How to find the origin of some invasive html? - security

I've been working on the site https://founderspledge.com/ and just noticed that if you go to the main page, and open the Chrome console to view the source, there's an element that I certainly didn't put there:
<div class="pub_300x250 pub_300x250m pub_728x90 text-ad textAd
text_ad text_ads text-ads text-ad-links" style="position: absolute;">.</div>
It also doesn't show up when I run the site's code in localhost, or when I load the page source separately using Chrome's 'View Source' option.
I Googled the div's class list, and the top few hits were from anti-ad blocker software (eg https://github.com/sitexw/FuckAdBlock), which doesn't seem malign, but doesn't explain why it would be on this site.
So
1) How can I get rid of this element?
2) How might it have got there?
3) Does it imply there's a hole in the site's security?

UPDATE: Facebook have acknowledged this as a bug: https://developers.facebook.com/bugs/336662116810282/?hc_location=ufi
I'm so glad to find this issue - have been tearing my hair out to work out the same exact thing! I found it's coming from fbevents.js (https://connect.facebook.net/en_US/fbevents.js) version 2.8.7 - you can clearly see the code that adds the div in. It seems like this is something that has happened very recently? But likewise, I couldn't find anything other than references to anti adblocking scripts which had me concerned!
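As an added example (not code from any poster in this thread, and not Facebook's code): one way to find which script inserts an element like the one above is to wrap the DOM insertion methods before any third-party tags load and record a stack trace whenever a node with the suspicious class names is inserted. The first frame in that trace that is not served from the page's own origin names the responsible script. The class list is the one quoted in the question; the sample stack trace and the stand-in prototype used in `demo()` are constructed here so the helper can be exercised outside a browser.

```javascript
// Attribute a DOM insertion to the script that performed it.  Wrapping the
// insertion methods on Node.prototype captures a stack trace at the moment
// a suspicious element is inserted; the first frame not on the page's own
// origin names the third-party script.  Illustration only, not code from
// the original thread.

// Class names from the element quoted in the question.
const SUSPECT_CLASSES = /\b(?:pub_300x250m?|pub_728x90|text[-_]ads?|textAd)\b/;

// Pull every http(s) URL out of a V8-style stack trace, in call order.
function scriptUrlsFromStack(stack) {
  const urls = [];
  const re = /(https?:\/\/[^\s):]+)/g;
  let m;
  while ((m = re.exec(stack || '')) !== null) urls.push(m[1]);
  return urls;
}

// First script URL in the trace that is not served from ownOrigin, or null.
function likelyOrigin(stack, ownOrigin) {
  for (const u of scriptUrlsFromStack(stack)) {
    if (new URL(u).origin !== ownOrigin) return u;
  }
  return null;
}

// Replace each named method on `proto` with a wrapper that reports
// insertions of suspicious nodes, then delegates to the original method.
function instrumentInsertions(proto, methods, report, ownOrigin) {
  for (const name of methods) {
    const original = proto[name];
    proto[name] = function (...args) {
      const node = args[0];
      const cls = node && typeof node.className === 'string' ? node.className : '';
      if (SUSPECT_CLASSES.test(cls)) {
        const stack = new Error().stack;
        report({ method: name, className: cls, origin: likelyOrigin(stack, ownOrigin), stack });
      }
      return original.apply(this, args);
    };
  }
}

// Constructed V8-style trace standing in for what a browser would show if a
// third-party tag inserted the element (hypothetical frames, not captured data).
const SAMPLE_STACK = [
  'Error',
  '    at Node.appendChild (https://founderspledge.com/:12:5)',
  '    at n (https://connect.facebook.net/en_US/fbevents.js:1:23456)',
  '    at https://founderspledge.com/:40:3',
].join('\n');

// Exercise the wrapper against a stand-in prototype (no browser needed).
function demo() {
  const reports = [];
  const fakeProto = { appendChild(node) { return node; } };
  instrumentInsertions(fakeProto, ['appendChild'], r => reports.push(r), 'https://example.test');
  fakeProto.appendChild({ className: 'pub_300x250 pub_300x250m pub_728x90 text-ad textAd' });
  fakeProto.appendChild({ className: 'site-footer' });
  return reports;
}
```

In a real page you would run `instrumentInsertions(Node.prototype, ['appendChild', 'insertBefore'], console.log, location.origin)` from an inline script placed above all third-party tags (or from the console before reloading with a breakpoint). Insertions done through `innerHTML` or `insertAdjacentHTML` bypass these methods; a `MutationObserver` will still see the node appear, but by the time its callback runs the inserting frame is gone from the stack, which is why the wrapper approach is used here.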

Related

Content scripts on prerendered pages?

Are Content Scripts (http://code.google.com/chrome/extensions/content_scripts.html) injected into prerendered pages (document.webkitVisibilityState== 'prerender') ?
I’ve been reading https://developers.google.com/chrome/whitepapers/prerender and https://developers.google.com/chrome/whitepapers/pagevisibility, and am trying to figure out how Content Scripts work with page prerendering/prefetching.
Thanks
TheZ, tomdemuyt: I’m afraid you guys are missing the point. ‘run_at’ specifies whether the content script is injected before or after the DOM is constructed.
However, I am talking about document.webkitVisibilityState, which can be ‘prerender’ (when the page is in a background/invisible tab), ‘hidden’, or ‘visible’. Note that webkitVisibilityState can transition from ‘prerender’ to ‘hidden’ or ‘visible’, or back and forth between ‘hidden’ and ‘visible’, without any changes being made to the DOM. (In order to better understand this, read the articles linked in my original post.)
I think I’ve been able to determine that content scripts ARE injected into prerendered pages. Here’s the problem, however: let’s say my content script does something that should not occur on a prerendered page. For instance, it does pageview count, or adds animation, neither of which should begin until the user is actually viewing the page. So it seems that my content script should do something like what’s shown in the code examples on https://developers.google.com/chrome/whitepapers/pagevisibility - check document.webkitVisibilityState, and also listen to the ‘webkitvisibilitychange’ event, and only do pageview count/start the animation when document.webkitVisibilityState is, or has transitioned to, ‘visible’.
I may have just answered my own question, but I just wanted to make sure that I was on the right track.
Thanks
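As an added example (not code from any poster in this thread): a content-script helper that implements the approach the post above arrives at, doing nothing while the page is prerendered or hidden and running its work exactly once when the page becomes visible. It supports both the unprefixed `visibilityState`/`visibilitychange` API and the older `webkitVisibilityState`/`webkitvisibilitychange` names the question uses. The `FakeDocument` class and `demo()` are constructed here so the helper can be exercised outside a browser; in a real content script you pass `document`.

```javascript
// Defer content-script work until the page is actually visible.  Chrome
// injects content scripts into prerendered pages, so a pageview counter or
// animation started at injection time would run on a page the user may
// never see.  Added example, not from the original thread.

// Pick whichever Page Visibility API the document exposes.
function visibilityApi(doc) {
  if (typeof doc.visibilityState === 'string') {
    return { prop: 'visibilityState', event: 'visibilitychange' };
  }
  if (typeof doc.webkitVisibilityState === 'string') {
    return { prop: 'webkitVisibilityState', event: 'webkitvisibilitychange' };
  }
  return null; // API unavailable: treat the page as visible
}

// Run `work` once, now if the page is visible, otherwise on the first
// transition to 'visible'.  Returns true if it ran immediately.
function runWhenVisible(doc, work) {
  const api = visibilityApi(doc);
  if (api === null || doc[api.prop] === 'visible') {
    work();
    return true;
  }
  const onChange = () => {
    if (doc[api.prop] === 'visible') {
      doc.removeEventListener(api.event, onChange);
      work();
    }
  };
  doc.addEventListener(api.event, onChange);
  return false;
}

// Minimal stand-in for `document`, constructed here for offline use.
class FakeDocument {
  constructor(initialState, prefixed) {
    this.prefixed = prefixed;
    this.listeners = {};
    this.stateProp = prefixed ? 'webkitVisibilityState' : 'visibilityState';
    this.eventName = prefixed ? 'webkitvisibilitychange' : 'visibilitychange';
    this[this.stateProp] = initialState;
  }
  addEventListener(name, fn) {
    if (!this.listeners[name]) this.listeners[name] = [];
    this.listeners[name].push(fn);
  }
  removeEventListener(name, fn) {
    this.listeners[name] = (this.listeners[name] || []).filter(f => f !== fn);
  }
  setState(state) {
    this[this.stateProp] = state;
    for (const fn of [...(this.listeners[this.eventName] || [])]) fn();
  }
}

// Walk a prerendered page through hidden -> visible -> hidden -> visible and
// check the pageview is counted exactly once.
function demo() {
  const doc = new FakeDocument('prerender', true);
  let pageviews = 0;
  const ranImmediately = runWhenVisible(doc, () => { pageviews += 1; });
  doc.setState('hidden');   // prerender -> hidden: still not a pageview
  const afterHidden = pageviews;
  doc.setState('visible');  // now the work runs
  doc.setState('hidden');
  doc.setState('visible');  // listener already removed: no double count
  return { ranImmediately, afterHidden, pageviews };
}
```

Note that `run_at` only controls when the script is injected relative to DOM construction; it does not change whether the page is prerendered, so the visibility check is still needed in either setting.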
As TheZ mentioned, you should use the run_at setting.
Link to docs : http://code.google.com/chrome/extensions/content_scripts.html#registration

How Wappalyzer (Mozilla addon) and GTmetrix find the CMS platform

I am currently developing a site which is not supposed to expose that its platform is Magento (sorry about that).
I thought Wappalyzer (Mozilla addon) and GTmetrix were finding the CMS name from its HTML format, but when I checked an empty white page with those tools they still showed me as using Magento (there is nothing in the source view - it's a white page), so now how are they finding that I'm using Magento? Any idea how they are working? I checked the headers but there is nothing specifically mentioning Magento. The same goes with WordPress/Joomla - Wappalyzer (Mozilla addon) and GTmetrix simply find the site platform even when there is no HTML source.
So I guess it's something in the headers (I might be missing something), or what else could it be? Please advise. Attached is a screenshot of it.
Thanks in advance
You can view Wappalyzer's source code: (Ctrl+F Magento):
https://github.com/ElbertF/Wappalyzer/blob/master/share/js/apps.js
Most likely Wappalyzer picked up on the "Mage" JavaScript variable. You can see this by clicking the DOM tab in Firebug.
They find it using words like mage, varien, magento. If it finds any of these words inside a CSS/JS file, a class, an #id, or a comment, then it identifies the site as Magento.
Also, GTmetrix does one more step: it checks the CSS/JS URL path - if it finds a URL like skin/frontend, it says it is Magento.
Don't forget cookies...
I use FireBugs. Go to main menu -> Cookies
There is frontend in cookies.
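As an added example (not Wappalyzer's or GTmetrix's actual rules, and not code from any poster): a small fingerprinter that checks the three signals the answers above describe, the Mage/varien/magento tokens in markup or scripts, skin/frontend asset paths, and a "frontend" session cookie, against a captured response. The two sample responses are constructed here: one is a blank page that still leaks Magento through a script tag and a cookie, the other has those traces removed. The point for the asker is that hiding the HTML is not enough; asset paths, global JavaScript names and cookie names all have to change.

```javascript
// Simplified CMS fingerprinter modelled on the signals described above.
// Illustration only; real tools use far larger rule sets.

const SIGNALS = [
  // Global JS object / class / comment tokens
  { name: 'token',  re: /\b(?:Mage|varien|magento)\b/i,  where: 'body' },
  // Default Magento theme asset path
  { name: 'path',   re: /\/skin\/frontend\//i,             where: 'body' },
  // Default Magento session cookie name (matches a cookie named exactly "frontend")
  { name: 'cookie', re: /(?:^|,\s*)frontend=/i,            where: 'set-cookie' },
];

// `response` is { headers: { 'set-cookie': string }, body: string }.
// Returns the names of the signals that fired, in rule order.
function detectMagento(response) {
  const body = response.body || '';
  const setCookie = (response.headers && response.headers['set-cookie']) || '';
  const hits = [];
  for (const s of SIGNALS) {
    const haystack = s.where === 'body' ? body : setCookie;
    if (s.re.test(haystack)) hits.push(s.name);
  }
  return hits;
}

// Constructed sample: a visually blank page whose only Magento traces are a
// cookie, a theme asset path and a global JS variable.
const BLANK_PAGE = {
  headers: { 'set-cookie': 'frontend=abc123; path=/; httponly' },
  body: '<html><head>' +
        '<script src="/skin/frontend/base/default/js/x.js"></script>' +
        '<script>var Mage = {};</script>' +
        '</head><body></body></html>',
};

// Constructed sample: the same page with the cookie renamed, the asset path
// moved and the global variable gone.
const SCRUBBED_PAGE = {
  headers: { 'set-cookie': 'sid=abc123; path=/; httponly' },
  body: '<html><head><script src="/assets/js/x.js"></script></head><body></body></html>',
};
```

Running `detectMagento(BLANK_PAGE)` reports all three signals even though the rendered page is empty, which is the behaviour the asker saw; `detectMagento(SCRUBBED_PAGE)` reports none. Also check that the `Mage` object is not still created by included scripts, since, as the Firebug DOM tab shows, a global variable is visible regardless of what the page body contains.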

Disappearing form fields on IE?

I have been working on this site for some time and just launched it for a client.
People have actually had trouble believing I had done it on WordPress, though I don't see why...
Anyway, I suddenly see that the form fields of one of the forms on the site (Newsletter Registration) disappear while on IE, you get to see them for a second and puff, they're gone. I did check this previously on IE and it worked, I especially used CSS3 PIE to get the rounded effect for the fields on IE...
Link to website: http://www.doritsivan.com (hope this isn't considered promotion, not my intention)
site is based on WordPress and jQuery.
Resolved the issue, thank you all. It was a bad case of relative vs. absolute positioning and the fields decided to go away (literally).
A bunch of debugging with Firebug Lite (btw it was real to get it to work on my IE, it kept on crashing or refusing to load altogether, combined with IE popup and security issues) and I understood that this was the issue, then some pixel fiddling and all was good. Rechecked in Chrome, saw that the result was exactly the same. Job done.

Disabling Chrome translation for JavaScript

I am writing a Google Chrome extension. The targeted pages are written in Russian. Chrome translates to English. I can see some inconsistencies appear that seem to be linked to translation. For example, in the following code I check to see if I am in a particular folder:
if (searchResult[0].innerHTML.indexOf("Общая папка")!=-1) alert("You are in Shared Folder."); else (alert(searchResult[0].innerHTML));
If I reload the exact same page several times, the result is inconsistent. Sometimes it detects "Общая папка" but other times it does not. When it does not detect this phrase, the alert says I am in "Shared Folder" which is the translation for ""Общая папка." There appears to be no consistency here. Sometimes I am dealing with the original text (which is preferred) but sometimes I am dealing with crappy translations that are useless for my script because the translations change all the time.
Does anyone know how to fix this? Turning it off would probably fix it but actually the translations are useful and necessary for other aspects of the extension. I understand that the translation works with some secondary layer of the HTML (I have not researched this very well). Can I simply refer to the original in my script?
According to this answer, you can disable translation by placing the following element in the head section of your web page:
<meta name="google" content="notranslate">
If you needed to programmatically disable translation, you could add that tag through JavaScript.
Not sure about disabling it, but looks like after a translation Chrome adds class="translated-ltr" to <html> element, so maybe you at least can detect when the page was translated and either warn a user that the extension might not work properly on this page or just disable it.
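As an added example (not code from any poster in this thread): helpers that combine the two answers above. `disableTranslation` inserts the `<meta name="google" content="notranslate">` opt-out from a content script, `isTranslated` checks for the `translated-ltr`/`translated-rtl` class Chrome puts on `<html>`, and `classifyFolder` wraps the original `"Общая папка"` check so it refuses to interpret text that may already have been translated instead of silently matching against an unstable English rendering. The `FakeDocument` class is constructed here so the helpers can be exercised outside a browser; in a content script you pass `document`.

```javascript
// Guard a content script against Chrome's page translation.
// Added example, not from the original thread.

// True if Chrome has translated the page (it marks <html> with a
// translated-ltr or translated-rtl class).
function isTranslated(doc) {
  const cls = doc.documentElement.className || '';
  return /\btranslated-(?:ltr|rtl)\b/.test(cls);
}

// Add the notranslate meta tag unless it is already present.
// Returns true if a tag was added.
function disableTranslation(doc) {
  const head = doc.head;
  const already = Array.from(head.children).some(el =>
    el.tagName.toLowerCase() === 'meta' &&
    el.getAttribute('name') === 'google' &&
    el.getAttribute('content') === 'notranslate');
  if (already) return false;
  const meta = doc.createElement('meta');
  meta.setAttribute('name', 'google');
  meta.setAttribute('content', 'notranslate');
  head.appendChild(meta);
  return true;
}

// The original folder check, guarded: only trust the text if the page has
// not been translated, otherwise report that the result is unreliable.
function classifyFolder(doc, innerHTML) {
  if (isTranslated(doc)) return 'unknown: page was translated';
  return innerHTML.indexOf('Общая папка') !== -1 ? 'shared' : 'other';
}

// Minimal stand-in for `document`, constructed here for offline use.
class FakeDocument {
  constructor(htmlClass) {
    this.documentElement = { className: htmlClass };
    this.head = {
      children: [],
      appendChild(el) { this.children.push(el); return el; },
    };
  }
  createElement(tag) {
    const attrs = {};
    return {
      tagName: tag.toUpperCase(),
      setAttribute(k, v) { attrs[k] = v; },
      getAttribute(k) { return attrs[k] === undefined ? null : attrs[k]; },
    };
  }
}
```

The meta tag only helps if it is in place before Chrome decides to translate, so a content script that inserts it should run at `document_start`; the class check covers pages where translation already happened.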

Web accessibility and h1-h6 headings - must all content be under these tags?

At the top of many pages in our web application we have error messages and notifications, 'Save' and other buttons, and then our h1 tag with the content title. When making a web application accessible, is it ever acceptable to have content above the top-level structure tag like we do here?
As a screen reader user I don't like content above the main heading. Normally I navigate by headings so would miss the error message. A better solution is to output an h1 heading above the error message, then leave the rest of your headings intact, giving you two h1 headings.
Yes (you can put stuff above them). The H simply means Heading. It's a question of what the heading relates to I guess.
My only caveat is, H2 shouldn't really be above H1, and H3 shouldn't be above H2. But I don't think it's an actual rule. Websites have menus, warnings, notifications. It's acceptable to put them above the rest of your content. I don't see how it would affect accessibility as long as your content is ordered logically. Look at the page with CSS turned off. Does it look logical? That's the most important part of accessibility.
Although some people do go that extra mile and have the menu as the last item in the markup and use CSS to bring it back to the top. Personally, I find that solution counter productive. The menu is still important, it belongs at the top of the page.
Yes, just consider it is in that order that the user will get the information. So, if you just did an operation it sounds like a good idea to get any message related to it as the first thing. If it is a notification that appears on any page unrelated to what you are doing, I wouldn't put it above, as it might be a little weird.
Also you can use a text browser that doesn't use styles, it should look like a document with appropriate headers.
Heading tags are used to indicate the hierarchy of the content below it. You should only have one h1 tag and it should be the first content to appear on your page (this is usually the name of the site). Also, you shouldn't skip heading tags when drilling down through different tiers of content.
In your case, you can still use CSS to position items above the h1 tag as long as it is in the correct order in the html.
I assume the elements above the heading are used by JavaScript. In that case, it's preferable if they are created by JavaScript, not included in the source of the page.
To return to your original question, it is probably best that they be at the foot of the page. However, if they are hidden using the CSS "display: none;" or "visibility: hidden;" properties then they will not be seen by most (perhaps all?) screenreaders or by many other assistive technologies, and so should not be an issue. I've written a fairly detailed explanation of why accessibility technology ignores such elements.
Of course if somebody disables CSS things are going to look pretty messy. If there is content on the page that can be used even when CSS and/or JavaScript are disabled, then putting those elements at the bottom of the page will at least make things less cluttered.