Jump to content
TNG Community
Geoff1959

TNG12 Non-xhtml1.0 transitional compliant

Recommended Posts

Geoff1959

I have worked hard to produce articles using historytemplate.php and have up until TNG12 managed to validate them for xhtml1.0

I believe that TNG was written to "talk" the same language, however with TNG12 some impure or non-compliant coding seems to have crept in.

The result is that my pages no longer validate.   The cause seems to be two CSS classes "Crossorigin" and "Integrity".

What are these used for? Why are they there? Why did the authors of this code fail to write it so that it is compliant with a standard that is pretty much a base line?

 

Share this post


Link to post
Share on other sites
Ken Roy
17 minutes ago, Geoff1959 said:

The cause seems to be two CSS classes "Crossorigin" and "Integrity".

Where are you seeing those as CSS classes?

A search for crossorigin in the TNG v12 files, shows both crossorigin and integrity as keywords used to validate that the jquery-3.3.1.min.js and jquery-ui.min.js are valid from code.jquery.com.

 

 

Share this post


Link to post
Share on other sites
Brett

Using https://validator.w3.org on some TNG 12 home pages shows errors there is no attribute "integrity" and there is no attribute "crossorigin" as well as others.

http://www.delvee.org/

http://www.centuriespast.co.uk/

https://www.devantie.net/

http://lythgoes.net/genealogy/

https://www.royandboucher.com

I could not identify those errors on the TNG 9, 10 and 11 sites that would validate.

 

 

 

 

Share this post


Link to post
Share on other sites
Geoff1959

 

14 hours ago, Ken Roy said:

Where are you seeing those as CSS classes?

A search for crossorigin in the TNG v12 files, shows both crossorigin and integrity as keywords used to validate that the jquery-3.3.1.min.js and jquery-ui.min.js are valid from code.jquery.com.

 

 

Like Brett said the errors seem to occur when I validate the home page.

I did a hunt on the net and found this which I had not seen before it goes back to 2015.

In 2018 support for these attributes was added to all major browsers.

https://stackoverflow.com/questions/32039568/what-are-the-integrity-and-crossorigin-attributes

"Integrity attribute is to allow the browser to check the file source to ensure that the code is never loaded if the source has been manipulated.

Crossorigin attribute is present when a request is loaded using 'CORS' which is now a requirement of SRI checking when not loaded from the 'same-origin'."

Reading the info I do get why the web community wanted the protection it offers but why would you then add them to TNG and not DO anything with them?

So I suppose the question is how do I fix this?

 

 

Share this post


Link to post
Share on other sites
Katryne

I do not know about Crossorigin, but as far as Integrity is concened, a guy presenting himself as Maintainer of the W3C HTML Checker (aka validator), announced in 2015 that he was on the verge of adding it to the validator, following many requests on Github. It might be that the W3C validator is a little behind the evolution of today's web. Personally, I stopped using the validator at least 10 years ago.

Share this post


Link to post
Share on other sites
Newfloridian

Katryne you may think that the validator's use as "a little behind the evolution of today's web" but I do note that on the TNG wiki 160 or so Mod writers wear it as a mark of pride (badge pf honour) that their mod is xhtml 1.0 compliant. I have been well aware that some internal TNG pages have not been compliant since the days of TNG 8.1.3 I gave up trying to validate them years ago. No, the current issue now affects user added pages. Pages written in historytemplate.php could always easily be made valid with a little effort - and indeed it is a very valuable tool to allow the end user to get his coding errors sorted out. Now, however there is no such option. All user added pages have lost the beautiful rewarding green valid screen because of these two new attributes. At a stroke if I did upgrade I would find over 500 of my pages now marked as invalid.

I have no idea what the purpose of "crossorigin" and "integrity" is. A little look around genlib.php in TNG12 (line 109-116) brings up the following (as there is only one instance of each word being flagged I doubt whether it comes from anywhere else):

 
if($isConnected) {
echo "<script src=\"https://code.jquery.com/jquery-3.3.1.min.js\" integrity=\"sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8=\" crossorigin=\"anonymous\"></script>\n";
echo "<script src=\"https://code.jquery.com/ui/1.12.1/jquery-ui.min.js\" integrity=\"sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU=\" crossorigin=\"anonymous\"></script>\n";
}
else {
echo "<script type=\"text/javascript\">// <![CDATA[\nwindow.jQuery || document.write(\"<script src='{$cms['tngpath']}js/jquery-3.3.1.min.js?v=910'>\\x3C/script>\")\n//]]></script>\n";
echo "<script type=\"text/javascript\">// <![CDATA[\nwindow.jQuery.ui || document.write(\"<script src='{$cms['tngpath']}js/jquery-ui-1.12.1.min.js?v=910'>\\x3C/script>\")\n//]]></script>\n";
}
I wonder what the effect would be if you deleted the first term, namely:
 
