Tuesday, December 5, 2006

Computing: Feedback Form Updated

I have just posted version 1.1 of the Fourmilab Feedback Form, which has been in production test since last week. Since no problems have been noted, either by users sending feedback or from scrutiny of the Web server error log, I'm releasing the source code for folks who wish to install it on their own sites, along with the corresponding documentation update.

Although the documentation for the feedback form was updated to XHTML 1.0 some time ago, the form itself, its confirmation and error messages, and (if configured) the HTML mail it sent remained sloppy old HTML 3.2. The new version generates XHTML 1.0 (Transitional) for all of these documents, and all have been validated for compliance by the W3C Markup Validator.

In addition, a few potential “HTML injection” vulnerabilities have been corrected. These are circumstances in which a clever (or in some cases, brow-ridged knuckle-walking obvious) use of HTML mark-up in user-specified input could pass through to the HTML returned to the user or sent in HTML mail to the designated recipient of the feedback. This can create what is called a “cross-site scripting” vulnerability, but, since in this case users can only send the injected HTML back to themselves or the unspecified address to which the feedback is sent, the potential damage was limited compared to the general case. Still, 'twere better fixed, and 'tis this very day.
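To make the pass-through problem concrete, here is an added Python example (not the Fourmilab script's own code, which the post does not show) contrasting verbatim interpolation of feedback fields with escaping at the point each value is written into the XHTML confirmation page; the field names and sample submission are constructed.

```python
import html

# Constructed sample submission (not from the post): each field carries
# mark-up of the kind an unescaped form would pass straight through.
SAMPLE_FIELDS = {
    "name": 'Alice <b>"Admin"</b>',
    "message": "Nice site!<script>alert(1)</script>",
}


def render_confirmation_unsafe(fields):
    """Pass-through rendering: user text is interpolated verbatim, so any
    tags it contains become part of the page the browser renders."""
    return ("<p>Thanks, %s. You wrote:</p>\n<blockquote>%s</blockquote>"
            % (fields["name"], fields["message"]))


def escape_field(value):
    """Neutralise the XML-significant characters (& < > " ') so user text is
    displayed as text, both in element content and in quoted attributes."""
    return html.escape(value, quote=True)


def render_confirmation_safe(fields):
    """Same confirmation page, but every user-supplied value is escaped at
    the point it is written into the XHTML 1.0 Transitional output."""
    body = ("<p>Thanks, %s. You wrote:</p>\n<blockquote>%s</blockquote>"
            % (escape_field(fields["name"]), escape_field(fields["message"])))
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n'
        ' "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n'
        '<html xmlns="http://www.w3.org/1999/xhtml"><head>'
        '<title>Feedback received</title></head>\n<body>\n' + body +
        '\n</body></html>\n'
    )


def flag_markup(fields):
    """Names of fields containing '<' or '>': handy for logging suspicious
    submissions in the server log, but never a substitute for escaping."""
    return sorted(k for k, v in fields.items() if "<" in v or ">" in v)
```

The same escape_field call applies to the error page and to any HTML mail the form sends, since those reach a browser or mail client just as the confirmation page does.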

Although the documentation was already in XHTML 1.0, it now uses CSS for more of the presentation specifications, and Unicode entities for special characters such as opening and closing quotes and dashes.

