Limitations of HTML's title element

by @edent | 7 comments | Read ~217 times.
The raw HTML displays in the tab.

How much do you know about the humble <title> tag? It has been there since the earliest HTML specification. The 1995 spec says: There may only be one title in any document. It should identify the content of the document in a fairly wide context. It may not contain anchors, paragraph marks, or highlighting. Remarkably…

A curious way to break Twitter's search results

by @edent | Read ~173 times.
Screenshot of a tweet. The HTML is malformed.

(This isn't really a security issue, although I've disclosed it to the Twitter team.) "Fuzzing" is a computer science term which means "sending weird data into a program and seeing what happens." It's a useful way to see how your code can break in new and unexpected ways. It's particularly good at showing what a…

MailChimp leaks your email address

by @edent | 7 comments | Read ~4,281 times.
Change email address page with obscured email address

An annoying privacy violation from leading email newsletter company MailChimp. Responsibly disclosed on 2017-12-04. When you click a link on a webpage or an email, your browser opens up that link and sends the newly visited webpage a Referer Header. (The misspelling is a historical artefact.) This says "Hello new site, I was referred here…

Mapping in HTML - a proposal for a new element

by @edent | 17 comments | Read ~4,887 times.
Two men are confused by a paper map

This is a sketch of a proposal for a new HTML element to simplify displaying maps on a website. I'd like your comments and criticisms before I submit it. This is born out of my frustration of using different JavaScript mapping solutions - my phone has a mapping app, why do I need to share…

How *not* to do a password change page

by @edent | 3 comments | Read ~348 times.

We've all been faced with this screen, right? You haven't logged in to a website for a while, so it prompts you to change your password. sigh Annoying but probably necessary. The problem was, every time I tried to change my password, it told me that my old password was invalid. The one that I'd…

Minimum Viable XSS

by @edent | Read ~1,922 times.

Here's a fun little game for all the family! What is the minimum number of characters required to perform a successful XSS attack? Let's take an entirely theoretical example - suppose we have a site which echoes back user input without sanitising it. So a search for "<em>" turns the whole page italic. *ahem*…

Overlapping Animated GIFs

by @edent | Read ~3,873 times.

Just a couple of silly experiments on a Sunday afternoon. I think it's beautiful to overlay animated GIFs on top of one another. If the topmost GIF has a transparent background it becomes hypnotic to see the synchronicity which appears to develop - akin to listening to Dark Side of the Moon while the Wizard…

How Should We Punctuate on the Web?

by @edent | 2 comments | Read ~135 times.

Imagine, just for a moment, you were a computer. Take a look at the following sentence and try to work out where and how you should hyperlink the text. He said "You should visit http://example.com/!" Obvious, isn't it? Except, of course, it's not really that simple. There could well be a file named "!" on…

BBC News Don't Get Responsive Design

by @edent | Read ~263 times.

In October, I was interviewed in Econsultancy about the BBC's new "responsive" website. I said: The BBC's mobile site is fairly responsive. If you view it on different sized phones and tablets it adapts quite well. But it is an entirely separate site from the main BBC news site. The BBC are doing device detection…

Should <img> Deprecate "height" and "width"?

by @edent | 1 comment | Read ~608 times.

Image adaptation and resizing is a hot topic at the moment. With devices of varying screensize accessing your site, how do you ensure that the crappy 240*240 phone gets a reasonable experience while still making everything look gorgeous on the retina-busting iPad? One of the very first things we're taught in HTML school is that…