{"id":224,"date":"2010-08-04T19:27:35","date_gmt":"2010-08-04T08:27:35","guid":{"rendered":"http:\/\/xhva.net\/log\/?p=224"},"modified":"2010-08-04T19:27:35","modified_gmt":"2010-08-04T08:27:35","slug":"testing-form-submission-locally-in-ie-an-interesting-bugfeature","status":"publish","type":"post","link":"https:\/\/xhva.net\/log\/2010\/08\/testing-form-submission-locally-in-ie-an-interesting-bugfeature\/","title":{"rendered":"Testing form submission locally in IE: an interesting bug\/feature"},"content":{"rendered":"

A friend sent me a chunk of code with an inter\u00adest\u00ading bug: on one par\u00adtic\u00adu\u00adlar PHP script, IE would\u00adn\u2019t sub\u00admit the form. Every oth\u00ader brows\u00ader would. The first fix was rea\u00adson\u00adable, the sec\u00adond bizarre.<\/p>\n

For the first fix, the offend\u00ading lines of code looked like:<\/p>\n

<\/code><\/p>\n

\n   echo \"<div class=\\\"form\\\"\";   \n   echo \"<form action=\\\"index.php\\\" method=\\\"POST\\\">\";\n<\/pre>\n
<\/p>\n
See it? The end of the first line does\u00adn\u2019t include a > to com\u00adplete the <div> tag. The result in IE\u2019s DOM:<\/p>\n
<\/code><\/p>\n
\n   <div class=\"form\" method=\"POST\" action=\"PRMT_process.php\" <form=\"\">\n<\/pre>\n
<\/p>\n
The lack of a > caused the <form>\u2018s attrib\u00adut\u00ades to be con\u00adsumed by the pre\u00advi\u00adous <div>. Not sure how we end up with an attribute called \u2018<form\u2019 at the end, but it could be a quirk of IE\u2019s pars\u00ader stack that will\u00ading\u00adly con\u00adsumes garbage char\u00adac\u00adters and coerces them into attrib\u00adut\u00ades. Nasty. This meant there was\u00adn\u2019t a <form> tag open so the sub\u00admit but\u00adton had noth\u00ading to do.<\/p>\n
But that did\u00adn\u2019t fix it. I ripped out the con\u00adtents of the form and test\u00aded; no. Ripped out the code before the form includ\u00ading the boil\u00ader\u00adplate; no (inci\u00adden\u00adtal\u00adly, if a <form> is the first tag in the code \u2014 eg. no <body> \u2014 then the <form> is dropped on the floor by the pars\u00ader). Even\u00adtu\u00adal\u00adly I end\u00aded up with this testcase:<\/p>\n
<\/code><\/p>\n
\n   <body>\n      <form action=\"index.php\" method=\"post\">\n         <input type=\"submit\">\n      <\/form>\n   <\/body>\n<\/pre>\n
<\/p>\n
Now at this point I was very, very con\u00adfused. Dumb\u00adfound\u00aded. Espe\u00adcial\u00adly since I\u2019d looked at the file in hex-view to make sure strange Uni\u00adcode char\u00adac\u00adters had\u00adn\u2019t invad\u00aded then checked the encod\u00ading and BOM. I re-typed each line. Still did\u00adn\u2019t work.<\/p>\n
I typed the con\u00adtents out in a sep\u00ada\u00adrate file and copy\/pasted over the top of the bro\u00adken one; still did\u00adn\u2019t work.<\/p>\n
I copied the orig\u00adi\u00adnal file and opened the copy; still did\u00adn\u2019t work. I vis\u00adit\u00aded \u2018witch\u00adcraft\u2019 on Wikipedia and researched human sac\u00adri\u00adfice, per\u00adformed a sacred rite involv\u00ading goats, 13-point stars and heavy breath\u00ading to the East; still did\u00adn\u2019t work.<\/p>\n
I opened the prop\u00ader\u00adties dia\u00adlog for the file on a whim:<\/p>\n
\"Windows<\/a><\/p>\n
