Back to the High Programmer's Blog

Back to the article

psilord at 19:13 Aug 25, 2005

Hey Alan, if I ever click "remember me" on the page, it should always be checked when I come back to post something to signify it remembered me. If I uncheck it, then it should forget about me.

Kathleen at 19:13 Aug 25, 2005

Mozilla has both pop-up blocker, an indicator in the bottom bar that a pop-up has been blocked, and the option for Adblock as well. I'm not saying that Firefox isn't the bomb, but why should I switch from Moz?

Alan De Smet at 19:13 Aug 25, 2005

Compared to Moz, Firefox is only incrementally better. Unsurprising, since they both share the same core. Still, I was a Mozilla user for many years and changed to Firefox yesterday. I think it's worth the effort. All in all I viewed it as the next version of Mozilla. Really, my front page plea was more to people using Internet Explorer, who really deserve much, much better.

Stuff I'm liking:

- Alerts you when there are updates to Firefox itself or any extensions you've installed. It can automatically install an updated extension. The alert is a discrete little marker in your menu bar.

- Faster startup.

- The interface feels "cleaner". Mozilla is a giant beast with piles of options. Firefox does a good job of eliminating the unnecessary junk and reorganizing what remained.

Stuff I'm not sold on yet, but seem cool:

- "Live bookmarks". Your bookmark folder can actually be a live feed from another site. For example, you can have a bookmark folder that always contains the last 10 stories from the BBC or the New York Times. Not so useful to someone using a full blown RSS Aggragator like Sage (which is a Firefox extension ( or Bloglines (

Alan's recommended extensions:

- Link Toolbar provides handy buttons for following "Next Page", "Previous Page", "Up", "Index" and the like links. It's a quick and handy way to move through multipage documents. Mozilla has this functionality built in, but you need an extension with Firefox. Instead of taking a whole new toolbar, Link Toolbar places itself in the status bar.

- Adblock will reduce the amount of crap you're seeing.

- Web Developer Extension is the power user's toy. It includes way more functionality than a typical web browser needs. If you do web design or just like having lots of unnecessary control over web pages, it's cool.

Joe at 19:13 Aug 25, 2005

Putting the link toolbar in the status bar seems like a good idea. I hate it when I go to a site that uses it and it pops the whole page down, and I don't really like having the link toolbar up all the time either.

I'm not sure how many people use this feature though. I have it up for PJ, but not my other comics. The only users I'm sure use it are web robots.

I use Moz at home and Firefox at work. I haven't updated Moz recently, but Firefox 1.0's usability trumps whatever version of Moz I have.

Kathleen at 19:13 Aug 25, 2005

Is Firefox stable? I know that was a concern a while ago. I guess if it's at 1.0, it must be...

psilord at 19:13 Aug 25, 2005

After using it for a few days, I must say that it is very fast. I like that very much. It just seems so much cleaner too.

Joe at 19:13 Aug 25, 2005

Something Firefox still lacks is a "block flash objects from this address" when I right-click on a flash advertisement. I can block the less-obtrusive ad banners, but not flash? Flash ads are evil and I hate them

And yes I could uninstall flash, but I loves me the video games!

Alan De Smet at 19:13 Aug 25, 2005

Re: Flash blocking

Two options:

Adblock will happily purge Flash ads.

Another option is to us Flashblock. It replaces all Flash objects with a logo. Click the logo to load the flash. The extension is here: or you can use the original:

Alan De Smet at 19:13 Aug 25, 2005

This is a test message.

If it works, I've added some additional tags and functionality.

My home page

psilord at 19:13 Aug 25, 2005

How about you add some articles.... *grin*

Kathleen at 19:13 Aug 25, 2005

I second that motion.

Ben at 19:13 Aug 25, 2005

Yeah. I've wasted an awful lot of time typing 'www.hig<down arrow><enter>' and not getting new Alanwackiness. This saddens me. And I find the new comments here distinctly underwhelming. Though, as you've said

Alan wrote:

If it works, I've added some additional tags and functionality.

Hm. That was surprisingly satisfying. Also reasonably tamper-resistant.

But not perfect.

Alan De Smet at 19:13 Aug 25, 2005

Ooof, good catch Ben. Thanks. I'll have to beat that into submission. Upon reflection I believe QUOTE to be reasonably safe, but the URL needs serious contemplation. Probably the easiest option is to forbid quotation marks in URLs.

As for all the people wanting content: I'll see what I can do. I've got a backlog of stuff, but it's hard to find the time to polish it enough. I'm trying very hard to only post the sort of thing I enjoy reading on random blogs. (See my blog roll for examples.)

For those who (for some bizarre reason) want more stuff from me, try my LiveJournal feed. (Table-folk will likely be bored, as it's basically the stupid links I post to table.)

I also recommend using an RSS aggragator (Bloglines rocks). It's a much easier way to track blogs, including those that only post very irregularlly.

Mario Carbonell at 19:13 Aug 25, 2005

Wow!! Great Website!! I'm a programmer too, but very bad designing websites! Very beautiful

Michael at 19:13 Aug 25, 2005

That is an uglily good catch Ben. :)

Alan, php has a $strip_tags function built into it. I used the following to elaborate this out into a decent functionality (borrowing heavily from php_manual commenters, of course) :

$allowedTags = '<b><i><a><li><strong><em><pre><blockquote>';

$stripAttrib = 'javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|'. 'onmousemove|onmouseout|onkeypress|onkeydown|onkeyup';

function removeEvilAttributes($tagSource) { global $stripAttrib; return stripslashes(preg_replace("/$stripAttrib/i", 'forbidden', $tagSource)); }

function removeEvilTags($source) { global $allowedTags; $source = strip_tags($source, $allowedTags); return preg_replace('/<(.*?)>/ie', "'<'.removeEvilAttributes('\\1').'>'", $source); }

Ben at 19:13 Aug 25, 2005


The file Not Perfect links to is the [URL] tag I used to create it. Let me know when you no longer need that.


I don't know PHP, but it looks as if your code, while probably useful, doesn't fix what I did. I could be wrong, of course. Check out the NP link if you're curious what exactly is broken.

Alan again:

Once you've fixed the tag processing, feel free to get rid of the not perfect and/or turn it into text-only.

Alan a third time:

I gently poked QUOTE and it played nice. Trying to add HTML failed because you're turning < into <, but URL let me get inside a tag that already existed. I don't think I could abuse it to insert any more tags, but I could probably turn Anchor into a block-level element and get a picture into it as a background, with the appropriate height and width tags. Also javascript mouse events as Michael noted, &c.

The other tags seem safe. I tried (ab)using QUOTE with HTML comments to insert text into the body of the <strong> tag, but no dice. The other tags don't seem particularly promising as attack vectors.

Alan De Smet at 19:13 Aug 25, 2005

The URL loophole Ben found has been beaten into a pulp.

Post Message

Your name:
The word "human": (To fight comment spam you must enter the word "human" in this box.)
Your web site: (optional)
Your email address: (optional)
(Your email address is not displayed to others nor stored. It is only used to display a Gravatar Avatar.)

Supported tags: [B]Bold text[/B]   [I]Italic text[/I]   [TT]Typewriter font[/TT]   [CODE]Preformatted text[/CODE]   [QUOTE]Block quote[/QUOTE]   [QUOTE="Original Author"]Block quote[/QUOTE]   [URL=""]Example Corporation[/URL]