if($isConnected) {
echo "<script type=\"text/javascript\">// <![CDATA[\nwindow.jQuery || document.write(\"<script src='{$cms['tngpath']}js/jquery-3.3.1.min.js?v=910'>\\x3C/script>\")\n//]]></script>\n";
echo "<script type=\"text/javascript\">// <![CDATA[\nwindow.jQuery.ui || document.write(\"<script src='{$cms['tngpath']}js/jquery-ui-1.12.1.min.js?v=910'>\\x3C/script>\")\n//]]></script>\n";
}
I don't know very much about javascript to be abke to comment. However I do remember way back when that there was some issue with getting some javascript to run and if I remember right, that expression with CDATA in it was used as a mask.
 
I am still using (with no intention of doing otherwise) TNG10.1.3 - which happily runs with PHP 7.2 (PHP 7.3 on Wampserver) so I can't try it out myself. Perhaps someone with more knowledge could tell us whether anything would happen if the above was tried.
 
Alan

Share this post


Link to post
Share on other sites
Katryne

Alan, I took the liberty of writing that the W3C validator was " a little behind the evolution of today's web ", because 4 years ago the man who does the maintenance of the validator wrote that he was on the verge of adding the "integrity" thing (whatever it is) to the validator and that he has not done so yet.

And for my not using it anymore, it's a personnal decision. It's not a criticism.

 

Share this post


Link to post
Share on other sites
Ken Roy
27 minutes ago, Newfloridian said:

I do note that on the TNG wiki 160 or so Mod writers wear it as a mark of pride (badge pf honour) that their mod is xhtml 1.0 compliant

Alan,

I would not take the XHTML validation icon on the mods as necessarily being valid.  Too many mod articles are copied from other mod articles and might not get edited correctly.  I for one have not tested my mods for compliance in the last 10 years when we first wrote the wiki articles on XHMTL Validation

32 minutes ago, Newfloridian said:

I have no idea what the purpose of "crossorigin" and "integrity" is

.The purpose of both key words is to validate that the request to access the jquery  on their site is a valid request

Share this post


Link to post
Share on other sites
Newfloridian
6 minutes ago, Ken Roy said:

 

.The purpose of both key words is to validate that the request to access the jquery  on their site is a valid request

But what exactly does that mean? What is making what request to what and what is guaranteeing the the request is valid?  What happens if my own site is incapable of making such a request - I just don't understand.

Is this a request which is only something that TNG12 is capable - and that older version of TNG don't need to make? 

Alan

Share this post


Link to post
Share on other sites
bhemph

The integrity and crossorigin attributes are used by your browser to verify that the javascript that is being downloaded from a third party site like code.jquery.com has not been messed with, hacked, or changed to malware or a virus from the time when the integrity and crossorigin attributes were set up.  The browsers use it and it could be added to any version of TNG.  The W3C validator had the integrity and crossorigin attributes added to HTML5 validation, but not the XHTML or other validations.  You could add the attributes to the doctype to get the W3C validator to accept them and give you the green check.  I did that manually once just to see that it could be done, but I am pretty sure I deleted that file and would have to come up with the change anew.

Share this post


Link to post
Share on other sites
Geoff1959

There is some conjecture as to wether support for "integrity" and "crossorigin" has been added  to the W3C validator. I will post a question on stackoverflow/github to see if I can get a definitive answer.

Whilst very much a novice on this it seems that there are some fundamental points here.

The W3C validator is probably the first and most commonly used tool for validating Xhtml coding.

I personally have not seen anything in the release material for TNG12 that says these attributes were going to be introduced and what the impact could be.

Even better than informing us (the user) it would be superb if we were given the option of wether we wanted to implement it or not.

As illuded to in a previous post the error seems to be not that the attributes are there its that some of what is needed to make them work is not.

Following on from Newflorian's post I did try commenting out the first section in Genlib.ph forcing it to branch to the "else" path thus.

