Does <Code> feature not work?

AI Thread Summary
The discussion centers around issues with posting code using CODE tags, particularly with HTML and script elements, which trigger errors when users attempt to save their posts. Users note that while HTML fails to post correctly, LaTeX code seems to work without issues, leading to confusion about the functionality of the CODE feature. It is suggested that the problem may stem from security measures implemented by Cloudflare to prevent script injections, which complicates the posting of certain code snippets. Participants express frustration that the CODE feature does not fulfill its intended purpose, as it restricts users from sharing code effectively. Overall, the consensus is that the current system is flawed and requires adjustments to allow for proper code sharing.
DaveC426913
I cannot post code with the CODE tags.
Here is a screen grab of the code I tried to post, and the error it throws when I try to save it.
I am going to start small and see where it breaks.

It chokes on any script line.

[CODE lang="html" title="Title"]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>My first three.js app</title>
<style>
body { margin: 0; }
</style>

</head>
<body>
</body>
</html>

[/CODE]
 
Works fine for me: HTML, XML, general code. Edit, preview, and all. I just have to forget the idea of posting it. Then I receive an oops, too.
 
Code:
\documentclass[12pt,a4paper]{article}
%\usepackage[latin1]{inputenc}
\usepackage[utf8]{inputenc}
\usepackage{amsmath}
\usepackage{amsfonts}
\usepackage{amssymb}
\usepackage{graphicx}
\usepackage{stmaryrd}
\usepackage{tikz}
\usepackage{tikz-feynman}
%\tikzfeynmanset{compat=1.0.0}
\begin{document}
%\newcommand{\pars}[1]{\left(\,{#1}\,\right)}
%$$
%\pars{A}
%$$
%\feynmandiagram [horizontal=a to b] {
%i1 -- [fermion] a -- [fermion] i2,
%a -- [photon] b,
%f1 -- [fermion] b -- [fermion] f2,
%};
%\feynmandiagram [horizontal=a to b] {
%i1 -- [fermion] a -- [fermion] i2,
%a -- [photon] b,
%f1 -- [fermion] b -- [fermion] f2,
%};
\title{Scribblings}
%\maketitle
\noindent
\begin{align*}
5 > 4/2 > 0
\end{align*}
\newpage
\noindent

%\section{Sources}
%[av_toggle_container initial='0' mode='accordion' sort='' av_uid='av-z56gl9']
%[av_toggle title='Sources' tags='' av_uid='av-kw33gd']
%[1] Pictures.
%\begin{verbatim}
%https://de.wikipedia.org/wiki/Gabriels_Horn#/media/Datei:GabrielHorn.png
%\end{verbatim}

%[/av_toggle]
%[/av_toggle_container]
\end{document}

That was strange! Html did not work (oops) in either code tag HTML, XML, or without specification, but Tex code worked, also without specification.
 
fresh_42 said:
That was strange! Html did not work (oops) in either code tag HTML, XML, or without specification, but Tex code worked
It doesn't seem entirely surprising that embedding (or quoting) HTML in HTML inherently has a greater chance of failure than embedding snippets of other languages that share no syntax with the HTML/XML tag structure. As far as I can spot with a quick glance at the page source code, the quoting works in general using the standard "trick" of replacing the < and > characters with HTML entities, so one guess could be that it is the input or processing part that has a hiccup on a literal script tag.
 
The interesting part is that the "hiccups" don't occur when previewing the page, only when the post button is hit.
 
This is likely some security to prevent script injections. Remove the script tags.
 
Greg Bernhardt said:
This is likely some security to prevent script injections. Remove the script tags.
Yes. But the whole point of the CODE function is to sandbox code so it can be posted without being activated. If I can't post SCRIPT, I can't ask for troubleshooting help. (Unless I mangle the tag.)
 
[CODE lang="html" title="test"]<script src="/js/xf/preamble.min.js?_v=e949bd59"></script>[/CODE]
 
If I try to quote your post and post I get "Oops". Maybe admins are exempted from the filter.
 
  • #10
I can see from the chrome console it's from Cloudflare. Let me see what I can adjust.
 
  • #12
I have just tried to upload some code into the same thread. I did not include the script tags, just the raw js.

It still wouldn't allow it. Pretty safe to say the CODE feature is not working as-intended.

I am relegated to uploading a screen grab, like a noob.
 
  • #13
DaveC426913 said:
I have just tried to upload some code into the same thread. I did not include the script tags, just the raw js.
<script> tags are not the only payload using an application/x-www-form-urlencoded attack vector that Cloudflare has defences against.

DaveC426913 said:
Pretty safe to say the CODE feature is not working as-intended.
Nothing to do with the CODE feature (try removing the CODE tags to see) - this applies to any POST message using application/x-www-form-urlencoded.
 
  • #14
DaveC426913 said:
It still wouldn't allow it. Pretty safe to say the CODE feature is not working as-intended.
It's not the code feature, it's our use of Cloudflare. I haven't had time to sit down and figure out the settings that would allow it to pass without compromising security. It's not super intuitive.
 
  • #15
pbuk said:
Nothing to do with the CODE feature
OK, from a user perspective: there's a feature on PF whose purpose is to allow me to post code. The feature does not allow me to do what it purports - for whatever reason.


But good to know it's in good hands. I can work around it. Thanks Greg. Don't kill yourself on my account.
 
  • #16
DaveC426913 said:
OK, from a user perspective: there's a feature on PF whose purpose is to allow me to post code.
I am not aware which specific syntax triggers the block, but if we assume it involves the presence of the open/close brackets used in HTML/XML, it might be possible to post code where those "offending" characters are replaced with something that looks like them, e.g. one of the Unicode brackets. Of course, anyone reading that code needs to be informed of the reverse replacement needed for it to be valid code again.

Example snippet from the wikipedia page linked above with < and > characters replaced with double angles ⟪ and ⟫:
[CODE title="Test"]⟪!DOCTYPE html⟫
⟪html class="client-nojs vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-sticky-header-enabled vector-toc-available" lang="en" dir="ltr"⟫
⟪head⟫
⟪meta charset="UTF-8"⟫
⟪title⟫Bracket (mathematics) - Wikipedia⟪/title⟫
⟪script⟫(function(){var className="client-js vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-sticky-header-enabled vector-toc-available";var cookie=document.cookie.match(/(?:^|; )enwikimwclientpreferences=([^;]+)/);if(cookie){cookie[1].split('%2C').forEach(function(pref){className=className.replace(new RegExp('(^| )'+pref.replace(/-clientpref-\w+$|[^\w-]+/g,'')+'-clientpref-\\w+( |$)'),'$1'+pref+'$2');});}document.documentElement.className=className;}());RLCONF={"wgBreakFrames":false,"wgSeparatorTransformTable":["",""],"wgDigitTransformTable":["",""],"wgDefaultDateFormat":"dmy",
"wgMonthNames":["","January","February","March","April","May","June","July","August","September","October","November","December"],"wgRequestId":"73edb9c9-ae39-421f-900d-7ba9444be9ac","wgCanonicalNamespace":"","wgCanonicalSpecialPageName":false,"wgNamespaceNumber":0,"wgPageName":"Bracket_(mathematics)","wgTitle":"Bracket (mathematics)","wgCurRevisionId":1270383543,"wgRevisionId":1270383543,"wgArticleId":11219603,"wgIsArticle":true,"wgIsRedirect":false,"wgAction":"view","wgUserName":null,"wgUserGroups":["*"],"wgCategories":["Articles with short description","Short description is different from Wikidata","Arithmetic","Mathematical notation"],"wgPageViewLanguage":"en","wgPageContentLanguage":"en","wgPageContentModel":"wikitext","wgRelevantPageName":"Bracket_(mathematics)","wgRelevantArticleId":11219603,"wgIsProbablyEditable":true,"wgRelevantPageIsProbablyEditable":true,"wgRestrictionEdit":[],"wgRestrictionMove":[],"wgNoticeProject":"wikipedia","wgCiteReferencePreviewsActive":false,
"wgFlaggedRevsParams":{"tags":{"status":{"levels":1}}},"wgMediaViewerOnClick":true,"wgMediaViewerEnabledByDefault":true,"wgPopupsFlags":0,"wgVisualEditor":{"pageLanguageCode":"en","pageLanguageDir":"ltr","pageVariantFallbacks":"en"},"wgMFDisplayWikibaseDescriptions":{"search":true,"watchlist":true,"tagline":false,"nearby":true},"wgWMESchemaEditAttemptStepOversample":false,"wgWMEPageLength":10000,"wgEditSubmitButtonLabelPublish":true,"wgULSPosition":"interlanguage","wgULSisCompactLinksEnabled":false,"wgVector2022LanguageInHeader":true,"wgULSisLanguageSelectorEmpty":false,"wgWikibaseItemId":"Q4953686","wgCheckUserClientHintsHeadersJsApi":["brands","architecture","bitness","fullVersionList","mobile","model","platform","platformVersion"],"GEHomepageSuggestedEditsEnableTopics":true,"wgGETopicsMatchModeEnabled":false,"wgGEStructuredTaskRejectionReasonTextInputEnabled":false,"wgGELevelingUpEnabledForUser":false};RLSTATE={"ext.globalCssJs.user.styles":"ready","site.styles":"ready",
"user.styles":"ready","ext.globalCssJs.user":"ready","user":"ready","user.options":"loading","ext.cite.styles":"ready","ext.math.styles":"ready","skins.vector.search.codex.styles":"ready","skins.vector.styles":"ready","skins.vector.icons":"ready","ext.wikimediamessages.styles":"ready","ext.visualEditor.desktopArticleTarget.noscript":"ready","ext.uls.interlanguage":"ready","wikibase.client.init":"ready","ext.wikimediaBadges":"ready"};RLPAGEMODULES=["ext.cite.ux-enhancements","site","mediawiki.page.ready","mediawiki.toc","skins.vector.js","ext.centralNotice.geoIP","ext.centralNotice.startUp","ext.gadget.ReferenceTooltips","ext.gadget.switcher","ext.urlShortener.toolbar","ext.centralauth.centralautologin","ext.popups","ext.visualEditor.desktopArticleTarget.init","ext.visualEditor.targetLoader","ext.echo.centralauth","ext.eventLogging","ext.wikimediaEvents","ext.navigationTiming","ext.uls.interface","ext.cx.eventlogging.campaigns","ext.cx.uls.quick.actions","wikibase.client.vector-2022",
"ext.checkUser.clientHints","ext.growthExperiments.SuggestedEditSession"];⟪/script⟫
⟪script⟫(RLQ=window.RLQ||[]).push(function(){mw.loader.impl(function(){return["user.options@12s5i",function($,jQuery,require,module){mw.user.tokens.set({"patrolToken":"+\\","watchToken":"+\\","csrfToken":"+\\"});
}];});});⟪/script⟫
⟪link rel="stylesheet" href="/w/load.php?lang=en&amp;modules=ext.cite.styles%7Cext.math.styles%7Cext.uls.interlanguage%7Cext.visualEditor.desktopArticleTarget.noscript%7Cext.wikimediaBadges%7Cext.wikimediamessages.styles%7Cskins.vector.icons%2Cstyles%7Cskins.vector.search.codex.styles%7Cwikibase.client.init&amp;only=styles&amp;skin=vector-2022"⟫
⟪script async="" src="/w/load.php?lang=en&amp;modules=startup&amp;only=scripts&amp;raw=1&amp;skin=vector-2022"⟫⟪/script⟫
⟪meta name="ResourceLoaderDynamicStyles" content=""⟫
⟪link rel="stylesheet" href="/w/load.php?lang=en&amp;modules=site.styles&amp;only=styles&amp;skin=vector-2022"⟫
⟪meta name="generator" content="MediaWiki 1.44.0-wmf.14"⟫
⟪meta name="referrer" content="origin"⟫
⟪meta name="referrer" content="origin-when-cross-origin"⟫
⟪meta name="robots" content="max-image-preview:standard"⟫
⟪meta name="format-detection" content="telephone=no"⟫
⟪meta name="viewport" content="width=1120"⟫
⟪meta property="og:title" content="Bracket (mathematics) - Wikipedia"⟫
⟪meta property="og:type" content="website"⟫
⟪link rel="alternate" media="only screen and (max-width: 640px)" href="//en.m.wikipedia.org/wiki/Bracket_(mathematics)"⟫
⟪link rel="alternate" type="application/x-wiki" title="Edit this page" href="/w/index.php?title=Bracket_(mathematics)&amp;action=edit"⟫
⟪link rel="apple-touch-icon" href="/static/apple-touch/wikipedia.png"⟫
⟪link rel="icon" href="/static/favicon/wikipedia.ico"⟫
⟪link rel="search" type="application/opensearchdescription+xml" href="/w/rest.php/v1/search" title="Wikipedia (en)"⟫
⟪link rel="EditURI" type="application/rsd+xml" href="//en.wikipedia.org/w/api.php?action=rsd"⟫
⟪link rel="canonical" href="https://en.wikipedia.org/wiki/Bracket_(mathematics)"⟫
⟪link rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/deed.en"⟫
⟪link rel="alternate" type="application/atom+xml" title="Wikipedia Atom feed" href="/w/index.php?title=Special:RecentChanges&amp;feed=atom"⟫
⟪link rel="dns-prefetch" href="//meta.wikimedia.org" /⟫
⟪link rel="dns-prefetch" href="login.wikimedia.org"⟫
⟪/head⟫[/CODE]
 
  • #17
DaveC426913 said:
OK, from a user perspective: there's a feature on PF whose purpose is to allow me to post code. The feature does not allow me to do what it purports - for whatever reason.
No, let me repeat that this is nothing to do with the code tags, you can't post <,s,c,r,i,p,t,> (without the commas) or other terms e.g. /,e,t,c,/,h,o,s,t,s whether they are in code tags or not.
 
  • #18
Filip Larsen said:
I am not aware which specific syntax triggers the block, but if we assume it involves the presence of the open/close brackets used in HTML/XML
It doesn't, see for example the /,e,t,c,/,h,o,s,t,s example. However it IS based on specific strings (or more accurately, strings that decode to specific strings) so yes, ⟪script⟫ will work (but not &lt;scri... or &#x3C;scri...).
But so does the much simpler <scr-ipt> which will easily be picked up by any syntax highlighter and is the easiest work-around unless and until @Greg Bernhardt finds a switch to turn this off (note: I am not sure there is one).
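The behaviour described in #18 (the filter matches specific strings after decoding the form field, so entity- or percent-encoded variants are still caught) and the ⟪⟫ display substitution proposed in #16, modelled as an added example that is not part of this thread. The decoding steps and the blocked-string list are assumptions drawn only from what the posts report; this is a simplified model, not Cloudflare's actual rules.

```python
import html
from urllib.parse import unquote_plus

# Substrings the thread reports as rejected (constructed list, taken from the posts).
BLOCKED_SUBSTRINGS = ("<script", "/etc/hosts")

# Display substitution from #16: ASCII angle brackets <-> U+27EA / U+27EB.
FORWARD = str.maketrans({"<": "\u27EA", ">": "\u27EB"})
REVERSE = str.maketrans({"\u27EA": "<", "\u27EB": ">"})


def normalize(field: str) -> str:
    """Undo the encodings a form POST can wrap a value in before matching.

    An application/x-www-form-urlencoded body is percent-encoded, and #18
    reports that HTML entities such as &lt; and &#x3C; are decoded as well.
    Decoding repeats until the text stops changing so that double-encoded
    variants are also reduced to their literal form (assumed behaviour).
    """
    current = field
    for _ in range(5):
        decoded = html.unescape(unquote_plus(current))
        if decoded == current:
            break
        current = decoded
    return current.lower()


def is_blocked(field: str) -> bool:
    """True if a blocked substring is present once the field is normalized."""
    text = normalize(field)
    return any(token in text for token in BLOCKED_SUBSTRINGS)


def encode_for_post(code: str) -> str:
    """Replace < and > so the posted text contains no HTML tag syntax at all."""
    return code.translate(FORWARD)


def decode_from_post(posted: str) -> str:
    """Reverse replacement a reader applies to recover the original markup."""
    return posted.translate(REVERSE)
```

Because normalization decodes before matching, `&lt;script` and `%3Cscript` are treated the same as a literal `<script`, which is why #18 reports those forms being rejected while `⟪script⟫` (no ASCII angle bracket, so not an HTML tag at all) is not.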
 
  • #19
pbuk said:
No, let me repeat that this is nothing to do with the code tags,
You realize, as a user, it makes no difference to me why it doesn't work under-the-hood.

The simple fact is that the ability to put code in my post (a feature offered) is not functioning. All other features can be used by me the user; this one cannot.

As a former-developer-turned-UX guy, I am aware how easy it is to tell frustrated users "Oh no it's not really broken; it's because of X", to which the users invariably say (or at least, think) "X or Y makes no difference to me the user. I assure you it is broken; I cannot use it."
 
  • #20
pbuk said:
It doesn't, see for example the /,e,t,c,/,h,o,s,t,s example.
Right, but that is an unlikely sequence to have in most code, even more so in HTML/JS snippets, which I understand is what Dave is mostly interested in, so using search and replace (with tag start/end characters, or as you suggest, inserting an extra character so general XML syntax highlighters still pick up the syntax) may be a useful work-around compared to not being able to post or having to post all code as an image.
 
  • #21
pbuk said:
It doesn't, see for example the /,e,t,c,/,h,o,s,t,s example. However it IS based on specific strings (or more accurately, strings that decode to specific strings) so yes, ⟪script⟫ will work (but not &lt;scri... or &#x3C;scri...).
But so does the much simpler <scr-ipt> which will easily be picked up by any syntax highlighter and is the easiest work-around unless and until @Greg Bernhardt finds a switch to turn this off (note: I am not sure there is one).
Except that the code I tried to post contained no script tags at all. We learned that one the first time around (farther back the thread). This time, when I tried to post my code, I stripped out the script tags and posted the raw code. It still won't accept it.



pbuk said:
... a switch to turn this off (note: I am not sure there is one).
It would be astonishing to me, here, a quarter way into the 21st century, if a host like Cloudflare has not learned how to sanitize inputs. (Perhaps they can Google it? Or perhaps someone can contact, like, anyone in their office and tip them off?) It is a relatively simple matter of escaping the offending characters/lines before they are consumed, and then unescaping them when being displayed.

To say, "We can't do that, let's just disallow the function" is to say "We forgot this is a standard part of modern hosting. BTW, has QA checked to see if we allo- the input and output of all t-enty-six letters of the alphabet? Do we still disallow \W?".

 
  • #22
DaveC426913 said:
Except that the code I tried to post contained no script tags at all. We learned that one the first time around (farther back the thread). This time, when I tried to post my code, I stripped out the script tags and posted the raw code. It still won't accept it.

And whatever it was that it wouldn't accept would still be rejected outside the CODE tags.

DaveC426913 said:
It would be astonishing to me, here, a quarter way into the 21st century, if a host like Cloudflare has not learned how to sanitize inputs.

You are misunderstanding the purpose of this filtering, which is primarily to protect bandwidth from being consumed by responding to requests from bad actors, and which works precisely because Cloudflare know how to identify potentially malicious inputs.

Anyone who runs a public server will be aware that a huge proportion of HTTP requests are hacking attempts by bad actors - perhaps 50% of requests on a low-traffic site. Many of these attacks are crude attempts at exposing cross-site scripting (XSS), SQL injection or similar vulnerabilities which can be identified by the presence of certain strings in requests like '<scr-ipt>' or the '; DROP TABLE users' in the XKCD cartoon you linked.

It may well be that there is a setting to turn this filtering off (I haven't used Cloudflare for a long time), but Cloudflare is notoriously difficult to configure so we will have to let Greg continue to work on it.
 
  • #23
pbuk said:
And whatever it was that it wouldn't accept would still be rejected outside the CODE tags.
That simply means that the IT guy didn't solve the whole problem. The IT guy is tasked with getting the feature working for the user. If he has to do something with CloudFlare to do so, so be it. Else the CODE feature should be removed from the options.

Caveat to @Greg Bernhardt, @pbuk et al: this is an academic discussion about broader procedures; it is in no way directed at you or intended as blame. You're doing a bang-up job for the pay you get, and I am not complaining.

I am playing Devils Avocado here, doffing my developer hat and donning my user hat. We're just talking here about user experience versus developer experience.

pbuk said:
You are misunderstanding the purpose of this filtering, which is primarily to protect bandwidth
Then the CODE feature should be removed if it's not compatible with the platform. It's not my role as user to understand why a feature doesn't work, simply to use it and assume, if it's offered, that I can.

pbuk said:
It may well be that there is a setting to turn this filtering off

Ideally, yes. I was riffing on your comment in particular, where you were doubting whether it could be turned off.
 