• Davide (unregistered)

    Theoretically speaking, this is not really a solution but more like sweeping the dust under the carpet. Who knows which other corruption their stupid email client will perform, the customer should not get used to Marge's company fixing what the ISP is doing wrong.

    More pragmatically, since to the customer it does indeed appear that the problem lies with Marge's password reset tool, I would have first explained where the real error is, and then offered to implement an "ISP compatibility feature" for a very small sum. If the sum is reasonable then everybody is happy and no wrong precedent is established.

  • Hanzito (unregistered)

    In case Davide hasn't said so already: clbuttic!

  • Ginssuart (unregistered)

    Yeah great… any day now we’ll be reading an article where Marge’s successor complains about inheriting a codebase with a method that helpfully hardcodes the typo in ‘noeTimeToken’. Because fixing the typo itself would’ve just been too easy, right?

  • (nodebb)

    Oh noes!

  • AzureDiamond (unregistered)

    That's what happens when you sanitize with a string replace instead of actually parsing the HTML. Also super easy to get around: window['oxnclick'.replaceAll('x', '')] = () => console.log("pwned")

  • Vera (unregistered)

    Due to the all-caps title, I thought this was going to be an error due to No-E-Time-Token.

  • (nodebb)

    Isn't there also a problem if the token itself contains "on"? Less likely if the firewall only checks for "on" at the beginning of a word, and not an issue if the token is a hex number, as is often the case.
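    To make AzureDiamond's point (string replace instead of parsing) and the question above about tokens containing "on" concrete, here is an added example that is not code from the article, the ISP, or any commenter. It assumes the ISP's filter rewrote word-initial "on" to "no" (the rule that turns oneTimeToken into noeTimeToken; the real rule is not stated) and contrasts that with an attribute-aware stripper built on Python's standard-library HTML parser, which drops only on* attributes and leaves text and URLs alone.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample of a password-reset mail body (not from the article).
SAMPLE_EMAIL_HTML = (
    '<p>Reset your password: '
    '<a href="https://example.com/reset?oneTimeToken=abc123" '
    'onclick="track()">click here</a></p>'
)


def naive_strip_handlers(html: str) -> str:
    """Text-level filter, as the thread describes (assumed rule): rewrites
    word-initial 'on' to 'no' everywhere, so the URL's query parameter name
    gets mangled along with onclick. A token without a word-initial 'on'
    (such as 'abc123' or a hex string) happens to survive."""
    return re.sub(r"\bon", "no", html, flags=re.IGNORECASE)


class EventAttributeStripper(HTMLParser):
    """Re-emits the document, dropping only attributes whose name starts with 'on'."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []

    def _emit_tag(self, tag, attrs, self_closing=False):
        kept = [(k, v) for k, v in attrs if not k.lower().startswith("on")]
        rendered = "".join(
            f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
            for k, v in kept
        )
        self.out.append(f"<{tag}{rendered}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)  # text nodes are passed through untouched

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def strip_event_handler_attributes(html: str) -> str:
    parser = EventAttributeStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

The naive filter produces noeTimeToken and noclick; the parser-based one removes onclick and leaves the reset link intact.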

  • Argle (unregistered)

    OK, this comment might be weird of me, but the other WTF is a German who doesn't speak English. The French arrogantly like to pretend they don't speak English when encountering American tourists, but they all learn English in school. The Germans are the same, but in my experience aren't jerks about it like the French.

  • (nodebb) in reply to Argle

    The French arrogantly like to pretend they don't speak English when encountering American tourists, but they all learn English in school.

    Which is not to say that they are actually good at speaking English, mind you, something that I've been reminded of from time to time during the 16 years that I've lived in France. (I don't speak French perfectly, mind you, but I'm better at French than a substantial fraction of my colleagues are at English.)

  • Scragar (unregistered) in reply to AzureDiamond

    That requires JS escalation to achieve JS escalation.

  • Argle (unregistered) in reply to Steve_The_Cynic

    I have a friend who was living in Tehran until recently and is now living and working in Germany. (I'm greatly relieved that he and his family are out of Iran given current events.) He doesn't speak a word of German, but he was an English major in college and he's doing fine there. He's working on speech recognition software and calls me on occasion to discuss English accents. When he learned I was working on flight simulators (the big kind on the hydraulics) one of his first questions was to ask if we did the work in Python. I thought the question was quaint.

  • (nodebb) in reply to Argle

    Thanks for the unwarranted generalization. I'm French, my English is decent, and I've never in my life pretended to be unable to understand English. It's like saying all Americans are stupid. Sure, a lot of Americans are. But I would never generalize to all of them like you did here.

  • (nodebb)

    TBH, the real WTF is not saying to the client "it's your own damn fault, we won't lift a finger to fix it".

  • (nodebb) in reply to tom103

    I'd think Argle's generalization kinda reflects their age. Part of the English adoption is mostly a generation gap issue. It's only the newer generations that not only learned English properly in school but also are increasingly seeing usage of it. Go one or two generations older and most French people I know would not know enough English to be proficient to use it, especially in a professional setting.

    Refusing to talk to American tourists who obnoxiously expected anyone to know English was the de facto behavior in Paris in the 80s and 90s when I was there, and in this specific case I'd say the issue was often with the tourist behavior firsthand.

  • linepro (unregistered)

    Frankly changing oneTimeToken - token would have been the correct solution; since it is one time any new invocation would be fixed.

    Assumes you have control of the issuer and consumer I guess.

  • (nodebb) in reply to Argle

    The French arrogantly like to pretend they don't speak English when encountering American tourists,

    You don't think the American tourists who refuse to learn even a few words of the local language are the arrogant ones?

    but they all learn English in school.

    That doesn't mean anything. The English all learn French at school but very few of us speak it with any degree of proficiency.

    I'm English. My French is abysmal but I've never had any problem in France communicating. Either my few words are enough or the French person sees I'm, at least, trying and switches to English.

  • maribert (unregistered)

    The provisional bus stop sign is not from Germany. It's from Northern Italy (Alto Adige/Südtirol), where German is the second language.

  • LZ79LRU (unregistered) in reply to jeremypnet

    I am not usually one to defend Americans of all "people".

    But I feel the need to point out that it is most unreasonable to expect anyone to learn a second language for every country they intend to visit as a tourist. As a tourist, you expect to visit a place for a limited amount of time and likely never return. It is supposed to be a fun, low investment (except maybe cash), fire and forget thing. Being expected to learn a language rather than relying on the universal worldwide lingua franca for communication is just completely unreasonable.

  • Philip (unregistered) in reply to Scragar

    escalatino

  • (nodebb)

    It's likely the URL was HTTP not HTTPS. An ISP would be unable to view and definitely not modify the URLs of HTTPS requests unless the customer modified their OS configuration to allow it (by trusting a root certificate controlled by the ISP allowing them to snoop all HTTPS traffic).

    Migration from using HTTPS for just login pages to using it for all webpages was a good thing for many reasons.

  • (nodebb) in reply to The_MAZZTer

    No, if the email is in plain text, the ISP can rewrite the URL all they want. HTTPS only protects the data in transit and that you're connecting to the host in question. If the URL is presented and stored as plain text (as most emails are) then the ISP can easily rewrite the URL to something that's broken.

    HTTPS cannot protect against an email saying "https://example.com/blah/blah?onetimetoken=blah" and a modified email by the ISP saying "https://example.com/blah/blah?noetimetoken=blah".

    You can get 404s just as easily with HTTPS as you can with HTTP.

  • (nodebb)

    @tom103 ref:

    TBH, the real WTF is not saying to the client "it's your own damn fault, we won't lift a finger to fix it".

    So you have a software vendor who sells software to a bookseller. The bookseller uses the software to sell books to the public. Some members of the public use an ISP that clumsily sanitizes email, breaking the software vendor's workflow.

    So who is going to tell who "You fix it!" and make that stick?

    Maybe, just maybe, the ISP could be persuaded that this particular glitch they're inducing is the tip of a much larger iceberg of damage they're doing to all their customers' emails from many different sources. And maybe, just maybe, they'd have the professional conscience to consider this important enough to write a smarter sanitizer or to abandon sanitization as a fool's errand. But that's sure not the way to bet.

    But even mighty Microsoft admits they can't force other companies to fix stuff to resolve compatibility issues, so they bend over backwards to do it themselves.

  • (nodebb) in reply to LZ79LRU

    Being expected to learn a language rather than relying on the universal worldwide lingua franca for communication is just completely unreasonable.

    I really hope the irony here was intentional.

  • (nodebb) in reply to LZ79LRU

    I'm with LZ79LRU here. But I'd probably still pretend not to speak English if addressed rudely in English by someone acting like they own the place. Starting a conversation with "Excuse me sir..." is a basic skill that disappointingly few people have.

Leave a comment on “Classic WTF: NoeTimeToken”
