sam686 on Current Players

User Control Panel - 0 new messages - FAQ - Members - Logout [ Unknown ]
Servers Online: 10
Current Players: sam686, Zapgamer!,

That is what the current players list shown above the forums looks like in my browser. WTF? Why only sam686?

[sam686]

I named myself <font size=10>sam686</font> in game.

[sam686]

At first, I had a question why everything inside < > characters gets deleted when displaying current players. Then I found it is doing HTML code in web page. When my name was "<font size=10>sam686</font>", it shows up in the web page as
sam686

And If i named myself as "<font color=0000FF>sam686</font>" my name becomes blue in the web site.

[raptor]

And for an excellent example of XSS (cross-site scripting) hack, set your username to something like this:

  Code:

<p onclick='alert(\"yo\")'>dbuck

and then click on your name in the list at the top of the forum.

:]

D

[watusimoto]

Yeah... so I'd better fix that.

NO! Don't fix that Wat! That's really neat! It could have potential!

[watusimoto]

That's exactly the problem.

[sam686]

To fix, try this javascript code.

  Code:

str1=data.players[i];
str1=str1.replace("&","&amp");
str1=str1.replace("<","&lt;");

The html code will convert it back and display the exact name ( <b> < &#99 ).

I found a new problem, putting a quotation mark ( " ) once in a name will cause the status "server online" and "current players" to completely disappear, but will reappear when the player with a quotation mark leave. It is something to do with trying to read this data at http://bitfighter.org/bitfighterStatus.json

[watusimoto]

If you look at http://bitfighter.org/statusWidget.htm, you'll see that the code is fixed there, and that file gets included in the header of the forums. The problem is that the stupid forums get cached, and so far, despite clearing the cache about 20 times, I've been unable to get the new code to load.

So... the fix is coming. I'll look at the quote issue as well.

[raptor]

The problem is that the stupid forums get cached, and so far, despite clearing the cache about 20 times, I've been unable to get the new code to load.

If you have access to the HTTP response headers try setting:

  Code:

Cache-Control: no-cache

[sam686]

If you look at http://bitfighter.org/statusWidget.htm, you'll see that the code is fixed there, [...]

I just took a look at the source, and found this

  Code:

$("#widgetOutput").append(data.players[i].replace(/</g,"&lt;").replace(/&/g,"&amp;"));

The "&" needs to replace first. if "<" replace first, then "&", then "<" becomes "&amp;lt;" and HTML outputs as "&lt;".

When "&" replace comes first, then "<" should be "&lt;" and HTML output "<". Test this by putting "<b>" in player game name.

[watusimoto]

Well... I think it's fixed, except for dbuck's name which maybe killing the whole display...

[sam686]

home page have the same (edit: same old) problem. http://bitfighter.org

[watusimoto]

Yes it does. One thing I need to do is make that read from the same file as the one in the forums does. That one is done with a copy of the code, and needs a bit of attention.

[sam686]

google chrome web browser, javascript console.
statusWidget.htm:39 Uncaught SyntaxError: Unexpected token )

When i view http://bitfighter.org/statusWidget.htm

[raptor]

Well... I think it's fixed, except for dbuck's name which maybe killing the whole display...

Gotta love them semi-colons.

I suggest you do sanitization server side before it is displayed in browser. Like have php (or what ever is handling the requests/responses) prepare any strings before sending it over the internet.

[watusimoto]

I was thinking the same thing. In 14.0, quotes will be disallowed in usernames, so part of the problem will be handled that way.

[sam686]

This is not fixed, try this.

  Code:

//Currently, wrong?
$("#widgetOutput").append(data.players[i]).replace(/&/g,"&amp;").replace(/</g,"&lt;");
//right
$("#widgetOutput").append(data.players[i].replace(/&/g,"&amp;").replace(/</g,"&lt;"));
//wrong order, < becomes &amp;lt;
$("#widgetOutput").append(data.players[i].replace(/</g,"&lt;").replace(/&/g,"&amp;"));

[watusimoto]

OK, it is now fixed on the server side by dbuck. This was a very interesting thread. It may also explain why sometimes the widget appears dead -- perhaps a player was using a name that made it conk out.

:'(

[watusimoto]

In 014, we'll have verified names, and when I get the stats moved from a text file to a proper database, we could style player names differently based on their level of play. Or something.

a shame i made my name alwasy be white now its not.