absolutely nothing to do with what I was talking about.  The expression() construct is only supported by IE. 

    Then you fail at being able to generalise a concept.  Let me help you out: just pretend the original post was:

    Fri, Mar 20 2009 10:07 PM, tgape, "Re: If you're going to use IE's CSS expression() feature...":

    @morbiuswilters said:

    bla bla bla bla bla bla CSS bla bla bla *there are many and often unexpected ways in which to inject* Javascript bla bla bla

    Thank you for reminding me why I use noscript.

    Does *that* make it any clearer how his post was a response to the ideas expressed in yours?



  • @DaveK said:

    Then you fail at being able to generalise a concept.

    You spelled generalize wrong.  Your point is pretty stupid, too.  I have prepared the following dramatization to demonstrate.

     

    OP:  So my idiot coworker turned off into an alley on the way to the airport and we ended up getting lost and missed our plane!

    Me:  Sometimes you can get stabbed in an alley by the crackheads who live there.

    tgape:  Thanks for reminding me why I always wear a chainmail glove when cutting vegetables with a knife!

    Me:  WTF?

    You:  No, you are TRWTF!  See, both examples include knives so you just need to generalize your statement about getting stabbed by crackheads to any potentially dangerous situation involving knives!

    Me:  I really hope a crackhead kills you and rapes your dead body.

     

    I should also point out that NoScript is of minimal protection against Javascript injection.  If you are visiting an untrusted site, it's all well and good.  However, if it is a site you trust there's a good chance it uses Javascript anyway which means permitting scripts to run will simply let the injected JS run anyway.  So unless you inspect and comprehend all JS, CSS and HTML served up to you before executing it, you will still end up running the injected scripts.  NoScript does do some XSS blocking and "de-fanging" of some content, but it's really easy to circumvent these if you care to.



  •  @morbiuswilters said:

    @DaveK said:

    Then you fail at being able to generalise a concept.

    You spelled generalize wrong.

    Of course. If you care to open a dictionary, you can find thousands of other words that are spelled nothing like "generalise". Like "stupid", "idiot", "ignorant", "I", "am" or "trolling".

    If you turn to the letter 'g', however, and browse a bit, I'm certain you'll see "generalise", together with some text like "British variant of generalize". But let me save you the trouble: http://www.merriam-webster.com/dictionary/generalise



  • @morbiuswilters said:

    @DaveK said:

    Then you fail at being able to generalise a concept.

    You spelled generalize wrong

    No, dummy, I didn't spell "generalize" wrong, I spelled "generalise" exactly right.

    @morbiuswilters said:

    Your point is pretty stupid, too.  I have prepared the following dramatization to demonstrate.

    Thank you.  I have adjusted it to make it more accurate rather than whitewash your role.

    @morbiuswilters said:

    OP:  So my idiot coworker turned off into an alley on the way to the airport and we ended up getting lost and missed our plane!

    Me:  Sometimes you can get stabbed in an alley by the crackheads who live there.

    tgape:  Thanks for reminding me why I always wear a chainmail glove when cutting vegetables with a knife!

    Me:  WHY ARE YOU TALKING ABOUT SOMETHING DIFFERENT FROM WHAT I WAS TALKING ABOUT? IT MUST BE BECAUSE U R STUPID HAHA!!!1!!!

    You:  You fail at conversation and social skills!  Don't you know the difference between talking with someone and talking at them?

    Me: RAGE

    FTFY. 

    @morbiuswilters said:

    I should also point out that NoScript is of minimal protection against Javascript injection.  If you are visiting an untrusted site, it's all well and good.  However, if it is a site you trust there's a good chance it uses Javascript anyway which means permitting scripts to run will simply let the injected JS run anyway.  So unless you inspect and comprehend all JS, CSS and HTML served up to you before executing it, you will still end up running the injected scripts.  NoScript does do some XSS blocking and "de-fanging" of some content, but it's really easy to circumvent these if you care to.

    Riiiight.  So you're saying the only more effective measure is to disable javascript altogether, or to manually audit every single byte received by your browser?  Sounds to me like NoScript is therefore about the maximal protection possible.  What is your threat model?  Targeted attacks using little-known or 0-day XSS into your webmail account are a hell of a lot rarer than getting served up a bad iframe in an ad banner in my threat model, and NoScript blocks that perfectly.

     



  • @Mo6eB said:

    Of course. If you care to open a dictionary, you can find thousands of other words that are spelled nothing like "generalise". Like "stupid", "idiot", "ignorant", "I", "am" or "trolling".

    If you turn to the letter 'g', however, and browse a bit, I'm certain you'll see "generalise", together with some text like "British variant of generalize". But let me save you the trouble: http://www.merriam-webster.com/dictionary/generalise

    You use far too many commas.  Regarding this book you've discovered that is filled with the pidgin-speak of mongoloid foreigners who have mutilated by beautiful language by trying to speak it through their liquor-rotted teeth, I am not impressed.



  • @DaveK said:

    RAGE

     

    Did you just learn how to use MS Paint and how to embed images in your posts?  This is the third useless post you've made in the last couple of days where the centerpiece was a crudely made picture rather than a few sentences of retarded fluff.  These are much harder to ignore than your usual drivel.  If you could return to said drivel, I would be very appreciative.



  • @morbiuswilters said:

    Did you just learn how to use MS Paint and how to embed images in your posts?

    I wouldn't be too sure about that first part. He's probably found that picture in the tubes.

    Or maybe he done great work at imitating the original ... ahem ... artist.



  • @morbiuswilters said:

    @DaveK said:

    RAGE

     

    Did you just learn how to use MS Paint and how to embed images in your posts? 

    No, but thanks for playing; it's not my fault you have no short- or long-term memory.  If you need a hand recognising well-known internet memes, I suggest you use google.  If you need a hand ignoring things, I suggest you continue to use the copious quantities of alcohol that obviously already underlie your easily-frustrated narcissistic vanity.  If you actually want help with your impotent rage, I suggest you ask the Samaritans.  I understand they're not actually allowed to hang up on you, no matter how inane your problems.  Why don't you phone them up and tell them how stupid they are for bothering to engage you in conversation without sticking to your preferred script?  It's getting pretty old round here.



  • @morbiuswilters said:

    You use far too many commas.  Regarding this book you've discovered that is filled with the pidgin-speak of mongoloid foreigners who have mutilated by beautiful language by trying to speak it through their liquor-rotted teeth, I am not impressed.
    Damn straight!  Only those filthy foreigners spell "my" with an 'm'!



  • @morbiuswilters said:

    @DaveK said:

    Then you fail at being able to generalise a concept.

    You spelled generalize wrong.

    No, he spelled it right.  That's how you spell it in *English*.  His point is pretty stupid though.

     Oh, and it's dramatisation - with an *S* :p



  • @morbiuswilters said:

    You use far too many commas.  Regarding this book you've discovered that is filled with the pidgin-speak of mongoloid foreigners who have mutilated by beautiful language by trying to speak it through their liquor-rotted teeth, I am not impressed.
     

    BTW "generalise" is actually spelt with an s in most English-speaking countries, I think it's only the American dialect of English which spells it with a 'z'.

