Does <Code> feature not work?

[DaveC426913]

I cannot post code with the CODE tags.
Here is a screen grab of the code I tried to post, and the error it thorws when I try to save it.

I am going to start small and see where it breaks.

It chokes on any script line.

[CODE lang="html" title="Title"]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>My first three.js app</title>
<style>
body { margin: 0; }
</style>

</head>
<body>
</body>
</html>

[/CODE]

 

[fresh_42]

Works fine for me: HTML, XML, general code. Edit, preview, and all. I just have to forget the idea of posting it. Then I receive an oops, too.

 

[fresh_42]

\documentclass[12pt,a4paper]{article}
%\usepackage[latin1]{inputenc}
\usepackage[utf8]{inputenc}
\usepackage{amsmath}
\usepackage{amsfonts}
\usepackage{amssymb}
\usepackage{graphicx}
\usepackage{stmaryrd}
\usepackage{tikz}
\usepackage{tikz-feynman}
%\tikzfeynmanset{compat=1.0.0}
\begin{document}
%\newcommand{\pars}[1]{\left(\,{#1}\,\right)}
%$$
%\pars{A}
%$$
%\feynmandiagram [horizontal=a to b] {
%i1 -- [fermion] a -- [fermion] i2,
%a -- [photon] b,
%f1 -- [fermion] b -- [fermion] f2,
%};
%\feynmandiagram [horizontal=a to b] {
%i1 -- [fermion] a -- [fermion] i2,
%a -- [photon] b,
%f1 -- [fermion] b -- [fermion] f2,
%};
\title{Scribblings}
%\maketitle
\noindent
\begin{align*}
5 > 4/2 > 0
\end{align*}
\newpage
\noindent

%\section{Sources}
%[av_toggle_container initial='0' mode='accordion' sort='' av_uid='av-z56gl9']
%[av_toggle title='Sources' tags='' av_uid='av-kw33gd']
%[1] Pictures.
%\begin{verbatim}
%https://de.wikipedia.org/wiki/Gabriels_Horn#/media/Datei:GabrielHorn.png
%\end{verbatim}

%[/av_toggle]
%[/av_toggle_container]
\end{document}

That was strange! Html did not work (oops) in either code tag HTML, XML, or without specification, but Tex code worked, also without specification.

 

[Filip Larsen]

That was strange! Html did not work (oops) in either code tag HTML, XML, or without specification, but Tex code worked

It doesn't seem entirely surprising that imbedding (or quoting) HTML in HTML inherently has a greater chance of failure than to embed snippets of other languages that share no syntax with the HTML/XML tag structure. As far as I can spot with a quick glance at the page source code, the quoting works in general using the standard "trick" of replacing the < and > characters with HTML entities, so one guess could be that it is the input or processing part that has a hiccup on a literal script tag.

 

[fresh_42]

The interesting part is that the "hiccups" don't occur when previewing the page, only when the post button is hit.

 

[Greg Bernhardt]

This is likely Some security to prevent script injections. Remove the script tags.

 

[DaveC426913]

This is likely Some security to prevent script injections. Remove the script tags.

Yes. But whole point of the CODE function is to sandbox code so it can be posted without being activated. If I can't post SCRIPT, I can't ask for troubleshooting help. (Unless I mangle the tag)

 

[Greg Bernhardt]

[CODE lang="html" title="test"]<script src="/js/xf/preamble.min.js?_v=e949bd59"></script>[/CODE]

 

[mfb]

If I try to quote your post and post I get "Oops". Maybe admins are exempted from the filter.

 

[Greg Bernhardt]

I can see from the chrome console it's from Cloudflare. Let me see what I can adjust.

 

[pbuk]

It chokes on any script line.

This is known behaviour related to defences built in to the Cloudflare CDN used by PF. See https://www.physicsforums.com/threads/cannot-type-etc-hosts-without-the-spaces.1045236/post-6796951

 

[DaveC426913]

I have just tried to upload some code into the same thread. I did not include the script tags, just the raw js.

It still wouldn't allow it. Pretty safe to say the CODE feature is not working as-intended.

I am relegated to uploading a screen grab, like a noob.

 

[pbuk]

I have just tried to upload some code into the same thread. I did not include the script tags, just the raw js.

<script> tags are not the only payload using an application/x-www-form-urlencoded attack vector that Cloudflare has defences against.

Pretty safe to say the CODE feature is not working as-intended.

Nothing to do with the CODE feature (try removing the CODE tags to see) - this applies to any POST message using application/x-www-form-urlencoded.

 

[Greg Bernhardt]

It still wouldn't allow it. Pretty safe to say the CODE feature is not working as-intended.

