Posts posted by midnite

  1. In the image attached below, in the (3) light blue content assist box, on the left there are 5 Firefox browser icons. What do they mean? Seemingly they mean those methods are only supported in Firefox. But of what versions? And if a certain element is supported in both Firefox and Chrome, but not IE, how will it show (as there is only 1 column space for 1 icon)?

     

    uKa4i.png

     

    (image from http://www.jetbrains.com/phpstorm/webhelp/familiarize-yourself-with-phpstorm-editor.html)

     


     

    On the other hand, in Aptana, there are different columns of browser icons, showing levels of support by light up or not.

     

    TO4qX.png

     

    (image from http://aptana.com/products/studio3)

     

    In addition, in the description area, detailed browser versions of support is also shown.

     

    VL5bX.png

     

    (image from my test of Eclipse + Aptana plugin)

     


     

    If one asks why don't i just use Aptana, and forget about PHPStorm? As there are some significant drawbacks while coding JS in Aptana, and some say Aptana browser version support is not worth trusting. That's why I am looking for different IDEs.

     


     

    In conclusion, how to understand browser icons in PHPStorm content assist?

  2. Thanks DaveJ. Yes it is tricky for both PHP and JS, as the classes are not really related to the files. I have tested for a few versions of Eclipse. Most of them can cross-files reference PHP. But when it comes to JS, it depends (will be explained later).

     

    While testing different IDEs, i particularly like the Aptana or the Eclipse with the Aptana plugin, which provides "level of support for each element in the major web browsers" in its content assist (works for both PHP & JS): (Does Netbeans have this?)

    S3-1-lrg.png

     

    Let me sidetrack a bit. As far as i know, there are 3 ways to define classes (objects) in JS:

    A) using var o = {}

    var o = {
      field: "...",
      method: function() { /* ... */ }
    };

    B) using function() {}

    function f() {
      this.field = "...";
      this.method = function() { /* ... */ };
    }

    C) using var a = function () {}

    var a = function () {
      this.field = "...";
      this.method = function() { /* ... */ };
    };

    However, neither Aptana nor Eclipse with Aptana plugin can cross-files reference objects defined by method B and C. Both of them only work for method A.

     

    On the other hand, Eclipse with the JavaScript Development Tool (JSDT) plugin, or Eclipse with the PHP Development Tool (PDT) plugin, they only work for method B and C. In addition, they cannot show browser version support in the content assist (as they are not Aptana).

     

    As a result, i have to use both Eclipse + Aptana and Eclipse + JSDT for a complete function. Using two IDEs at the same time is not convenient.

     

    In conclusion, a perfect IDE for me would be:

    1. Cross-file reference for both PHP and JavaScript (for all methods #A #B #C).
    2. Showing browser version support in the content assist.

    (1 would be the priority, 2 is the second most important though.)

     

    Note that, in my tests, no Eclipse version can satisfy #1.

  3. Thanks DaveJ. What am I looking for is exactly the feature you mentioned in your first paragraph. Yes it seems to be a must-have feature for every Java IDE. But for PHP and JS, some IDE cannot do this. They can only look up the class definition within the same file.

  4. Thanks DaveJ for reply. What do you mean? In fact I can code well in Notepad++ or even Notepad. But as I would like to make my JS and PHP go OO, build some objects like i did in Java, an IDE with cross-files referencing would be very very handy (esp eliminate many misspells).

  5. dsonesuk, i used overflow: hidden; to visually hide elements going outside the #jail. In your examples, you used overflow: auto; (which i found it is even better as it adds the scroll bars if necessary) that can also prevent HTML goes visually outside the #jail. Do you think it is enough?

  6. Thanks dsonesuk for explaining about the governing elements. I have a question.

    To force position: absolute; elements positioning to be governed by the parent container they are in, the parent container must use position: relative; otherwise its position will be governed by a outer element container using position: relative OR if none exists the browser window outer edges.

    In my simple test below, for a position: absolute; inner element, in addition to being governed by a position: relative; outer element, it can also be governed by a position: absolute; outer element. Isn't it?

    <html>
    <head>
    <style>
    #outer {
      position: absolute;
      overflow: auto;
      border: 1px dotted red;
      height: 200%; width: 50%;
      left: 25%; top: 25%;
    }
    #inner {
      position: absolute;
      top: -10px; right: -10px;
    }
    </style>
    </head>
    <body>
    <div id="outer">
      <div id="inner">
        just a line of text
      </div>
    </div>
    </body>
    </html>

    However, I do agree that, if both position: relative; and position: absolute; can be used to govern the inner elements, using position: relative; would be a better choice, as it is more friendly to other elements in the webpage.


    Position: fixed; positioning is ONLY governed by the browser window outer edges.

    Secondly, do you mean that position: fixed; "reports" only to the browser window outer edges, thus position: fixed; elements can always breakthrough (ignore) its outer element(s)?


    I guess I didn't state my question and objective clear enough in the first post.
    • I will have a <div id="jail"></div> in my webpage.
    • Inside the <div id="jail"></div>, I will load the user-supplied (X)HTML codes.
      • To prevent XSS, those user-supplied (X)HTML codes will be sanitised by HTML Purifier.
    • I will allow also user-supplied CSS for adding styles to their elements.
      • To avoid user-supplied CSS messing up with my elements, all user-supplied CSS will be prefixed with #jail.
    • My objective is to add certain styles to <div id="jail"></div> (or using any other approaches) such that no user-supplied content will be displayed outside <div id="jail"></div>.

    Thanks dsonesuk again for your help. Do you have any ideas?

  7. I don't do much with XML or XSL, but it seems like a weak point of that might be your test cases. There might be some XSL which will pass your test cases but would do something different with other XML data. In general though, XSL is not to be trusted. People can include other XSL files from other domains or any number of other things. If you are accepting untrusted XSL and you're using it to produce output for your site, then that is definitely a security issue. There is a summary of some of the issues here: http://msdn.microsoft.com/en-us/library/ms763800(v=vs.85).aspx

    Thanks @justsomeguy for providing this reminder that XSLT will cause DoS and XSS. In addition, some others also say that XSL is Turing Complete that can do anything to harm the server and scripts. In addition, I would have to avoid the Billion Laughs attack in XML too. I guess I have to modify my step (1) to:

    1. User submits a piece of XSL code XHTML code with my special tags - for example, I allow [for-each], [choose], [when], etc.
      • As they are in fact a white-list of XSLT tags, then i validate and replace those tags with actual XSLT tags.
    2. In the server, there are some sample data (sample XMLs). PHP is used to do the XSL transform with those sample XML data.
    3. Pass the output XHTML to HTML Purifier. If HTML Purifier detects any prohibited elements in the code, stop process and show the errors to user.
    4. If it passes HTML Purifier, check it against the W3C validator. (This is just a double check. Outputs from HTML Purifier should be valid.)
    5. Save the piece of XSL code into database. Use (include) it whenever needed.

     

    For the sample test cases, I will include as many special cases as possible.

  8. I am going to design a webpage, which contains <div>(s) that allow users to submit their (X)HTML with CSS, and being inserted into those <div>(s). I understand it will suffer from XSS seriously, so I will use HTML Purifier to sanitise the (X)HTML and CSS. For instance, I will definitely not allow <script>, <iframe>, and external resources. But I wish to allow almost all other tags and CSS attributes. Here comes the question. I wish to keep client elements (visually) inside the <div>(s). I have tried a partial solution, by using position: absolute; and overflow: hidden;, as follow:

    <html>
    <head>
    <style>
    div#jail {
      position: absolute;
      overflow: hidden;
      border: 1px dotted red;
      height: 200%; width: 50%;
      left: 25%; top: 25%;
    }
    /* All client's CSS is ensured prefixed with div#jail */
    div#jail .client_code {
      margin: 0;
      position: absolute;
      top: -8px;
      z-index: 1000;
    }
    </style>
    </head>
    <body>
    <div id="jail">
      <p class="client_code">elements being jailed</p>
    </div>
    </body>
    </html>

    The effect of the codes above is as follow:

    post-8945-0-48037300-1387554782.png

    The red dotted line is the "Jail". The purpose is to make any HTML codes with any CSS (prefixed with div#jail) to visually keep inside the box. As shown above, the line of text tried to move out of the box. However, because of overflow: hidden, it is just clipped. So nothing could escape the "Jail". This is good. So far, I have successfully jailed <p> inside div#jail for most kinds of client's HTML elements and CSS, except when user uses position: fixed;.

    div#jail .client_code {
      position: fixed;
      top: 0px;
    }

    The following is the screen capture, which the "jail" failed:

    post-8945-0-66431200-1387554793.png

    As shown above, if the position: fixed CSS is applied to the jailed elements, the result is that the line of text can be shown outside the box - i call it a breakthrough of the jail. This is not good.

    So, my question is, how to ensure everything are visually "jailed" inside the box? If position: fixed is the only CSS which can cause this breakthrough, i can just prohibit position: fixed and the Jail would be enforced. If there are any other ideas/design to achieve this, any solutions are welcomed! Thanks a lot!
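
One way to enforce the two rules these jail posts describe (every user rule prefixed with the jail selector, position: fixed refused) on the server. This is an added example, not the poster's code and not HTML Purifier's API: scope_user_css and its allow-lists are assumptions, and it rejects any CSS that its simple rule parser does not model.

```php
<?php
// Added example; function name and allow-lists are assumptions, not HTML Purifier's API.
const SAFE_POSITION = ['static', 'relative', 'absolute'];

function scope_user_css(string $css, string $scope = '#jail'): string
{
    // Refuse what this small parser does not model (comments, escapes, at-rules,
    // markup) instead of guessing how a browser would read it.
    if (preg_match('~/\*|\\\\|@|<~', $css)) {
        throw new InvalidArgumentException('unsupported CSS construct');
    }
    $rule = '/([^{}]+)\{([^{}]*)\}/';
    if (trim(preg_replace($rule, '', $css)) !== '') {
        throw new InvalidArgumentException('text outside a rule block');
    }
    preg_match_all($rule, $css, $rules, PREG_SET_ORDER);
    $out = [];
    foreach ($rules as [, $selectors, $body]) {
        $scoped = [];
        foreach (explode(',', $selectors) as $selector) {
            $selector = trim($selector);
            // No "+" or "~": once prefixed they would select siblings of the
            // jail. A leading combinator is refused for the same reason.
            if (!preg_match('/^[a-zA-Z.#*][\w.#*:> -]*$/', $selector)) {
                throw new InvalidArgumentException("selector not allowed: $selector");
            }
            $scoped[] = "$scope $selector";
        }
        $declarations = [];
        foreach (explode(';', $body) as $declaration) {
            if (trim($declaration) === '') {
                continue;
            }
            [$property, $value] = array_map('trim', explode(':', $declaration, 2) + [1 => '']);
            // Allow-list the value: "fixed" is laid out against the viewport,
            // so the jail's overflow: hidden does not clip it.
            if (strtolower($property) === 'position'
                && !in_array(strtolower($value), SAFE_POSITION, true)) {
                throw new InvalidArgumentException("position: $value is not allowed");
            }
            $declarations[] = "$property: $value";
        }
        $out[] = implode(', ', $scoped) . ' { ' . implode('; ', $declarations) . ' }';
    }
    return implode("\n", $out);
}

// Constructed sample input.
echo scope_user_css(".client_code { margin: 0; position: absolute; top: -8px }"), "\n";
try {
    scope_user_css(".client_code { position: fixed; top: 0px }");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Because every selector is emitted as a descendant of the scope, user rules can never target the jail element itself, so its own overflow setting stays in force.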
  9. Can you upload pictures please of your current design and what you want it to look like.

     

    This way I will be able to help you.

     

    Thanks MarkT for willing to help. Here are the screenshots for the design illustration.

     

    post-8945-0-48037300-1387554782_thumb.png

     

    Firstly, the red dotted line is the "Jail". The purpose is to make any HTML codes with any CSS (prefixed with div#jail) to visually keep inside the box. As shown above, the line of text tried to move out of the box. However, because of overflow: hidden, it is just clipped. So nothing could escape the "Jail". This is good.

     

    post-8945-0-66431200-1387554793_thumb.png

     

    Secondly, if the position: fixed CSS is applied to the jailed elements, the result is that it can be shown outside the box - i call it a breakthrough of the jail. This is not good.

     

     

    So, my question is, how to ensure everything are visually "jailed" inside the box? If position: fixed is the only CSS which can cause this breakthrough, i can just prohibit position: fixed and the Jail would be enforced.

  10. I am going to design a webpage, which contains <div>(s) that allow users to submit their (X)HTML with CSS, and being inserted into those <div>(s). I understand it will suffer from XSS seriously, so I will use HTML Purifier to sanitise the (X)HTML and CSS. For instance, I will definitely not allow <script>, <iframe>, and external resources. But I wish to allow almost all other tags and CSS attributes. Here comes the question. I wish to keep client elements (visually) inside the <div>(s). I have tried a partial solution, by using position: absolute; and overflow: hidden;, as follow:

    <html>
    <head>
    <style>
    div#jail {
      position: absolute;
      overflow: hidden;
      border: 1px dotted red;
      height: 200%; width: 50%;
      left: 25%; top: 25%;
    }
    /* All client's CSS is ensured prefixed with div#jail */
    div#jail .client_code {
      margin: 0;
      position: absolute;
      top: -8px;
      z-index: 1000;
    }
    </style>
    </head>
    <body>
    <div id="jail">
      <p class="client_code">elements being jailed</p>
    </div>
    </body>
    </html>

    So far, I have successfully jailed <p> inside div#jail for most kinds of client's HTML elements and CSS, except position: fixed;.

    div#jail .client_code {
      position: fixed;
      top: 0px;
    }

    So, is it ok to only block position: fixed;, and the jail would be tough and valid? If there are any other ideas/design to achieve this, any solutions are welcomed! Thanks a lot! That is, if users use CSS position: fixed;, their elements could breakthrough the jail:

  11. In my webpage, I am going allow clients (X)HTML. To avoid XSS, I will use HTML Purifier, and disable the <script> tag (and some other dangerous tags).

     

    Yet I would like to enable designers of those (X)HTML to use certain programming-like features, for example displaying a list of items, which would need a for-loop.

     

    Then I came up with the idea that : users submit the XSL code, I provide the XML with the data required by the users.

     

    As HTML Purifier cannot sanitise XSL code (can it?), my proposed flow would be:

    1. User submits a piece of XSL code.
    2. In the server, there are some sample data (sample XMLs). PHP is used to do the XSL transform with those sample XML data.
    3. Pass the output XHTML to HTML Purifier. If HTML Purifier detects any prohibited elements in the code, stop process and show the errors to user.
    4. If it passes HTML Purifier, check it against the W3C validator. (This is just a double check. Outputs from HTML Purifier should be valid.)
    5. Save the piece of XSL code into database. Use (include) it whenever needed.

    Do you think the flow above can assure the final XSL code saved into the database is clean (given that HTML Purifier is perfect)?

     

    Another concern is that, (this is the main question here), is it safe to accept arbitrary XSL codes, and perform XSL transform by PHP in the server? Could there be any security holes that some XSS, injection, etc being included in the XSL codes, such that being harmful to the server or the PHP programs?

     

    Finally, if there are any other ideas/design to achieve this, any solutions are welcomed!

     

     

    Thanks a lot!
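
The flow in this post, together with the white-list of XSLT tags and the Billion Laughs concern from the follow-up reply (post 7 above), can be enforced before the transform along these lines. This is an added example, not the poster's code: the function names and the contents of ALLOWED_XSL are assumptions, and it needs PHP's dom and xsl extensions.

```php
<?php
// Added example. Function names and the ALLOWED_XSL contents are assumptions.
const XSL_NS = 'http://www.w3.org/1999/XSL/Transform';
const ALLOWED_XSL = ['stylesheet', 'template', 'for-each', 'choose', 'when',
                     'otherwise', 'if', 'value-of', 'text'];

function load_untrusted_xml(string $source): DOMDocument
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches during parsing. LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately not set, so entities are not substituted.
    if (!$doc->loadXML($source, LIBXML_NONET)) {
        throw new InvalidArgumentException('not well-formed XML');
    }
    // Entity definitions (Billion Laughs) need a DOCTYPE, so refuse any.
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE is not allowed');
    }
    return $doc;
}

function assert_only_allowed_xsl(DOMDocument $xsl): void
{
    foreach ($xsl->getElementsByTagName('*') as $el) {
        if ($el->namespaceURI === XSL_NS) {
            if (!in_array($el->localName, ALLOWED_XSL, true)) {
                throw new InvalidArgumentException("xsl:{$el->localName} is not allowed");
            }
        } elseif ($el->namespaceURI !== null) {
            // Un-namespaced literal result elements only: no extension elements.
            throw new InvalidArgumentException("namespace {$el->namespaceURI} is not allowed");
        }
    }
}

function render_untrusted(string $xslSource, string $xmlSource): string
{
    $xsl = load_untrusted_xml($xslSource);
    assert_only_allowed_xsl($xsl);
    $proc = new XSLTProcessor();
    // Keep the default write restrictions and also deny file and network reads,
    // which covers document(). registerPHPFunctions() is never called.
    $proc->setSecurityPrefs(XSL_SECPREF_DEFAULT | XSL_SECPREF_READ_FILE | XSL_SECPREF_READ_NETWORK);
    if (!$proc->importStylesheet($xsl)) {
        throw new RuntimeException('libxslt rejected the stylesheet');
    }
    $out = $proc->transformToXml(load_untrusted_xml($xmlSource));
    if (!is_string($out)) {
        throw new RuntimeException('transform failed');
    }
    return $out; // still untrusted markup: pass it to HTML Purifier next
}

// Constructed sample input.
$xsl = '<xsl:stylesheet version="1.0" xmlns:xsl="' . XSL_NS . '"><xsl:template match="/">'
     . '<ul><xsl:for-each select="items/item"><li><xsl:value-of select="."/></li>'
     . '</xsl:for-each></ul></xsl:template></xsl:stylesheet>';
echo render_untrusted($xsl, '<items><item>a</item><item>b</item></items>');
```

Leaving xsl:import, xsl:include, xsl:call-template and xsl:apply-templates off the allow-list keeps stylesheets from pulling in other files or recursing; the element check does not inspect XPath expressions, which is why the read restrictions are set as well.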

  12. First of all, i am particularly focusing on the cross-reference across files feature.

     

    What is it? Simply say, it is like writing Java in Eclipse or Netbeans:

    • When we "dot" a class, a pull down list of member variables show up.
    • When we "ctrl + click" on a usage (of a variable, of a class, of a method, etc), it jumps to the definition of it.

    I particularly see this feature very helpful, especially when our project goes huge. If we don't need the benefits from this feature, why not use the free and quick editor - Notepad++ ?

     

    Many PHP dev tools are equipped with the reference feature. But not many of them can do it across different files. (means in case the definition occurs in a different file of usage.)

     

    While I was finding such a (free) IDE which can do this, I heard people keep saying the Eclipse PDT cannot reference across files. Until today, I give it a try. And surprisingly, Eclipse can do it!

     

    With the following code snippets:

     

    Car.php

    <?php
    class Car {
        public function get_type() {
            return $this->type;     // reference OK
        }
        public $type = 'ferrari';
    }
    class Engine {
        public function running_in() {      // in same file
            $car = new Car();               // of course this can ref Car
            echo $car->get_type();          // of course this ok too
            return $car->type;              // of course this ok as well
        }
    }
    ?>

    Driver.php

    <?php
    //include 'Car.php';        // works even without include
    $car = new Car();           // reference OK
    echo $car->get_type();      // reference OK
    echo $car->type;            // reference OK
    ?>

    Although this is a good news. Yet I still want to know why people says Eclipse PDT cannot reference across files? Is there any misunderstandings, that I am implementing it wrongly?

     

    Also, as many people say, Eclipse is slow because it is Java based. I am ok with the speed. But I still want a comparison list of features of different Web Dev IDE.

     

    Thanks for any input about Web Dev Tool discussion!

     

    P.S. In addition, JavaScript list of methods with browser supporting versions (like what Aptana has) would be a very nice feature too!

  13. Thanks very much for your help! I tried using border-bottom to simulate the underline. But it does not really like an ordinary underline - it is a few pixels further away from the text. I would like to use padding-bottom to pull it back. But padding-bottom does not allow negative values. Please have a look.

    <style type="text/css">
      a.one { color: #000000; text-decoration: none; }
      a.one:hover, a.one:active { text-decoration: underline; }
      a.two { color: #000000; text-decoration: none; padding: 0px 4px; }
      a.two:hover, a.two:active { border-bottom: 1px solid red; }
    </style>
    <a class="one" href="#"> w3schools </a>
    <a class="two" href="#">w3schools</a>

    Thanks, midnite

  14. Hi there, I would like to know if there is a nicer CSS approach for the following effect:

    <style type="text/css">
      a { color: #000000; text-decoration: none; }
      a:hover, a:active { text-decoration: underline; }
    </style>
    <a href="#"> w3schools </a>

    Using &nbsp; in both sides is a way. But can I use padding, and include a "box" inside the <a> and let the <a> underline the whole "box" with padding? (i tried but this does not work.) The concept is:

    <style type="text/css">
      a { color: #000000; text-decoration: none; }
      a:hover, a:active { text-decoration: underline; }
      div { padding: 0px 2px; }
    </style>
    <a href="#"><div>w3schools</div></a>

    It underlines only the words, but skipping the paddings :( THANKS very much for any helps or input!

    midnite

  15. Hi folks, When i did xslt_create(); and i got Fatal error: Call to undefined function xslt_create() in C:\Program Files\EasyPHP-5.3.9\www\index.php on line 7. I just guess the XSLT module is not installed in my EasyPHP by default. I did quite a few googling, but i still cannot find one set of installation steps works. May i ask if any one here has XSLT on EasyPHP and please kindly tell me how you did it. Many many many thanks!!

    midnite

    spec:
    Windows 7
    EasyPHP 5.3.9

  16. nope it is hard coded into every browser. If you could do this you could change anything about the site and fool people into giving to information, etc.
    can i access the DOM tree (or raw html) in a frame (not iframe)? i mean i just want to get information from the remote sites, not changing (not it's nothing different, i guess)
  17. Thanks for your help and sharing your experience =)

    What if adding an index to the field last_login in the table Login_table? Doing such a MAX() and JOIN will be just working on indexes. Will it be better?

    i am not feeling good if i am keeping any unnecessary redundant data. And also it has the risk of data inconsistency (login time is not that important though, if in the case of a forum or blog likes yours, it will be strange and unacceptable for the inconsistency). Of course, if you have already get your blog's joining and sorting fields indexed and it also cause a dramatic decrease in performance, i must buy your point =)

  18. i would like to show the time of a user last login upon that particular user login again. For example, if i logged in at 2/4 6:30. And when i login again next time, the system will remind me that "Last login: 2nd April, 2007 6:30p.m."

    i will keep a log for all the login and logout. So you can imagine that it will be a huge table!!

    And also, i will have a table holding members' information of course.

    Here comes my question,

    1) should i add a field "last_login" in the members' table,
    2) or querying the most recent date for a particular member's ID in the login logout log table for the last login information?

    Method 2 is better if this query is fast enough and mySQL allows many queries to access the same table at the same time.

    Otherwise, method 1 will do a lot better in performance but it has data redundancy.
