midnite

Members
  • Content Count: 179
Posts posted by midnite

  1. In the image attached below, in the (3) light blue content assist box, on the left there are 5 Firefox browser icons. What do they mean? Seemingly they mean those methods are only supported in Firefox. But of what versions? And if a certain element is supported in both Firefox and Chrome, but not IE, how will it show (as there is only 1 column space for 1 icon)?

     

    uKa4i.png

     

    (image from http://www.jetbrains.com/phpstorm/webhelp/familiarize-yourself-with-phpstorm-editor.html)

     


     

    On the other hand, in Aptana, there are different columns of browser icons, showing levels of support by light up or not.

     

    TO4qX.png

     

    (image from http://aptana.com/products/studio3)

     

    In addition, in the description area, detailed browser versions of support is also shown.

     

    VL5bX.png

     

    (image from my test of Eclipse + Aptana plugin)

     


     

    If one asks why don't i just use Aptana, and forget about PHPStorm? As there are some significant drawbacks while coding JS in Aptana, and some say Aptana browser version support is not worth trusting. That's why I am looking for different IDEs.

     


     

    In conclusion, how to understand browser icons in PHPStorm content assist?

  2. Thanks DaveJ. Yes it is tricky for both PHP and JS, as the classes are not really related to the files. I have tested for a few versions of Eclipse. Most of them can cross-files reference PHP. But when it comes to JS, it depends (will be explained later).

     

    While testing different IDEs, i particularly like the Aptana or the Eclipse with the Aptana plugin, which provides "level of support for each element in the major web browsers" in its content assist (works for both PHP & JS): (Does Netbeans have this?)

    S3-1-lrg.png

     

    Let me sidetrack a bit. As far as i know, there are 3 ways to define classes (objects) in JS:

    A) using var o = {}

    var o = {
      field: "...",
      method: function() { /* ... */ }
    };

    B) using function() {}

    function f() {
      this.field = "...";
      this.method = function() { /* ... */ };
    }

    C) using var a = function () {}

    var a = function () {
      this.field = "...";
      this.method = function() { /* ... */ };
    };

    However, neither Aptana nor Eclipse with Aptana plugin can cross-files reference objects defined by method B and C. Both of them only work for method A.

     

    On the other hand, Eclipse with the JavaScript Development Tool (JSDT) plugin, or Eclipse with the PHP Development Tool (PDT) plugin, they only work for method B and C. In addition, they cannot show browser version support in the content assist (as they are not Aptana).

     

    As a result, i have to use both Eclipse + Aptana and Eclipse + JSDT for a complete function. Using two IDEs at the same time is not convenient.

     

    In conclusion, a perfect IDE for me would be:

    1. Cross-file reference for both PHP and JavaScript (for all methods #A #B #C).
    2. Showing browser version support in the content assist.

    (1 would be the priority, 2 is the second most important though.)

     

    Note that, in my tests, no Eclipse version can satisfy #1.

  3. Thanks DaveJ. What I am looking for is exactly the feature you mentioned in your first paragraph. Yes it seems to be a must-have feature for every Java IDE. But for PHP and JS, some IDEs cannot do this. They can only look up the class definition within the same file.

  4. Thanks DaveJ for reply. What do you mean? In fact I can code well in Notepad++ or even Notepad. But as I would like to make my JS and PHP go OO, build some objects like i did in Java, an IDE with cross-files referencing would be very very handy (esp eliminate many misspells).

  5. dsonesuk, i used overflow: hidden; to visually hide elements going outside the #jail. In your examples, you used overflow: auto; (which i found it is even better as it adds the scroll bars if necessary) that can also prevent HTML goes visually outside the #jail. Do you think it is enough?

  6. Thanks dsonesuk for explaining about the governing elements. I have a question.

    To force position: absolute; elements positioning to be governed by the parent container they are in, the parent container must use position: relative; otherwise its position will be governed by a outer element container using position: relative OR if none exists the browser window outer edges.

    In my simple test below, for a position: absolute; inner element, in addition to being governed by a position: relative; outer element, it can also be governed by a position: absolute; outer element. Isn't it?

    <html>
    <head>
    <style>
    #outer {
      position: absolute;
      overflow: auto;
      border: 1px dotted red;
      height: 200%; width: 50%;
      left: 25%; top: 25%;
    }
    #inner {
      position: absolute;
      top: -10px; right: -10px;
    }
    </style>
    </head>
    <body>
    <div id="outer">
      <div id="inner">
        just a line of text
      </div>
    </div>
    </body>
    </html>

    However, I do agree that, if both position: relative; and position: absolute; can be used to govern the inner elements, using position: relative; would be a better choice, as it is more friendly to other elements in the webpage.


    Position: fixed; positioning is ONLY governed by the browser window outer edges.

    Secondly, do you mean that position: fixed; "reports" only to the browser window outer edges, thus position: fixed; elements can always breakthrough (ignore) its outer element(s)?


    I guess I didn't state my question and objective clear enough in the first post.
    • I will have a <div id="jail"></div> in my webpage.
    • Inside the <div id="jail"></div>, I will load the user-supplied (X)HTML codes.
      • To prevent XSS, those user-supplied (X)HTML codes will be sanitised by HTML Purifier.
    • I will allow also user-supplied CSS for adding styles to their elements.
      • To avoid user-supplied CSS messing up with my elements, all user-supplied CSS will be prefixed with #jail.
    • My objective is to add certain styles to <div id="jail"></div> (or using any other approaches) such that no user-supplied content will be displayed outside <div id="jail"></div>.

    Thanks dsonesuk again for your help. Do you have any ideas?

  7. I don't do much with XML or XSL, but it seems like a weak point of that might be your test cases. There might be some XSL which will pass your test cases but would do something different with other XML data. In general though, XSL is not to be trusted. People can include other XSL files from other domains or any number of other things. If you are accepting untrusted XSL and you're using it to produce output for your site, then that is definitely a security issue. There is a summary of some of the issues here: http://msdn.microsoft.com/en-us/library/ms763800(v=vs.85).aspx

    Thanks @justsomeguy for providing this reminder that XSLT will cause DoS and XSS. In addition, some others also say that XSL is Turing Complete that can do anything to harm the server and scripts. In addition, I would have to avoid the Billion Laughs attack in XML too. I guess I have to modify my step (1) to:

    1. User submits a piece of XSL code XHTML code with my special tags - for example, I allow [for-each], [choose], [when], etc.
       • As they are in fact a white-list of XSLT tags, then i validate and replace those tags with actual XSLT tags.
    2. In the server, there are some sample data (sample XMLs). PHP is used to do the XSL transform with those sample XML data.
    3. Pass the output XHTML to HTML Purifier. If HTML Purifier detects any prohibited elements in the code, stop process and show the errors to user.
    4. If it passes HTML Purifier, check it against the W3C validator. (This is just a double check. Outputs from HTML Purifier should be valid.)
    5. Save the piece of XSL code into database. Use (include) it whenever needed.

     

    For the sample test cases, I will include as many special cases as possible.
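
The white-list translation and sample transform described in the post above, as an added PHP example that is not part of the original post: bracket tags become XSLT only if they are on an allow-list, DOCTYPE/entity declarations (the Billion Laughs vector) are refused, and the transform runs with file and network reads disabled. The function names, the [otherwise] and [value-of] tags, the restricted expression character set and the sample data are assumptions; PHP's xsl extension must be enabled.

```php
<?php
// Added example. Function names and the "otherwise"/"value-of" tags are assumptions.
const ALLOWED = ['for-each' => 'select', 'choose' => '', 'when' => 'test',
                 'otherwise' => '', 'value-of' => 'select'];

function bracketsToXslt(string $src): string
{
    // Refuse raw XSLT, namespace declarations, DOCTYPE/entities, comments,
    // processing instructions and {attribute value templates} up front.
    if (preg_match('~<[!?]|xsl:|xmlns|[{}]~i', $src)) {
        throw new InvalidArgumentException('forbidden markup in template');
    }
    $tag = '~\[(/?)([a-z-]+)(?:\s+([a-z]+)="([^"]*)")?\s*(/?)\]~';
    return preg_replace_callback($tag, function (array $m): string {
        [, $close, $name, $attr, $value, $empty] = $m;
        if (!array_key_exists($name, ALLOWED)) {
            throw new InvalidArgumentException("tag '$name' is not allowed");
        }
        if ($close === '/') {
            if ($attr !== '' || $empty !== '') {
                throw new InvalidArgumentException("malformed closing tag '$name'");
            }
            return "</xsl:$name>";
        }
        if ($attr !== ALLOWED[$name]) {
            throw new InvalidArgumentException("wrong attribute on '$name'");
        }
        // Conservative XPath subset: no "(" (so no function calls such as
        // document()), no "$", "|", ":" and no predicates.
        if ($attr !== '' && !preg_match('~^[\w@/.= \'<>!-]+$~', $value)) {
            throw new InvalidArgumentException("expression not allowed in '$name'");
        }
        $xml = $attr === '' ? '' : ' ' . $attr . '="'
            . htmlspecialchars($value, ENT_QUOTES | ENT_XML1) . '"';
        return '<xsl:' . $name . $xml . $empty . '>';
    }, $src);
}

function renderSample(string $template, DOMDocument $data): string
{
    libxml_use_internal_errors(true);
    $sheet = '<xsl:stylesheet version="1.0" '
        . 'xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
        . '<xsl:output method="xml" omit-xml-declaration="yes"/>'
        . '<xsl:template match="/">' . bracketsToXslt($template)
        . '</xsl:template></xsl:stylesheet>';
    $xsl = new DOMDocument();
    if (!$xsl->loadXML($sheet, LIBXML_NONET)) {   // also catches bad nesting
        throw new InvalidArgumentException('template is not well-formed');
    }
    $proc = new XSLTProcessor();    // registerPHPFunctions() is never called
    $proc->setSecurityPrefs(XSL_SECPREF_DEFAULT | XSL_SECPREF_READ_FILE | XSL_SECPREF_READ_NETWORK);
    if (!$proc->importStylesheet($xsl)) {
        throw new InvalidArgumentException('template is not valid XSLT');
    }
    return (string) $proc->transformToXml($data); // next stop: HTML Purifier
}

// Constructed sample data and templates.
$data = new DOMDocument();
$data->loadXML('<items><item><name>Tea</name><price>3</price></item>'
    . '<item><name>Saffron</name><price>40</price></item></items>');
echo renderSample('<ul>[for-each select="items/item"]<li>[value-of select="name"/]'
    . '[choose][when test="price > 10"] (premium)[/when][/choose]</li>'
    . '[/for-each]</ul>', $data), "\n";
try {
    renderSample('[value-of select="document(\'x.xml\')"/]', $data);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```
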

  8. I am going to design a webpage, which contains <div>(s) that allow users to submit their (X)HTML with CSS, and being inserted into those <div>(s). I understand it will suffer from XSS seriously, so I will use HTML Purifier to sanitise the (X)HTML and CSS. For instance, I will definitely not allow <script>, <iframe>, and external resources. But I wish to allow almost all other tags and CSS attributes. Here comes the question. I wish to keep client elements (visually) inside the <div>(s). I have tried a partial solution, by using position: absolute; and overflow: hidden;, as follow:

    <html>
    <head>
    <style>
    div#jail {
      position: absolute;
      overflow: hidden;
      border: 1px dotted red;
      height: 200%; width: 50%;
      left: 25%; top: 25%;
    }
    /* All client's CSS is ensured prefixed with div#jail */
    div#jail .client_code {
      margin: 0;
      position: absolute;
      top: -8px;
      z-index: 1000;
    }
    </style>
    </head>
    <body>
    <div id="jail">
      <p class="client_code">elements being jailed</p>
    </div>
    </body>
    </html>

    The effect of the codes above is as follow:

    post-8945-0-48037300-1387554782.png

    The red dotted line is the "Jail". The purpose is to make any HTML codes with any CSS (prefixed with div#jail) to visually keep inside the box. As shown above, the line of text tried to move out of the box. However, because of overflow: hidden, it is just clipped. So nothing could escape the "Jail". This is good.

    So far, I have successfully jailed <p> inside div#jail for most kinds of client's HTML elements and CSS, except when user uses position: fixed;.

    div#jail .client_code {
      position: fixed;
      top: 0px;
    }

    The following is the screen capture, which the "jail" failed:

    post-8945-0-66431200-1387554793.png

    As shown above, if the position: fixed CSS is applied to the jailed elements, the result is that the line of text can be shown outside the box - i call it a breakthrough of the jail. This is not good.

    So, my question is, how to ensure everything are visually "jailed" inside the box? If position: fixed is the only CSS which can cause this breakthrough, i can just prohibit position: fixed and the Jail would be enforced. If there are any other ideas/design to achieve this, any solutions are welcomed! Thanks a lot!
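
One way to enforce the #jail prefix and the position: fixed prohibition described in the post above, as an added PHP example that is not part of the original post and is not HTML Purifier's API. It accepts only plain `selector { property: value }` rules and refuses anything it cannot reason about; the function names, the accepted character sets and the sample CSS are assumptions.

```php
<?php
// Added example. scopeCss() and its helpers are hypothetical names.

function scopeCss(string $css, string $scope = '#jail'): string
{
    // Refuse what this small grammar cannot reason about: escapes, at-rules,
    // markup, quoted strings, comments, url() (external resources) and
    // var() (which could hide the value "fixed").
    if (preg_match('~[\\\\@<"\']|/\*|url\s*\(|var\s*\(~i', $css)) {
        throw new InvalidArgumentException('unsupported CSS construct');
    }
    $rules = [];
    $rest = preg_replace_callback('~([^{}]+)\{([^{}]*)\}~',
        function (array $m) use (&$rules, $scope): string {
            $rules[] = scopeSelectors($m[1], $scope)
                . ' { ' . checkDeclarations($m[2]) . ' }';
            return '';
        }, $css);
    if (trim($rest) !== '') {
        throw new InvalidArgumentException('unbalanced or stray CSS');
    }
    return implode("\n", $rules);   // rebuilt from parsed parts, not passed through
}

function scopeSelectors(string $list, string $scope): string
{
    $out = [];
    foreach (explode(',', $list) as $sel) {
        $sel = trim(preg_replace('/\s+/', ' ', $sel));
        // Must start with a simple selector: a leading combinator such as
        // "~ div" would become "#jail ~ div" and style the jail's siblings.
        if (!preg_match('/^[a-z0-9_.#*\[:][a-z0-9_.#*\[\]=:>+~ -]*$/i', $sel)) {
            throw new InvalidArgumentException("selector not allowed: $sel");
        }
        $out[] = "$scope $sel";
    }
    return implode(', ', $out);
}

function checkDeclarations(string $block): string
{
    $out = [];
    foreach (explode(';', $block) as $decl) {
        if (trim($decl) === '') {
            continue;
        }
        if (!preg_match('/^\s*([a-z-]+)\s*:\s*(.+?)\s*$/is', $decl, $m)) {
            throw new InvalidArgumentException('malformed declaration: ' . trim($decl));
        }
        $prop = strtolower($m[1]);
        if ($prop === 'position' && stripos($m[2], 'fixed') !== false) {
            throw new InvalidArgumentException('position: fixed is prohibited');
        }
        $out[] = $prop . ': ' . $m[2];
    }
    return implode('; ', $out);
}

// Constructed sample input.
$userCss = ".client_code { margin: 0; position: absolute; top: -8px }\n"
         . "p, .note > b { color: red }";
echo scopeCss($userCss), "\n";
try {
    scopeCss('.client_code { POSITION : fixed !important; top: 0px }');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```
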
  9. Can you upload pictures please of your current design and what you want it to look like.

     

    This way I will be able to help you.

     

    Thanks MarkT for willing to help. Here are the screenshots for the design illustration.

     

    post-8945-0-48037300-1387554782_thumb.png

     

    Firstly, the red dotted line is the "Jail". The purpose is to make any HTML codes with any CSS (prefixed with div#jail) to visually keep inside the box. As shown above, the line of text tried to move out of the box. However, because of overflow: hidden, it is just clipped. So nothing could escape the "Jail". This is good.

     

    post-8945-0-66431200-1387554793_thumb.png

     

    Secondly, if the position: fixed CSS is applied to the jailed elements, the result is that it can be shown outside the box - i call it a breakthrough of the jail. This is not good.

     

     

    So, my question is, how to ensure everything are visually "jailed" inside the box? If position: fixed is the only CSS which can cause this breakthrough, i can just prohibit position: fixed and the Jail would be enforced.

  10. I am going to design a webpage, which contains <div>(s) that allow users to submit their (X)HTML with CSS, and being inserted into those <div>(s). I understand it will suffer from XSS seriously, so I will use HTML Purifier to sanitise the (X)HTML and CSS. For instance, I will definitely not allow <script>, <iframe>, and external resources. But I wish to allow almost all other tags and CSS attributes. Here comes the question. I wish to keep client elements (visually) inside the <div>(s). I have tried a partial solution, by using position: absolute; and overflow: hidden;, as follow:

    <html>
    <head>
    <style>
    div#jail {
      position: absolute;
      overflow: hidden;
      border: 1px dotted red;
      height: 200%; width: 50%;
      left: 25%; top: 25%;
    }
    /* All client's CSS is ensured prefixed with div#jail */
    div#jail .client_code {
      margin: 0;
      position: absolute;
      top: -8px;
      z-index: 1000;
    }
    </style>
    </head>
    <body>
    <div id="jail">
      <p class="client_code">elements being jailed</p>
    </div>
    </body>
    </html>

    So far, I have successfully jailed <p> inside div#jail for most kinds of client's HTML elements and CSS, except position: fixed;. That is, if users use CSS position: fixed;, their elements could breakthrough the jail:

    div#jail .client_code {
      position: fixed;
      top: 0px;
    }

    So, is it ok to only block position: fixed;, and the jail would be tough and valid? If there are any other ideas/design to achieve this, any solutions are welcomed! Thanks a lot!

  11. In my webpage, I am going allow clients (X)HTML. To avoid XSS, I will use HTML Purifier, and disable the <script> tag (and some other dangerous tags).

     

    Yet I would like to enable designers of those (X)HTML to use certain programming-like features, for example displaying a list of items, which would need a for-loop.

     

    Then I came up with the idea that : users submit the XSL code, I provide the XML with the data required by the users.

     

    As HTML Purifier cannot sanitise XSL code (can it?), my proposed flow would be:

    1. User submits a piece of XSL code.
    2. In the server, there are some sample data (sample XMLs). PHP is used to do the XSL transform with those sample XML data.
    3. Pass the output XHTML to HTML Purifier. If HTML Purifier detects any prohibited elements in the code, stop process and show the errors to user.
    4. If it passes HTML Purifier, check it against the W3C validator. (This is just a double check. Outputs from HTML Purifier should be valid.)
    5. Save the piece of XSL code into database. Use (include) it whenever needed.

    Do you think the flow above can assure the final XSL code saved into the database is clean (given that HTML Purifier is perfect)?

     

    Another concern is that, (this is the main question here), is it safe to accept arbitrary XSL codes, and perform XSL transform by PHP in the server? Could there be any security holes that some XSS, injection, etc being included in the XSL codes, such that being harmful to the server or the PHP programs?

     

    Finally, if there are any other ideas/design to achieve this, any solutions are welcomed!

     

     

    Thanks a lot!

  12. First of all, i am particularly focusing on the cross-reference across files feature.

     

    What is it? Simply say, it is like writing Java in Eclipse or Netbeans:

    • When we "dot" a class, a pull down list of member variables show up.
    • When we "ctrl + click" on a usage (of a variable, of a class, of a method, etc), it jumps to the definition of it.

    I particularly see this feature very helpful, especially when our project goes huge. If we don't need the benefits from this feature, why not use the free and quick editor - Notepad++ ?

     

    Many PHP dev tools are equipped with the reference feature. But not many of them can do it across different files. (means in case the definition occurs in a different file of usage.)

     

    While I was finding such a (free) IDE which can do this, I heard people keep saying the Eclipse PDT cannot reference across files. Until today, I give it a try. And surprisingly, Eclipse can do it!

     

    With the following code snippets:

     

    Car.php

    <?php
    class Car {
        public function get_type() {
            return $this->type;     // reference OK
        }
        public $type = 'ferrari';
    }
    class Engine {
        public function running_in() {      // in same file
            $car = new Car();               // of course this can ref Car
            echo $car->get_type();          // of course this ok too
            return $car->type;              // of course this ok as well
        }
    }
    ?>

    Driver.php

    <?php
    //include 'Car.php';        // works even without include
    $car = new Car();           // reference OK
    echo $car->get_type();      // reference OK
    echo $car->type;            // reference OK
    ?>

    Although this is a good news. Yet I still want to know why people say Eclipse PDT cannot reference across files? Is there any misunderstandings, that I am implementing it wrongly?

     

    Also, as many people say, Eclipse is slow because it is Java based. I am ok with the speed. But I still want a comparison list of features of different Web Dev IDE.

     

    Thanks for any input about Web Dev Tool discussion!

     

    P.S. In addition, JavaScript list of methods with browser supporting versions (like what Aptana has) would be a very nice feature too!

  13. Thanks very much for your help! I tried using border-bottom to simulate the underline. But it does not really like an ordinary underline - it is a few pixels further away from the text. I would like to use padding-bottom to pull it back. But padding-bottom does not allow negative values. Please have a look.

    <style type="text/css">
      a.one { color: #000000; text-decoration: none; }
      a.one:hover, a.one:active { text-decoration: underline; }
      a.two { color: #000000; text-decoration: none; padding: 0px 4px; }
      a.two:hover, a.two:active { border-bottom: 1px solid red; }
    </style>
    <a class="one" href="#"> w3schools </a>
    <a class="two" href="#">w3schools</a>

    Thanks,
    midnite

  14. Hi there, I would like to know if there is a nicer CSS approach for the following effect:

    <style type="text/css">
      a { color: #000000; text-decoration: none; }
      a:hover, a:active { text-decoration: underline; }
    </style>
    <a href="#"> w3schools </a>

    Using &nbsp; in both sides is a way. But can I use padding, and include a "box" inside the <a> and let the <a> underline the whole "box" with padding? (i tried but this does not work.) The concept is:

    <style type="text/css">
      a { color: #000000; text-decoration: none; }
      a:hover, a:active { text-decoration: underline; }
      div { padding: 0px 2px; }
    </style>
    <a href="#"><div>w3schools</div></a>

    It underlines only the words, but skipping the paddings :(

    THANKS very much for any helps or input!

    midnite

  15. Hi folks,

    When i did xslt_create(); and i got Fatal error: Call to undefined function xslt_create() in C:\Program Files\EasyPHP-5.3.9\www\index.php on line 7. I just guess the XSLT module is not installed in my EasyPHP by default. I did quite a few googling, but i still cannot find one set of installation steps works. May i ask if any one here has XSLT on EasyPHP and please kindly tell me how you did it. Many many many thanks!!

    midnite

    spec:
    Windows 7
    EasyPHP 5.3.9

    • Like 1
  16. Hi Synook,

    Thanks very much for the reply and thanks for reminding me that PHP has an inbuilt timeout. So it is almost impossible to have periodic task on its own. Using cron on Linux is a good idea.

    A bit off topic. In your opinion, is it that Java seems to be the best choice, compared to C and PHP, if I have to access HTML, analyse DOM, and do it periodically? But outputting webpages from Java is definitely not as handy as PHP does.

    Best Regards,
    midnite

  17. Hi there,

    Is there any way that PHP alone can perform periodic tasks?

    There are a few solutions, with the help of the third parties:

    1) using JavaScript setTimeout() or setInterval() on a webpage to periodically request the PHP script. But we have to keep the web browser open. If the browser is closed, everything stops.

    2) using the OS scheduler, or another language to periodically call that PHP script. This will make the program become less portable. And also, if using another language to call the PHP, why not having the application written in that language.

    JS runs on web browser. PHP runs on web server. But PHP relies on browser calls to be triggered. My question seems like asking if PHP can escape from browser calls, run on its own on the web server. It is still alright if the PHP script has to be triggered by a browser call. But is it possible to keep the PHP script running after just one browser call (and close the browser)?

    Thank you very much,
    midnite

  18. Step 1: open http://www.w3schools.com/js/tryit.asp?filename=tryjs_intro in a new browser.

    Step 2: copy the following codes into the left text box and press the button "Edit and Click Me >>"

    * because the code contains a rough testing framework written by me, and it generates a table with highlights. <table> cannot be shown here. This will be the best way to illustrate my question =)

    <script>
    function myClass () {
      this.public_var = "i m public";
      var private_var = "i m private";
      this.public_func = function () {
        document.write ("in public function<br>");
        document.write ("public_func->private_var (" + private_var + ")<br>");
        document.write ("public_func->public_var (" + public_var + ")");
      }
      this.public_func_this = function () {
        document.write ("in public function<br>");
        document.write ("public_func->this.private_var (" + this.private_var + ")<br>");
        document.write ("public_func->this.public_var (" + this.public_var + ")");
      }
      var that = this;
    }
    var stat_to_try = [
      'var myObj = new myClass ("sth");',
      'myObj.public_func();',
      'myObj.public_func_this();',
    ]
    document.write ("<style>td,th{padding:0 5;}.err{color:red;}</style>");
    document.write ('<table border="1">');
    document.write ('<tr><th>statments to try<th>results / <span class="err">error</span>');
    for (var i=0; i<stat_to_try.length; i++) {
      document.write ("<tr><td>"+stat_to_try[i]+"<td>");
      try { eval (stat_to_try[i]);
      } catch (e) { document.write ('<span class="err">'+e+"</span>");
      } finally { document.write (" "); }
    }
    document.write ("</table>");
    </script>

    alright, here's the questions:

    1) Why a public property is not accessible in a public method (public_func) directly? (ReferenceError: public_var is not defined)

    2) Why after using the "this" keyword, the public property is now can be accessed in a public method?

    3) Why after using the "this" keyword, the private property is now become "undefined"? (public_func->this.private_var (undefined))

    Isn't both public and private property can be accessed by a public method, without any problem?

    Thanks for your help in advance :)