It's not the code feature, it's our use of Cloudflare. I haven't had time to sit down and figure out the settings that would allow it to pass without compromising security. It's not super intuitive.

 

[DaveC426913]

Nothing to do with the CODE feature

OK, from a user perspective: there's a feature on PF whose purpose is to allow me to post code. The feature does not allow me to do what it purports - for whatever reason.


But good to know it's in good hands. I can work around it. Thanks Greg. Don't kill yourself on my account.

 

[Filip Larsen]

OK, from a user perspective: there's a feature on PF whose purpose is to allow me to post code.

I am not aware which specific syntax that triggers the block, but if we assume it involves the presence of the open/close brackets using in HTML/XML it might be possible to post code where those "offending" characters are replaced with something that looks like them, .e.g. one of the unicode brakcets. Of course, anyone reading that code needs to be informed of the reverse replacement needed for it to be valid code again.

Example snippet from the wikipedia page linked above with < and > characters replaced with double angles ⟪ and ⟫:
[CODE title="Test"]⟪!DOCTYPE html⟫
⟪html class="client-nojs vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-sticky-header-enabled vector-toc-available" lang="en" dir="ltr"⟫
⟪head⟫
⟪meta charset="UTF-8"⟫
⟪title⟫Bracket (mathematics) - Wikipedia⟪/title⟫
⟪script⟫(function(){var className="client-js vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-sticky-header-enabled vector-toc-available";var cookie=document.cookie.match(/(?:^|; )enwikimwclientpreferences=([^;]+)/);if(cookie){cookie[1].split('%2C').forEach(function(pref){className=className.replace(new RegExp('(^| )'+pref.replace(/-clientpref-\w+$|[^\w-]+/g,'')+'-clientpref-\\w+( |$)'),'$1'+pref+'$2');});}document.documentElement.className=className;}());RLCONF={"wgBreakFrames":false,"wgSeparatorTransformTable":["",""],"wgDigitTransformTable":["",""],"wgDefaultDateFormat":"dmy",
"wgMonthNames":["","January","February","March","April","May","June","July","August","September","October","November","December"],"wgRequestId":"73edb9c9-ae39-421f-900d-7ba9444be9ac","wgCanonicalNamespace":"","wgCanonicalSpecialPageName":false,"wgNamespaceNumber":0,"wgPageName":"Bracket_(mathematics)","wgTitle":"Bracket (mathematics)","wgCurRevisionId":1270383543,"wgRevisionId":1270383543,"wgArticleId":11219603,"wgIsArticle":true,"wgIsRedirect":false,"wgAction":"view","wgUserName":null,"wgUserGroups":["*"],"wgCategories":["Articles with short description","Short description is different from Wikidata","Arithmetic","Mathematical notation"],"wgPageViewLanguage":"en","wgPageContentLanguage":"en","wgPageContentModel":"wikitext","wgRelevantPageName":"Bracket_(mathematics)","wgRelevantArticleId":11219603,"wgIsProbablyEditable":true,"wgRelevantPageIsProbablyEditable":true,"wgRestrictionEdit":[],"wgRestrictionMove":[],"wgNoticeProject":"wikipedia","wgCiteReferencePreviewsActive":false,
"wgFlaggedRevsParams":{"tags":{"status":{"levels":1}}},"wgMediaViewerOnClick":true,"wgMediaViewerEnabledByDefault":true,"wgPopupsFlags":0,"wgVisualEditor":{"pageLanguageCode":"en","pageLanguageDir":"ltr","pageVariantFallbacks":"en"},"wgMFDisplayWikibaseDescriptions":{"search":true,"watchlist":true,"tagline":false,"nearby":true},"wgWMESchemaEditAttemptStepOversample":false,"wgWMEPageLength":10000,"wgEditSubmitButtonLabelPublish":true,"wgULSPosition":"interlanguage","wgULSisCompactLinksEnabled":false,"wgVector2022LanguageInHeader":true,"wgULSisLanguageSelectorEmpty":false,"wgWikibaseItemId":"Q4953686","wgCheckUserClientHintsHeadersJsApi":["brands","architecture","bitness","fullVersionList","mobile","model","platform","platformVersion"],"GEHomepageSuggestedEditsEnableTopics":true,"wgGETopicsMatchModeEnabled":false,"wgGEStructuredTaskRejectionReasonTextInputEnabled":false,"wgGELevelingUpEnabledForUser":false};RLSTATE={"ext.globalCssJs.user.styles":"ready","site.styles":"ready",
