August 29, 2011 by: William Wade

From: William Wade
------------------------------------------------------
Go view source on www.usda.gov

Laugh or cry.

My favorite lines:

Oh and

Not
to
mention
the excessive
use of
returns
.

===============================================================
From: Ryan Bales
------------------------------------------------------
That's awesome. They actually link jquery again too, further down the page, only it's a diff version (1.3.2). One can be sure that vulns abound.

~Ryan Bales

===============================================================
From: Cameron Kilgore
------------------------------------------------------
This seems more like a fail from their CMS than a legitimate mistake.

--Cameron

===============================================================
From: William Wade
------------------------------------------------------
I don't know. How could you develop something and not do a simple view source at some point in time?

On Mon, Aug 29, 2011 at 10:02 AM, Cameron Kilgore wrote:

===============================================================
From: Ryan Bales
------------------------------------------------------
firebug

===============================================================
From: Cameron Kilgore
------------------------------------------------------
Firefox, and by extension, Firebug, does a VERY good job of sanitizing bad HTML.

===============================================================
From: Dan Lyke
------------------------------------------------------
On Mon, 29 Aug 2011 10:12:24 -0400 William Wade wrote:

How many people mashing together plugins for $CMS actually understand what they're doing? I think this is why exploits and XSS attacks in WordPress and Joomla plugins are so rife: I turned on the plugin, it did what I wanted, the fact that it could be including JavaScript that's passing my user's credentials off to hackers in Russia never occurred to me.

And I know a couple of people whose capabilities with their CMS of choice appear to be limited to plugins, leading to some gawdawful sites. However, apparently they're still making money...

Dan

===============================================================
From: Cameron Kilgore
------------------------------------------------------
Watch this be the case with the new City of Chattanooga site.

--Cameron

===============================================================
From: Bret McHone
------------------------------------------------------
this makes me think of a despair.com poster about consultants.. "If you're not part of the solution, there's good money to be made in prolonging the problem."

-B

===============================================================
From: Aaron welch
------------------------------------------------------
That is awesome... and totally true. When I was at M$, I was forbidden from telling a customer that the M$ product would not work for their issue. The worst part is when it blew up during testing, I was the one blamed for the problems. It sucks, but you live and learn.

-AW

===============================================================
From: Cameron Kilgore
------------------------------------------------------
http://despair.com/consulting.html

I'm so buying this on a coffee mug.

--Cameron

===============================================================
From: Bret McHone
------------------------------------------------------
that one and the "consistency is only a virtue if you're not a screwup" are my favorites.

===============================================================
From: Mike Harrison
------------------------------------------------------
Having recently dipped my toes in both Joomla and Drupal. The complexity and layers involved for a typical 5 to 100 page website are atrocious. The things people do with jQuery and other JavaScript obfuscators are insane.

I remember complaining that having a 50k byte single IMAGE on a single page was a sinful waste of bandwidth and resources.

Yeah.. Get off my lawn.

--
I am only online today (at slow... slow.. speeds) thanks to the quick easy install of: "polipo", a small caching web proxy and a bizarre relay of SSH and other tricks. "polipo" is a new favorite trick. The ascii config file was easy to edit.. and it seems to "just work", even let me get to a webmail interface for gmail. :)

apt-get install polipo - Poof. ;)

===============================================================
From: Sean Brewer
------------------------------------------------------
That problem still exists, except instead of 50k, it's 1MB+. I've seen stuff like photographers with Wordpress sites load 15mb images of their photos resized with HTML and think that was totally OK.

===============================================================
From: Cameron Kilgore
------------------------------------------------------
I'd love to see some examples of that. WP does a good job of autocrop/resizing thumbnails.

===============================================================
From: Sean Brewer
------------------------------------------------------
If you know what you're doing, yes. The last case I experienced was a guy I knew and I told him about the problem. It's been fixed since then.

===============================================================
From: Dave Brockman
------------------------------------------------------
Laugh, because it's not my job to fix that mess...

http://validator.w3.org/check?verbose=1&uri=http%3A%2F%2Fwww.usda.gov%2Fwps%2Fportal%2Fusda%2Fusdahome

Only 136 errors and 106 warnings for HTML only

http://jigsaw.w3.org/css-validator/validator?profile=css21&warning=0&uri=http%3A%2F%2Fwww.usda.gov%2Fwps%2Fportal%2Fusda%2Fusdahome

CSS is slightly better at only 34 errors...

Regards,

dtb

===============================================================
From: Ryan Bales
------------------------------------------------------
And that's just static validation. As OP pointed out, there are some serious redundancies at play here, and who knows how much (read: data) whitespace is being communicated across the wire.

~Ryan Bales

===============================================================
From: Ryan Bales
------------------------------------------------------
btw, just saw this on the validation report, and thought it was particularly hilarious:

~Ryan Bales

===============================================================
From: James Nylen
------------------------------------------------------
Dude I was so height when I made that website

===============================================================
From: Ryan Bales
------------------------------------------------------
lmao, at least it wasn't "heighth", I guess

~Ryan Bales

===============================================================
From: Cameron Kilgore
------------------------------------------------------
I am getting this printed on a shirt.

--Cameron

===============================================================
From: Chad Smith
------------------------------------------------------
You can get multiple heads and bodies when you do includes. It's very possible it's not just one file.

- Chad W Smith
"I like a man who's middle name is W." - President George W. Bush - February 10, 2003 bit.ly/gwb-dubya

===============================================================
From: James Nylen
------------------------------------------------------
But you shouldn't.

===============================================================
From: Chad Smith
------------------------------------------------------
possibly using an HTML editor that adds it in automagically, and doesn't bother removing it. It's a sign of laziness, or some would say efficiency - not necessarily poor programming skills.

- Chad W Smith

===============================================================
From: James Nylen
------------------------------------------------------
No, it's a sign of not knowing what the hell you're doing, and therefore poor HTML skills. Just because a browser will handle your crappy HTML doesn't mean that you should subject the world to it.

===============================================================
From: Cameron Kilgore
------------------------------------------------------
Screen readers are far less forgiving than web browsers. And this is a sign of poor programming skills -- I can understand some errors in validation from auto-generated content from CMSes, but if i'm seeing TWO tags...either you're so height you're in space, or you fucked up your CMS something fierce. And i'll put you to the fire for it.

--Cameron

===============================================================
From: William Wade
------------------------------------------------------
I believe it is Oracle CMS in the backend. Also as a federal site they are required to have a certain level of accessibility. They have some ARIA stuff in there, but I doubt they actually tested it. Not to mention navigating it with a screen reader and all those (ne(s())(t(e))d) tables must be awful.

On Tue, Aug 30, 2011 at 1:33 PM, Cameron Kilgore wrote:
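A small audit script, added here as an example and not code from anyone in the thread, that checks a fetched page for the two things the thread flags: duplicated <head>/<body> tags and jQuery being linked more than once, possibly at different versions. It uses only the Python standard library; the sample markup is constructed to mimic the shape of the page being discussed and is not the real USDA source.

```python
"""Audit an HTML document for duplicated structural tags and repeated or
mixed-version jQuery includes. Standard library only; no network access."""
import re
from html.parser import HTMLParser

# Matches the basename of a jQuery include: jquery-1.4.2.min.js, jquery.1.3.2.js,
# jquery.min.js. Deliberately does not match jquery-ui.js and similar plugins.
JQUERY_BASENAME = re.compile(r"^jquery(?:[-.](\d+(?:\.\d+)*))?(?:\.min)?\.js$", re.I)


class StructureAuditor(HTMLParser):
    """Counts every <html>/<head>/<body> start tag seen (HTMLParser reports each
    one as it streams, so duplicates are not silently merged) and records each
    jQuery <script src> in document order."""

    def __init__(self):
        super().__init__()
        self.counts = {"html": 0, "head": 0, "body": 0}
        self.jquery = []  # list of (src, version or None)

    def handle_starttag(self, tag, attrs):
        if tag in self.counts:
            self.counts[tag] += 1
        if tag == "script":
            src = dict(attrs).get("src") or ""
            m = JQUERY_BASENAME.match(src.rsplit("/", 1)[-1])
            if m:
                self.jquery.append((src, m.group(1)))


def audit_html(markup):
    """Return tag counts, jQuery includes, and a list of human-readable findings."""
    p = StructureAuditor()
    p.feed(markup)
    p.close()
    findings = [f"{n} <{t}> tags (expected 1)" for t, n in p.counts.items() if n > 1]
    if len(p.jquery) > 1:
        versions = sorted({v for _, v in p.jquery if v})
        findings.append(f"jQuery included {len(p.jquery)} times, versions {versions}")
    return {"counts": p.counts, "jquery": p.jquery, "findings": findings}


# Constructed sample: two heads, two bodies, two jQuery versions (not the real page).
SAMPLE = """<html><head><title>x</title>
<script src="/js/jquery-1.4.2.min.js"></script></head>
<body><p>hi</p>
<head><script src="/wps/static/jquery.1.3.2.js"></script></head>
<body><p>again</p></body></body></html>"""

if __name__ == "__main__":
    for line in audit_html(SAMPLE)["findings"]:
        print(line)
```

To run it against a live site, fetch the page with any HTTP client and pass the response text to audit_html.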