//if($isConnected) {

//echo "<script src=\"https://code.jquery.com/jquery-3.3.1.min.js\" integrity=\"sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8=\" crossorigin=\"anonymous\"></script>\n";

//echo "<script src=\"https://code.jquery.com/ui/1.12.1/jquery-ui.min.js\" integrity=\"sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU=\" crossorigin=\"anonymous\"></script>\n";

//}

else {

echo "<script type=\"text/javascript\">// <![CDATA[\nwindow.jQuery || document.write(\"<script src='{$cms['tngpath']}js/jquery-3.3.1.min.js?v=910'>\\x3C/script>\")\n//]]></script>\n";

echo "<script type=\"text/javascript\">// <![CDATA[\nwindow.jQuery.ui || document.write(\"<script src='{$cms['tngpath']}js/jquery-ui-1.12.1.min.js?v=910'>\\x3C/script>\")\n//]]></script>\n";

}

With this change I now get a clean validate on my homepage. It would be nice to fully understand the risk in doing this.

If I understand correctly the purpose of these attributes is to verify the integrity of Java when your site links to another site to download stuff?

If you only use content from your own site is there a risk?

I have not checked it and this is in no way an endorsement but there is (allegedly) an online validator  at onlineWebChek.com that supports the integrity attribute.

It would be interesting to re-eable the code in Genlib and see if it still fails. I'll report that one back.

Share this post


Link to post
Share on other sites
Newfloridian

As he doesn't monitor this forum, I asked Darrin about these two attributes and the effect it has on all TNG pages. He replied:

Those attributes are used with the inclusion of the jQuery library. I can't remember why they're there, although I know they have something to do with CORS (being able to use something from a different site). You can try editing genlib.php and just removing those attributes to see if everything still works without them.

As Geoff has pointed out, commenting out the attributes gives back page validation. 

The statement in question starts at line 109 in genlib.php in TNG12. I guess this though begs a more fundamental question. What is the variable $isConnected and how is it set. I was unable to find it in my own TNG10.1.3 genlip.php file. Also what is the function of the second clause. I can see some similar if not exactly the same lines in the section which starts if($sitever == "mobile") 
 
In TNG12 as written I think the logic reads:
 
If connected
do this (ie mark the useradded pages as invalid)
else (if not connected)
do that (what?)
 
Just deleting the first clause gives the logic:
 
If connected
do that (what?)
 
Is there now any consequence for the "not connected"?
 
So, is it OK just to comment out the first clause or should we remove the whole if statement?
Alan

Share this post


Link to post
Share on other sites
Ken Roy

Alan,

I do not think that is not an issue that can be resolved here.  Darrin added the code in TNG v12 to get jQuery for a reason and the code repository requirement needs those 2 keywords to return the current code version.
 

3 hours ago, Newfloridian said:

Those attributes are used with the inclusion of the jQuery library. I can't remember why they're there, although I know they have something to do with CORS (being able to use something from a different site). You can try editing genlib.php and just removing those attributes to see if everything still works without them.

As Geoff has pointed out, commenting out the attributes gives back page validation. 

I suspect that if you remove the two attributes, sooner or later you will no longer get the jQuery code that is used extensively in TNG.

3 hours ago, Newfloridian said:

Is there now any consequence for the "not connected"?

The not connected code part needs to remain in place so that WampServer environments that are not connect to the Internet at family reunions in the middle of no where can continue to work. 

 

Share this post


Link to post
Share on other sites
bhemph

In TNG 12, isConnected is set by Setup >> Configuration >> General Settings >> Miscellaneous >> I am using TNG offline.  Set to No, isConnected is true.  Set to Yes, isConnected is false.  This setting was added in TNG 12.0.1.  Setting this to Yes, looks like it will also disable maps, since TNG expects you to not be able to connect to the map server.  The share icons are also disabled, as per change #32 for TNG 12.0.0.

Change #56 of "A few other minor security issues were also patched." is probably the entry that denoted the addition of the integrity and crossorigin attributes.  It is possible that it was indicated with change #33 of the update of the jquery and jqueryui versions, since the jquery CDN now lists those attributes in the code you should use on your site.  They don't want exposed to all of your site cookies, hence the crossorigin="anonymous".

XHTML 1.0 looks like it has not been updated since the early 2000's, while XHTML 1.1 looks to not have been updated in nearly a decade.  Both standards were superseded in 2018.  So since CORS and SRI were recommended in 2014 and 2016 respectively, the attributes would only be effective in HTML5 standards.  So that would be an explanation of why those new attributes do not validate.  Changing everything in TNG to validate in HTML5 will take some doing though.