"user.styles":"ready","ext.globalCssJs.user":"ready","user":"ready","user.options":"loading","ext.cite.styles":"ready","ext.math.styles":"ready","skins.vector.search.codex.styles":"ready","skins.vector.styles":"ready","skins.vector.icons":"ready","ext.wikimediamessages.styles":"ready","ext.visualEditor.desktopArticleTarget.noscript":"ready","ext.uls.interlanguage":"ready","wikibase.client.init":"ready","ext.wikimediaBadges":"ready"};RLPAGEMODULES=["ext.cite.ux-enhancements","site","mediawiki.page.ready","mediawiki.toc","skins.vector.js","ext.centralNotice.geoIP","ext.centralNotice.startUp","ext.gadget.ReferenceTooltips","ext.gadget.switcher","ext.urlShortener.toolbar","ext.centralauth.centralautologin","ext.popups","ext.visualEditor.desktopArticleTarget.init","ext.visualEditor.targetLoader","ext.echo.centralauth","ext.eventLogging","ext.wikimediaEvents","ext.navigationTiming","ext.uls.interface","ext.cx.eventlogging.campaigns","ext.cx.uls.quick.actions","wikibase.client.vector-2022",
"ext.checkUser.clientHints","ext.growthExperiments.SuggestedEditSession"];⟪/script⟫
⟪script⟫(RLQ=window.RLQ||[]).push(function(){mw.loader.impl(function(){return["user.options@12s5i",function($,jQuery,require,module){mw.user.tokens.set({"patrolToken":"+\\","watchToken":"+\\","csrfToken":"+\\"});
}];});});⟪/script⟫
⟪link rel="stylesheet" href="/w/load.php?lang=en&amp;modules=ext.cite.styles%7Cext.math.styles%7Cext.uls.interlanguage%7Cext.visualEditor.desktopArticleTarget.noscript%7Cext.wikimediaBadges%7Cext.wikimediamessages.styles%7Cskins.vector.icons%2Cstyles%7Cskins.vector.search.codex.styles%7Cwikibase.client.init&amp;only=styles&amp;skin=vector-2022"⟫
⟪script async="" src="/w/load.php?lang=en&amp;modules=startup&amp;only=scripts&amp;raw=1&amp;skin=vector-2022"⟫⟪/script⟫
⟪meta name="ResourceLoaderDynamicStyles" content=""⟫
⟪link rel="stylesheet" href="/w/load.php?lang=en&amp;modules=site.styles&amp;only=styles&amp;skin=vector-2022"⟫
⟪meta name="generator" content="MediaWiki 1.44.0-wmf.14"⟫
⟪meta name="referrer" content="origin"⟫
⟪meta name="referrer" content="origin-when-cross-origin"⟫
⟪meta name="robots" content="max-image-preview:standard"⟫
⟪meta name="format-detection" content="telephone=no"⟫
⟪meta name="viewport" content="width=1120"⟫
⟪meta property="og:title" content="Bracket (mathematics) - Wikipedia"⟫
⟪meta property="og:type" content="website"⟫
⟪link rel="alternate" media="only screen and (max-width: 640px)" href="//en.m.wikipedia.org/wiki/Bracket_(mathematics)"⟫
⟪link rel="alternate" type="application/x-wiki" title="Edit this page" href="/w/index.php?title=Bracket_(mathematics)&amp;action=edit"⟫
⟪link rel="apple-touch-icon" href="/static/apple-touch/wikipedia.png"⟫
⟪link rel="icon" href="/static/favicon/wikipedia.ico"⟫
⟪link rel="search" type="application/opensearchdescription+xml" href="/w/rest.php/v1/search" title="Wikipedia (en)"⟫
⟪link rel="EditURI" type="application/rsd+xml" href="//en.wikipedia.org/w/api.php?action=rsd"⟫
⟪link rel="canonical" href="https://en.wikipedia.org/wiki/Bracket_(mathematics)"⟫
⟪link rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/deed.en"⟫
⟪link rel="alternate" type="application/atom+xml" title="Wikipedia Atom feed" href="/w/index.php?title=Special:RecentChanges&amp;feed=atom"⟫
⟪link rel="dns-prefetch" href="//meta.wikimedia.org" /⟫
⟪link rel="dns-prefetch" href="login.wikimedia.org"⟫
⟪/head⟫[/CODE]

 

[pbuk]

OK, from a user perspective: there's a feature on PF whose purpose is to allow me to post code. The feature does not allow me to do what it purports - for whatever reason.

No, let me repeat that this is nothing to do with the code tags, you can't post <,s,c,r,i,p,t,> (without the commas) or other terms e.g. /,e,t,c,/,h,o,s,t,s whether they are in code tags or not.