Were you aware that Win\u00addows auto\u00admat\u00adi\u00adcal\u00adly adds pro\u00adtec\u00adtion to a file that was trans\u00adferred from anoth\u00ader PC, even if it was orig\u00adi\u00adnal\u00adly a .txt file? I cer\u00adtain\u00adly did\u00adn\u2019t know it would dis\u00adable form sub\u00admis\u00adsion should the file be com\u00adplete\u00adly renamed and opened in one par\u00adtic\u00adu\u00adlar brows\u00ader. Inter\u00adest\u00ading. What kind of weird-arse check is being per\u00adformed deep inside IE to do this? Is this relat\u00aded to why local AJAX does\u00adn\u2019t work?<\/p>\n
I do see the point of this; Unknow\u00ading User #523 is sent a file and told to rename and open it in IE to receive a free pay\u00adment of five mil\u00adlion Niger\u00adian pan\u00addas or some\u00adthing, and JS auto-sub\u00admits a form con\u00adtain\u00ading infor\u00adma\u00adtion from their machine. But what\u2019s the dif\u00adfer\u00adence between this file being on a web\u00adsite or run\u00adning local\u00adly? JS should\u00adn\u2019t have high\u00ader priv\u00adi\u00adleges, and there\u2019s no local-file access apart from <input type=\u2018file\u2019>, and a file con\u00adtrol\u2019s val\u00adue can\u2019t be set in HTML or JS auto\u00admat\u00adi\u00adcal\u00adly. Is this a pro\u00adtec\u00adtion against secu\u00adri\u00adty bugs in the brows\u00ader that the shell team devel\u00adoped, which then required obscure changes to IE\u2019s code\u00adbase any\u00adway? Urgh.<\/p>\n
Long sto\u00adry short: if your oper\u00adat\u00ading sys\u00adtem is doing funky, hid\u00adden stuff to files that make them break in com\u00adplete\u00adly unre\u00adlat\u00aded sit\u00adu\u00ada\u00adtions, show a bloody mes\u00adsage some\u00adwhere. IE6 gave us the yel\u00adlow bar when JS was dis\u00adabled for local files \u2014 ter\u00adri\u00adbly annoy\u00ading and arguably point\u00adless, but at least it was a mes\u00adsage. This is just arcane.<\/p>\n","protected":false},"excerpt":{"rendered":"
A friend sent me a chunk of code with an inter\u00adest\u00ading bug: on one par\u00adtic\u00adu\u00adlar PHP script, IE would\u00adn\u2019t sub\u00admit the form. Every oth\u00ader brows\u00ader would. The first fix was rea\u00adson\u00adable, the sec\u00adond bizarre. For the first fix, the offend\u00ading lines of code looked like: echo \u201c<div class=\\\u201cform\\\u201d\u201d; echo \u201c<form action=\\\u201cindex.php\\\u201d method=\\\u201cPOST\\\u201d>\u201d; See it? The [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"ngg_post_thumbnail":0},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/xhva.net\/log\/wp-json\/wp\/v2\/posts\/224"}],"collection":[{"href":"https:\/\/xhva.net\/log\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xhva.net\/log\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xhva.net\/log\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/xhva.net\/log\/wp-json\/wp\/v2\/comments?post=224"}],"version-history":[{"count":5,"href":"https:\/\/xhva.net\/log\/wp-json\/wp\/v2\/posts\/224\/revisions"}],"predecessor-version":[{"id":230,"href":"https:\/\/xhva.net\/log\/wp-json\/wp\/v2\/posts\/224\/revisions\/230"}],"wp:attachment":[{"href":"https:\/\/xhva.net\/log\/wp-json\/wp\/v2\/media?parent=224"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xhva.net\/log\/wp-json\/wp\/v2\/categories?post=224"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xhva.net\/log\/wp-json\/wp\/v2\/tags?post=224"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}