Hi all,

On Wed, 10 Dec 2003 13:01:42 -0500 Valdis Kletnieks wrote:
> Most reasonable software will put in an outline-box or "\NNN", or
> other similar indication a glyph is not displayable in the charset
> in use, and then *continue trying* to render the rest of the
> string.

I disagree that software should attempt to continue parsing URLs (and
*ML code for that matter) after an error or if something unexpected
happens. This is asking for lots of new vulns. Instead, everything
should come to a halt and a "page" or errorbox should say "Bad URL
syntax". An IE warningbox for "legitimate" use of @ in URLs would be
great.

In case of SSL, the lock icon should *immediately* disappear, and an
(optional) warningbox should pop up, if the hostname in the cert no
longer matches *either* the one displayed in the URL combobox *or* the
actual underlying connection.

Also, probably it is a good idea to have the page turn blank (or have
a red cross) as soon as the displayed URL doesn't match the connection
(for example if someone starts to manually edit the URL, but eventually
does not press enter).

Now for the fun part. Some people have rightfully expressed their
concerns whether https://www.betaplace.com actually is a Microsoft
site (it is). To confirm, visit https://www.betaplace.microsoft.com ;
it works, however currently the certificate is invalid (hostname
mismatch).

Here's my tip for Microsoft (acks to Petard :)
Save to file whatever.htm, and open that in MSIE:

-------------- start cut here -------------
<HTML><BODY>
<a href="https://www.betaplace.microsoft.com"
onclick="location.href=unescape(
'https://[EMAIL PROTECTED]/betaplace/sign-in/betaplace.asp'
); return false;">
Visit the *REAL* Microsoft's BetaPlace site</a>
</BODY></HTML>
-------------- end cut here -------------

Note: if the line with '' in the middle wraps, unwrap it before saving
to the htm file. There shouldn't be any spaces in it. The blank lines
in between are okay.

Cheers,
Erik

On Thu, 11 Dec 2003 19:20:14 +0000 Petard wrote:
> It gets better... it works with SSL sites as well. The little lock, and
> no warning message:
> http://petard.freeshell.org/hotmail-pr.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
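
The behaviour proposed in the message above (halt with "Bad URL syntax" on anything unexpected, warn on "@", and show the lock only when displayed URL, connection and certificate agree), written out as an added example that is not part of the original post. The function names checkUrl, certMatches and showLock are hypothetical and the sample hosts in the comments and tests are constructed.

```javascript
'use strict';
// Added example; function names are hypothetical, sample hosts are constructed.
const RAW_CTL = /[\x00-\x1f\x7f]/;        // raw control characters anywhere
const ENC_CTL = /%(?:[01][0-9a-f]|7f)/i;  // percent-encoded control characters

// Classify a typed or clicked URL. Any surprise is a halt, never a best-effort parse.
function checkUrl(input) {
  const halt = () => ({ status: 'halt', scheme: null, host: null, reason: 'Bad URL syntax' });
  if (RAW_CTL.test(input)) return halt();
  const m = /^(https?):\/\/([^\/?#]*)/i.exec(input);
  if (!m) return halt();
  const scheme = m[1].toLowerCase();
  const authority = m[2];
  if (ENC_CTL.test(authority)) return halt();
  const at = authority.lastIndexOf('@');
  // Host is what follows the last "@"; IPv6 literals are not handled and are rejected.
  const hm = /^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::\d{1,5})?$/i.exec(authority.slice(at + 1));
  if (!hm) return halt();
  const host = hm[1].toLowerCase();
  if (at !== -1) {
    return { status: 'warn', scheme, host, reason: 'URL contains "@"; the real host is ' + host };
  }
  return { status: 'ok', scheme, host, reason: '' };
}

// Certificate name check: exact match, or "*." covering exactly one leftmost label.
function certMatches(certName, host) {
  const name = certName.toLowerCase();
  if (name === host) return true;
  const dot = host.indexOf('.');
  return name.startsWith('*.') && dot > 0 && host.slice(dot) === name.slice(1);
}

// Lock icon only when displayed host, connected host and certificate all agree.
// A URL that only rates 'warn' gets no lock either.
function showLock(displayedUrl, connectedHost, certNames) {
  const u = checkUrl(displayedUrl);
  if (u.status !== 'ok' || u.scheme !== 'https') return false;
  if (u.host !== connectedHost.toLowerCase()) return false;
  return certNames.some((n) => certMatches(n, u.host));
}
```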