 

[pbuk]

I am not aware which specific syntax that triggers the block, but if we assume it involves the presence of the open/close brackets using in HTML/XML

It doesn't, see for example the /,e,t,c,/,h,o,s,t,s example. However it IS based on specific strings (or more accurately, strings that decode to specific strings) so yes, ⟪script⟫ will work (but not &lt;scri... or &#x3C;scri...).
But so does the much simpler <scr-ipt> which will easily be picked up by any syntax highlighter and is the easiest work-around unless and until @Greg Bernhardt finds a switch to turn this off (note: I am not sure there is one).

 

[DaveC426913]

No, let me repeat that this is nothing to do with the code tags,

You realize, as a user, it makes no difference to me why it doesn't work under-the-hood.

The simple fact is that the ability to put code in my post (a feature offered) is not functioning. All other features can be used by me the user; this one cannot.

As a former-developer-turned-UX guy, I am aware how easy it is to tell frsutrated users "Oh no it's not really broken; it's because of X", to which the users invariably say (or at least, think) "X or Y makes no difference to me the user. I assure you it is broken; I cannot use it."

 

[Filip Larsen]

It doesn't, see for example the /,e,t,c,/,h,o,s,t,s example.

Right, but that is an unlikely sequence to have in most code, even more so in HTML/JS snippets which I understand what Dave is mostly interested in, so using search and replace (with tags start/end characters, or as you suggest, inserting an extra character so general XML syntax highlighters still pick up the syntax) may be a useful work-around compared to not being able to post or having to post all code as image.

 

[DaveC426913]

It doesn't, see for example the /,e,t,c,/,h,o,s,t,s example. However it IS based on specific strings (or more accurately, strings that decode to specific strings) so yes, ⟪script⟫ will work (but not &lt;scri... or &#x3C;scri...).
But so does the much simpler <scr-ipt> which will easily be picked up by any syntax highlighter and is the easiest work-around unless and until @Greg Bernhardt finds a switch to turn this off (note: I am not sure there is one).

Except that the code I tried to post contained no script tags at all. We learned that one the first time around (farther back the thread). This time, when I tried to post my code, I stripped out the script tags and posted the raw code. It still won't accept it.

... a switch to turn this off (note: I am not sure there is one).

It would be astonishing to me, here, a quarter way into the 21st century, if a host like cloudflare has not learned how to sanitize inputs. (Perhaps they can Google it? Or perhaps someone can contact, like, anyone in their office and tip them off?) It is a relatively simple matter of escaping the offending characters/lines before they are consumed, and then unescaping them when being displayed.

To say, "We can't do that, let's just disallow the function" is to say "We forgot this is a standard part of modern hosting. BTW, has QA checked to see if we allo- the input and output of all t-enty-six letters of the alphabet? Do we still disallow \W?".

 

[pbuk]

Except that the code I tried to post contained no script tags at all. We learned that one the first time around (farther back the thread). This time, when I tried to post my code, I stripped out the script tags and posted the raw code. It still won't accept it.

And whatever it was that it wouldn't accept would still be rejected outside the CODE tags.

It would be astonishing to me, here, a quarter way into the 21st century, if a host like cloudflare has not learned how to sanitize inputs.

You misunderstanding the purpose of this filtering which is primarily to protect bandwidth from being consumed by responding to requests from bad actors and works precisely because Cloudflare know how to identify potentially malicious inputs.

Anyone who runs a public server will be aware that a huge propertion of HTTP requests are hacking attempts by bad actors - perhaps 50% of requests on a low-traffic site. Many of these attacks are crude attempts at exposing cross-site scripting (XSS), SQL injection or similar vulnerabilities which can be identified by the presence of certain strings in requests like '<scr-ipt>' or the '; DROP TABLE users' in the XCKD cartoon you linked.

It may well be that there is a setting to turn this filtering off (I haven't used Cloudflare for a long time), but Cloudflare is notoriously difficult to configure so we will have to let Greg continue to work on it.

 

[DaveC426913]

And whatever it was that it wouldn't accept would still be rejected outside the CODE tags.

That simply means that the IT guy didn't solve the whole problem. The IT guy is tasked with getting the feature working for the user. If he has to do something with CloudFlare to do so, so be it. Else the CODE feature should be removed from the options.

Caveat to @Greg Bernhardt , @pbuk et al: this is an academic discussion about broader procedures; it is in no way directed at you or intended as blame. You're doing a bangup job for the pay you get, and I am not complaining.

I am playing Devils Avocado here, doffing my developer hat and donning my user hat. We're just talking here about user experience versus developer experience.

You misunderstanding the purpose of this filtering which is primarily to protect bandwidth

Then the CODE feature should be removed if it's not compatible with the platform. It's not my role as user to understand why a feature doesn't work, simply to use it and assume, if it's offered, that I can.

It may well be that there is a setting to turn this filtering off

Ideally, yes. I was riffing your comment in particular where you were doubting if it could be turned off