Most evil HTML tag?

Please compose all posts in Emacs.

Moderators: phlip, Moderators General, Prelates

Which HTML tag is most evil?

<blink>
46
23%
<marquee>
28
14%
<frame>/<frameset>
24
12%
<center>
1
1%
<iframe>
10
5%
<table>
2
1%
<bgsound>
58
30%
<audio>
0
No votes
<sound>
0
No votes
<object>
1
1%
<applet>
2
1%
<embed>
6
3%
<script>
7
4%
<otter alt="duck">
11
6%
 
Total votes: 196

User avatar
Steax
SecondTalon's Goon Squad
Posts: 3038
Joined: Sat Jan 12, 2008 12:18 pm UTC

Re: Most evil HTML tag?

Postby Steax » Sat Dec 01, 2012 6:26 am UTC

How would pointerlock be abused by advertisers?

Not to mention the fact that it should always ask for user request before locking.
In Minecraft, I use the username Rirez.

User avatar
astrekmaster
Posts: 24
Joined: Sat Nov 26, 2011 8:27 pm UTC
Location: The Earth

Re: Most evil HTML tag?

Postby astrekmaster » Sat Dec 01, 2012 8:29 am UTC

This specification defines an API that provides scripted access to raw mouse movement data while locking the target of mouse events to a single element and removing the cursor from view.

So, theoretically an advertisement could lock you into an element (the ad). When I posted the hyperlink, I guess I didn't look at the webpage.

Here's the source for the quote above: http://dvcs.w3.org/hg/pointerlock/raw-file/default/index.html
I define progress on a computer problem as getting a different error message.

User avatar
Steax
SecondTalon's Goon Squad
Posts: 3038
Joined: Sat Jan 12, 2008 12:18 pm UTC

Re: Most evil HTML tag?

Postby Steax » Sat Dec 01, 2012 9:02 am UTC

I do expect responsible browsers to provide security features on that. Also, theoretically an advertisement can also run a click event on an ad. So it doesn't seem very dangerous over what's currently happening/possible, and the advertisers are expected not to screw around with that (since it kind of totally destroys the user experience in the first place).

That said, I do see some potentially evil purposes, such as making a "phantom" cursor (just an image element set to move around to mimic mouse movements), making people click wrongly on stuff. Or something like that. But as long as the cursor can't actually "click" anything, I don't really see how it could lead to clickjacking or something dangerous...
In Minecraft, I use the username Rirez.

User avatar
Xanthir
My HERO!!!
Posts: 5334
Joined: Tue Feb 20, 2007 12:49 am UTC
Location: The Googleplex
Contact:

Re: Most evil HTML tag?

Postby Xanthir » Sun Dec 02, 2012 9:18 pm UTC

As the spec is written by a coworker, whom I helped on it, I can tell you that your fears are unfounded. The security section of the spec is unfortunately slightly vague, because it's still not certain how much leeway browsers will have in allowing pointer lock, but at minimum it should only be triggered by a user gesture (that is, you can only call pointer lock as part of a click event handler on the element or a parent), and you can always use Escape to get your pointer back. I believe that Chrome at least will allow pointer-lock freely while you're in full-screen mode.
(defun fibs (n &optional (a 1) (b 1)) (take n (unfold '+ a b)))

Pingouin7
Posts: 91
Joined: Thu Oct 27, 2011 4:50 pm UTC
Location: ~/

Re: Most evil HTML tag?

Postby Pingouin7 » Tue Dec 04, 2012 1:30 pm UTC

I thought about answering <iframe> because of the specific iframe that BSoD's any Windows 7 64-bits computer viewing said page through Safari.
But then I remembered that wasn't actually evil, so I voted for <script>.
Last edited by Pingouin7 on Fri Dec 14, 2012 2:54 pm UTC, edited 10 times in total.
Dason wrote:
Kewangji wrote:I confess I am actually scared of peanuts, and tend to avoid them, given how lethal they are to some people.

I'm not. I do my part in the fight against peanuts by destroying them with my powerful teeth. Take that peanut! How does being digested feel!?

wumpus
Posts: 533
Joined: Thu Feb 21, 2008 12:16 am UTC

Re: Most evil HTML tag?

Postby wumpus » Sat Dec 08, 2012 7:43 pm UTC

I used to go with <blink>, but during the snowpocolapse/snowmegeddon/snowoverkill sequence the washingtonpost's weather group linked to a website containing additional important instructions when dealing with these storms. The site consisted of <blink>panic</blink>, plus some additional tags to center and enlarge the font. I am curious if the other evil tags have had "good" uses.

User avatar
tetsujin
Posts: 426
Joined: Thu Nov 15, 2007 8:34 pm UTC
Location: Massachusetts
Contact:

Re: Most evil HTML tag?

Postby tetsujin » Tue Feb 19, 2013 3:12 pm UTC

I'd say the most evil bits are those that nest Javascript within other tags in ways that make the HTML difficult to sanitize.

For instance, the different event-response tag attributes, like onhover... Having more ways to put Javascript code into HTML makes it more difficult to write an HTML sanitizer that can protect you from XSS.
---GEC
I want to create a truly new command-line shell for Unix.
Anybody want to place bets on whether I ever get any code written?

snotrocket
Posts: 0
Joined: Mon Mar 25, 2013 3:13 am UTC
Location: Carmel, IN

Re: Most evil HTML tag?

Postby snotrocket » Mon Mar 25, 2013 3:31 am UTC

I voted blink but bgsound may have been a better choice. Nah, bgsound is definitely more evil. blink is just dumb.


Return to “Religious Wars”

Who is online

Users browsing this forum: No registered users and 4 guests