Share this post


Link to post
Share on other sites
Katryne

I hardly understand what it is about, but it looks like these 2 attributes add some security and provide a certificate for that security. I think that a better secrurity for our visitors is to be prefered to displaying a badge according to which our site complies to standards that are at least 10 years old.

Share this post


Link to post
Share on other sites
Brett
On 8/13/2019 at 5:34 AM, Newfloridian said:

I do note that on the TNG wiki 160 or so Mod writers wear it as a mark of pride (badge pf honour) that their mod is xhtml 1.0 compliant

Alan

It may be that some of these Mod developers have an understanding (looks like mistaken) that the base TNG code is XHTML1 transitional, as declared in the DOC statement.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

That is certainly what I thought.

Some may add the compliant badge for those, like myself, wishing to install Mods that are  'compliant'. I had not validated my TNG12+ but made sure that my local Mods were compliant, assuming the site pages would thus be compliant.

Brett

Share this post


Link to post
Share on other sites
Brett
On 8/13/2019 at 6:10 AM, Ken Roy said:

I would not take the XHTML validation icon on the mods as necessarily being valid.  Too many mod articles are copied from other mod articles and might not get edited correctly.

Where is the standard on writing Mod Wiki articles or a template for doing them, so information in articles provide correct information?

On 8/13/2019 at 6:10 AM, Ken Roy said:

I for one have not tested my mods for compliance in the last 10 years

You have not tested for compliance but still use the validation icon on some of your Mods and others you support.

Share this post


Link to post
Share on other sites
Geoff1959
On 8/12/2019 at 10:19 PM, bhemph said:

  I did that manually once just to see that it could be done, but I am pretty sure I deleted that file and would have to come up with the change anew.

I would be interested in trying that if you have any details.

Like i said earlier i'm a novice at this but it occurred to me. If "we" need to add something to get the code to validate does that mean that this code, that is there to offer protection against hacked code being downloaded to our site is not being used anyway?

Share this post


Link to post
Share on other sites
Katryne

Would it be a long way to have TNG written in HTML5 ? It makes more sense to transform it with today standards than try fiddling around to obtain a standard 10 or 20 years backwards.

Share this post


Link to post
Share on other sites
bhemph

https://krijnhoetmer.nl/stuff/html/strict-doctype-target/ has an example of how to do it.  There is a problem though https://www.quirksmode.org/oddsandends/dtd.html is where it is mentioned that browsers do not interpret the modified doctype correctly, even though it is valid HTML.  This is because you need to change your host to serve the pages as "application/xhtml+xml" instead of "text/html" in order for the browsers to properly interpret the xhtml.  Otherwise the browser tries reading the XHTML as HTML and then ends up with a tag mismatch that ends up with the mentioned issue.  https://www.quirksmode.org/bugreports/archives/2005/02/custom_dtds_int_1.html has more information in the comments.  I will send you a pm of the doctype fix config that will make the page validate and show you where and how to make the change, but do understand that it will mess up the display on nearly all browsers with the setup for most web hosts.  So use it at your own risk.  As Katryne suggests, it would be better to convert everything to HTML5 than to fiddle with everything to get XHTML 1.0 Transitional to validate properly.


Most browsers are built to try to do the best job of interpreting and displaying the HTML as possible.  So missing closing tags will get closed, attributes that are for a different doctype will get interpreted, and displays will try to look as if the tags and doctypes were done correctly.  This is part of why so many sites do not try to get validation, since the browser will take care of mistakes.  Unless you use a browser that only displays fully validated HTML pages, the browser knows that the page means for you to use the SRI and CORS to protect you and will do so for your own safety as well.

Brent

Share this post


Link to post
Share on other sites
Geoff1959

Hi Brent,

Thank you for your informative answer.  I received the following answer to a post that I made on "Stack Overflow"

Quote

“@Greyhound2008 — You don't seem to understand the problem. The validator you are using is correct (and this is as up to date on this subject as it is possible to be), the attributes you are using are not allowed in the version of HTML you are using. If you want to use the attributes, then change the version of HTML you are using and don't change the validator. – Quentin  “

So to put this to bed XHTML 1.0 is based upon HTML 4.0 and the two attributes in question are from HTML5.0

Despite not being part of XHTML1.0/HTML4.0  our current browsers are clever enough to know what to do with them.

Call me "old fashioned" but I still think there is  value in validating code against something. So the approach that I will use when adding new content will be to "comment out" the section that sets "connected".  Validate the page and address any errors then add the "branch" back.

Not ideal but the little green tick is confirmation that I have got my bit right. Now that I know what the two errors are I can live with that.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×