Terence Eden’s Blog

Limitations of HTML's title element

· 9 comments · 550 words · Viewed ~410 times


The raw HTML displays in the tab.

How much do you know about the humble <title> tag? It has been there since the earliest HTML specification. The 1995 spec says: There may only be one title in any document. It should identify the content of the document in a fairly wide context. It may not contain anchors, paragraph marks, or highlighting. Remarkably little has changed in the intervening decades. The modern HTML5 spec…

A curious way to break Twitter's search results

· 250 words · Viewed ~230 times


Screenshot of a tweet. The HTML is malformed.

(This isn't really a security issue, although I've disclosed it to the Twitter team.) "Fuzzing" is a computer science term which means "sending weird data into a program and seeing what happens." It's a useful way to see how your code can break in new and unexpected ways. It's particularly good at showing what a website's search engine does when it is confused. For example, here's a fairly…

MailChimp leaks your email address

· 8 comments · 600 words · Viewed ~4,889 times


Change email address page with obscured email address

An annoying privacy violation from leading email newsletter company MailChimp. Responsibly disclosed on 2017-12-04. When you click a link on a webpage or an email, your browser opens up that link and sends the newly visited webpage a Referer Header. (The misspelling is a historical artefact.) This says "Hello new site, I was referred here by this previous website." This has some privacy…

Mapping in HTML - a proposal for a new element

· 18 comments · 800 words · Viewed ~5,207 times


Two men are confused by a paper map

This is a sketch of a proposal for a new HTML element to simplify displaying maps on a website. I'd like your comments and criticisms before I submit it. This is born out of my frustration of using different JavaScript mapping solutions - my phone has a mapping app, why do I need to share my location with a website and their mapping provider? At the moment, if I want to use Google Maps, or…

How *not* to do a password change page

· 3 comments · 200 words · Viewed ~427 times


We've all been faced with this screen, right? You haven't logged in to a website for a while, so it prompts you to change your password. sigh Annoying but probably necessary. The problem was, every time I tried to change my password, it told me that my old password was invalid. The one that I'd just used to log in. I use the incredible LastPass Password Manager - so I knew I wasn't typing…

Minimum Viable XSS

· 400 words · Viewed ~3,285 times


Update! I now have an XSS which is only 18 characters! Here's a fun little game for all the family! What is the minimum number of characters required to perform a successful XSS attack? Let's take an entirely theoretical example - suppose we have a site which echoes back user input without sanitising it. So a search for "<em>" turns the whole page italic. ahem A hacker might think, "Hurrah! …

Overlapping Animated GIFs

· 2 comments · 200 words · Viewed ~12,555 times


Just a couple of silly experiments on a Sunday afternoon. I think it's beautiful to overlay animated GIFs on top of one another. If the topmost GIF has a transparent background it becomes hypnotic to see the synchronicity which appears to develop - akin to listening to Dark Side of the Moon while the Wizard of Oz is on the TV. The background and foreground have differing periods of motion,…

How Should We Punctuate on the Web?

· 2 comments · 350 words · Viewed ~220 times


Screenshot showing a 404 error on the Guardian's website.

Imagine, just for a moment, you were a computer. Take a look at the following sentence and try to work out where and how you should hyperlink the text. He said "You should visit http://example.com/!" Obvious, isn't it? Except, of course, it's not really that simple. There could well be a file named "!" on the webserver. In fact, there could be a file named "!"" on there. And yet, to my tastes, …

BBC News Don't Get Responsive Design

· 200 words · Viewed ~301 times


In October, I was interviewed in Econsultancy about the BBC's new "responsive" website. I said: The BBC's mobile site is fairly responsive. If you view it on different sized phones and tablets it adapts quite well. But it is an entirely separate site from the main BBC news site. The BBC are doing device detection and redirecting mobile users. It's not a bad strategy per se - but it is not…

Should < img > Deprecate "height" and "width"?

· 1 comment · 500 words · Viewed ~722 times


The HTML5 Logo.

Image adaptation and resizing is a hot topic at the moment. With devices of varying screensize accessing your site, how do you ensure that the crappy 240*240 phone gets a reasonable experience while still making everything look gorgeous on the retina-busting iPad? One of the very first things we're taught in HTML school is that we should separate content and style. <span font="comic sans"…

London Web Standards - State of the Browser

· 100 words


Photo of me holding a microphone. I'm wearing a T-Shirt with the HTML5 logo on it.

Here's the introduction I gave to London Web Standards for their State of the Browser conference. Slideshare seem to have screwed up some of the formatting, but here are the slides. State of the Browser - London Web Standards from Terence Eden Full details of the day on Lanyrd. Thanks to Nick and the rest of the team for inviting me. It was an excellent day full of demos,…

Twitter and Linebreaks

· 6 comments · 300 words · Viewed ~28,323 times


As any student of computer science knows, line breaks are confusing. There are styles of line breaks unique to Unix, Mac and Windows - so what should a web renderer do when faced with a newline command? In HTML, it's simple, they should be ignored. But what when it is user generated text, not HTML? This was a problem I faced when trying to get Dabr to render the ASCII art produced by Aral…