Changes made to the way javascript is handled in ProZ.com profiles
Thread poster: Jason Grimes
Henry Dotterer
Local time: 17:43
SITE FOUNDER
Explanation to Uldis Aug 7, 2009

Uldis Liepkalns wrote:
Thank you for your efforts, however I fail to see what security improvements are brought about...

Javascript can contain harmful content. The idea is that a viewer should be given an opportunity to accept it or not.


 
Henry Dotterer
Local time: 17:43
SITE FOUNDER
The support staff can help walk people through this Aug 8, 2009

Nancy Lynn Bogar wrote:

(and I could swear I just posted this but it's disappeared, so I'm trying again.)

Because I don't know the first thing about this I clicked on my profile, got the message and clicked on No to see what that would give, and the answer is a blank box under About Me. And now it seems that choice is sticky, because clicking again in another page on my profile gives me the blank About Me section again. Am I alone? I mean, I'm a long-avowed techno-bimbo, but I can't be alone, can I?

Nancy

Hi Nancy,

I can help you! For others in this position, please enter a support ticket so that we can assist you with this transition.

Henry


 
Uldis Liepkalns  Identity Verified
Latvia
Local time: 00:43
Member (2003)
English to Latvian
+ ...
Hi Henry Aug 8, 2009

Yes, Javascript can contain viruses. However, that's what antivirus programs are invented for and take their fair share in the IT market. But what does Javascript have to do with illegal information harvesting? From my Javascripts the client can obtain such crucial info as Latvian local time and my and his location (the first of which is already shown in my profile).

Uldis

Henry D wrote:

Uldis Liepkalns wrote:
Thank you for your efforts, however I fail to see what security improvements are brought about...

Javascript can contain harmful content. The idea is that a viewer should be given an opportunity to accept it or not.


[Edited at 2009-08-08 00:26 GMT]


 
Uldis Liepkalns  Identity Verified
Latvia
Local time: 00:43
Member (2003)
English to Latvian
+ ...
About "harmful contents" Aug 8, 2009

Henry D wrote:
Javascript can contain harmful content.


There are a few corporate solutions available for fighting harmful contents on a corporate level. Price/quality wise I'd advise Kaspersky, however other people prefer Symantec or McAfee.

The choice, sure, is not for me to make, however, as my company daily translates about 5-10 pages for one of the major antivirus providers (and I usually read the materials), I can assure you: any malware, spyware, viruses and other newly invented categories of harmful programs are not a problem for a site the size of ProZ, if you employ appropriate corporate protection tools (yes, costing a fortune for a small company, but the expenses will be just a sneeze for a company of ProZ's size).

I have used Kaspersky since 1997 (transferred to it then, as McAfee couldn't cope with the Chernobyl virus I got, but Kaspersky could) and since then have not had a single virus incident.

Uldis


[Edited at 2009-08-08 00:53 GMT]


 
Jason Grimes
Local time: 17:43
SITE STAFF
TOPIC STARTER
Nancy, fixed your profile display. How to toggle display of dynamic content Aug 8, 2009

Nancy Lynn Bogar wrote:
Because I don't know the first thing about this I clicked on my profile, got the message and clicked on No to see what that would give, and the answer is a blank box under About Me. And now it seems that choice is sticky, because clicking again in another page on my profile gives me the blank About Me section again.


Hi Nancy,

There was some broken HTML in your "about me" section which I've cleaned up. Please let me know if it still doesn't look right. (There also seems to be a broken image link but I left that there in case you want to correct the URL.)

Regarding the "sticky" choice of whether to view dynamic content, here's some info from the FAQ:

The first time you view the profile you'll be prompted whether to enable the dynamic content. Your preference will be stored in a "cookie" in your web browser, so you won't be prompted again when viewing that member's profile in that browser. If you later wish to change your preference, and enable or disable the content, click the "settings" link in the dynamic content notice at the upper right of the page.


I hope this helps. If anyone else finds that their profile doesn't display correctly, please submit a support ticket for assistance.

Thanks,

Jason


 
Henry Dotterer
Local time: 17:43
SITE FOUNDER
You misunderstand, Uldis Aug 8, 2009

Uldis Liepkalns wrote:
I have used Kaspersky since 1997 (transferred to it then, as McAfee couldn't cope with the Chernobyl virus I got, but Kaspersky could) and since then have not had a single virus incident.

You misunderstand. The threat here is not a virus, but I'll spare the details for reasons you may understand. What we are implementing here is a standard security measure. It was inappropriate for dynamic content to have been allowed with so few restrictions to date.


 
Özden Arıkan  Identity Verified
Germany
Local time: 23:43
Member
English to Turkish
+ ...
I still don't understand Aug 8, 2009

I mean I must be missing some crucial point along the way here:

-javascript makes profile data vulnerable to attack
-visitor of a profile will either turn java on or off, doesn't matter from the viewpoint of security
-attacker will certainly know to turn it on
-so what follows logically, from the viewpoint of security again, is that javascript should be completely disabled, giving people sufficient time to re-arrange their profiles. How will making it optional improve security? I mean, if you leave your key under the doormat and put a note on the door announcing this, only two people will use it: the intended house mate and the thief. The postman will still ring twice

Or, I completely misunderstand the whole thing. In that case, please bear with me and explain. Thanks!


 
Jason Grimes
Local time: 17:43
SITE STAFF
TOPIC STARTER
Part of an overall change to javascript policy Aug 8, 2009

Hi Özden,

Özden Arıkan wrote:

I mean I must be missing some crucial point along the way here:

-javascript makes profile data vulnerable to attack
...


This is not precisely true. The change to the way javascript is handled in your profile is not directly about making your profile more secure.

Rather, changes in the way javascript is handled all over the site are about making the overall site more secure. This change just happens to be most noticeable in profiles, where javascript has been allowed indiscriminately in the past. Now javascript is allowed only in much more limited circumstances: in the profiles of ProZ.com members, when the viewer has given consent to run it.

I hope this helps clarify.

Best,

Jason


 
NancyLynn
Canada
Local time: 17:43
Member (2002)
French to English
+ ...

MODERATOR
Thanks Jason Aug 8, 2009

Good morning!

Jason Grimes wrote:

Hi Nancy,

There was some broken HTML in your "about me" section which I've cleaned up. Please let me know if it still doesn't look right. (There also seems to be a broken image link but I left that there in case you want to correct the URL.)


That image was the cover of the book in question - I'm not sure how to fix that.



Regarding the "sticky" choice of whether to view dynamic content, here's some info from the FAQ:

The first time you view the profile you'll be prompted whether to enable the dynamic content. Your preference will be stored in a "cookie" in your web browser, so you won't be prompted again when viewing that member's profile in that browser. If you later wish to change your preference, and enable or disable the content, click the "settings" link in the dynamic content notice at the upper right of the page.


I hope this helps. If anyone else finds that their profile doesn't display correctly, please submit a support ticket for assistance.

Thanks,

Jason


I'll go ahead and do that. Thanks!

Nancy


 
Jason Grimes
Local time: 17:43
SITE STAFF
TOPIC STARTER
Enabled some CSS support Aug 8, 2009

Andreas Nieckele wrote:
I invested a lot of time modifying my profile page with custom CSS and an iframe. I noticed that both of them stopped working around the same time that you announced this measure. The CSS is not working even if I try to include it directly in the page, inside of <style> tags.

I can understand that iframes MAY pose a security risk, but why not allow custom CSS? I cannot imagine possible security risks derived from changing some colors or font sizes.

I can easily live without the iframe, but we need to be able to style the html content on our profiles. Please say the custom CSS can stay.


Hi Andreas,

Support for some CSS has been enabled. External stylesheets still aren't supported, but if you include the CSS inside a <style> tag in your profile it should work. Please let me know how this works out for you.

Thanks,

Jason


 
Vito Smolej
Germany
Local time: 23:43
Member (2004)
English to Slovenian
+ ...
SITE LOCALIZER
+ Aug 8, 2009

Henry D wrote:
... What we are implementing here is a standard security measure. It was inappropriate for dynamic content to have been allowed with so few restrictions to date...


Much appreciated, Jason, Henry, everybody out there (or should I say in here g)

The threats that started to materialize (so far once, afaik) must be a horror for everybody involved in running the site. Add the bitching and moaning chorus, oh well, it's not a horror any more, it is a force 10 nightmare.

A bright point in this dark hour (just joking): it all just shows, how much capital (human, social, good-will) ProZ has collected since its beginnings. Put simpler, it just shows, what ProZ is worth.

Regards

Vito


 
Henry Dotterer
Local time: 17:43
SITE FOUNDER
Thank you, Vito! Aug 9, 2009

VitoSmolej wrote:
Much appreciated, Jason, Henry, everybody out there (or should I say in here g)

The threats that started to materialize (so far once, afaik) must be a horror for everybody involved in running the site. Add the bitching and moaning chorus, oh well, it's not a horror any more, it is a force 10 nightmare.

A bright point in this dark hour (just joking): it all just shows, how much capital (human, social, good-will) ProZ has collected since its beginnings. Put simpler, it just shows, what ProZ is worth.

Thank you for this kind post. To receive so much support from members like you at a time like this is very encouraging.


 
Liliana Roman-Hamilton  Identity Verified
Local time: 14:43
English to Italian
what about non platinum members? Aug 9, 2009

I'm a "user", not a platinum member and I had a javascript visitor counter on my profile. Yesterday I got the email notifying that any javascript was removed from the profiles, and that it was possible to use Proz's visitor counter instead, as a valid alternative. So I clicked on the link provided (the FAQ link) and what did I see? That the Proz visitor counter was only available to platinum members. What about non platinum members? I understand the reasons for having blocked any javascript-based visitor counter, but please give everybody the option to have a profile counter, not only to platinum members.

Thanks
Liliana


 
José Henrique Lamensdorf  Identity Verified
Brazil
Local time: 18:43
English to Portuguese
+ ...
In memoriam
Some feedback, maybe useless, maybe not Aug 9, 2009

This is not criticism, just info that may be useful in alternative debugging.

Long ago there was Netscape 7.2, IMHO the most stable browser in its time ever. MISExplorer then was (and maybe still is) some kind of a 'virus magnet'. Believe it or not, I still use it as my default browser and e-mail application.

Of course, technology won't stop evolving, hence Netscape 7.2 no longer can handle state of the art sites, including the new one I'm developing for myself.

My elder son is a top-flight IT pro and, in those early Netscape 7.2 days he told me that any site that ran only on MSIExplorer implied a lazy programmer, and that these sites would not run either on the less popular browsers like Opera et al.

A few weeks ago Proz had some programming changes whereby mouse-overing on the menu bar (Home, Kudoz, Jobs, Directories, etc.) would cause it to shift to the right, requiring a right scroll, but everything in it would work normally.

More recently, a few days ago, Netscape 7.2 stopped showing several things on the screen, it can't be used any more. So less-stable Firefox is the answer. In terms of functional stability, its latest version is still far behind Netscape 7.2 (more stable than Netscape 8), but that's where evolution is taking us.

Amazingly, the Brazilian institution where I have been doing my banking for ages, http://www.itau.com.br was ranked by the IMF as the #1 best banking IT system in the whole world and, from a client's standpoint, it's really good. Yet, it still runs flawlessly on Netscape 7.2 or any other browser you can name. So it's not a matter of Netscape 7.2 being obsolete, it can still cope with the most advanced technology and security concoctions.

Jason, this is not in any way a request to make Proz compatible with Netscape 7.2, but a tip. If you ever face some tough debugging, situations that you are unable to replicate for troubleshooting, try browsing that page with Netscape 7.2. Anything that can go wrong there certainly will!


 
Andreas Nieckele  Identity Verified
Brazil
Local time: 18:43
English to Portuguese
CSS still broken Aug 10, 2009

Jason Grimes wrote:

Hi Andreas,

Support for some CSS has been enabled. External stylesheets still aren't supported, but if you include the CSS inside a <style> tag in your profile it should work. Please let me know how this works out for you.

Thanks,

Jason


Thanks for your valuable support Jason. However, the CSS support is still not fixed by a long shot.

Please see the image below:


As you can see, for some reason all the style definitions are not being correctly loaded by the page. I performed a small test first, just to change the color of some words and it was working fine, but when I tried to paste the whole HTML + CSS code from what the finished page is supposed to look like, all hell broke loose.

One other thing I noticed is that ID selectors are not supported. If I write, for example, <div id="test"> on the profile updater, when I load the page and look at the source code, it will be just <div>. The "id" section is being stripped out. This does not happen with classes, classes are working fine. And IDs are needed for some javascript effects.

I would appreciate it if you guys could get all of this fixed as soon as possible. Our profile pages are arguably the most valuable reason to invest in our memberships (which I just happened to renew), and as it stands right now I can't get my profile to look the way I want it to: an exact replica of my website, just like it was until Friday.

Thanks

EDIT: I just noticed that links with target="_blank" are also not working correctly (the "target" section is also being stripped out). I don't know which of these problems are just bugs and which are intended to be like this, but if some of these errors I noticed are meant to be like this, it would be nice to have some sort of guide to know what is supported and what is NOT supported, because how are you going to know which features are supported and which are not?

[Edited at 2009-08-10 13:31 GMT]
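
An added example, not part of the thread and not ProZ.com's code: a minimal allow-list sanitizer in Python that reproduces the behaviour reported in the post above (`class` kept; `id`, `target` and scripts removed; inline `<style>` kept, external stylesheets rejected). The tag and attribute lists, the CSS token check and the sample input are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allow-list, modelled on what the thread reports; not ProZ.com's code.
ALLOWED = {"div": {"class"}, "span": {"class"}, "a": {"class", "href"}}
DROP_WITH_CONTENT = {"script", "iframe"}
CSS_FORBIDDEN = ("@import", "url(", "expression(", "\\", "<")
# Constructed input covering the cases raised in the thread.
SAMPLE = ('<div id="test" class="box">Hi</div><a href="https://example.com/" '
          'target="_blank">site</a><script>x()</script><style>.box{color:red}</style>')

def safe_url(value):
    # Browsers ignore tabs and newlines in a URL, so drop them before checking.
    compact = "".join(ch for ch in value if ch > " ")
    scheme = re.match(r"[a-z][a-z0-9+.\-]*:", compact, re.I)
    return scheme is None or scheme.group().lower() in ("http:", "https:")

class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip, self.css = [], 0, None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1                      # drop the element and its content
        elif tag == "style" and not self.skip:
            self.css = []                       # buffer CSS until </style>
        elif tag in ALLOWED and not self.skip:
            kept = [(n, v or "") for n, v in attrs if n in ALLOWED[tag]
                    and (n != "href" or safe_url(v or ""))]
            self.out.append("<" + tag + "".join(
                f' {n}="{escape(v, quote=True)}"' for n, v in kept) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag == "style" and self.css is not None:
            css, self.css = "".join(self.css), None
            if not any(bad in css.lower() for bad in CSS_FORBIDDEN):
                self.out.append(f"<style>{css}</style>")
        elif tag in ALLOWED and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.css is not None:
            self.css.append(data)               # checked as a whole at </style>
        elif not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html_text):
    parser = ProfileSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

An unclosed `<script>`, `<iframe>` or `<style>` makes this sketch discard everything that follows, so malformed input fails closed. The CSS token check is deliberately coarse; a production filter would parse the stylesheet and allow-list properties.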


 