HTML Index not working in Win XP

Please post bug reports for earlier versions of Help & Manual (3 and 4) here, along with reports for TNT.

Moderators: Alexander Halser, Tim Green

Eric Thorniley
Posts: 26
Joined: Mon Nov 18, 2002 12:00 am
Location: Guilford, UK

HTML Index not working in Win XP

Unread post by Eric Thorniley »

I compiled a help file to HTML with index and it all seemed fine. Uploaded it to a web site, and the index stopped working. So, I tried the EC Software site - that did not work for me either.

Copying the _kwindex file from the site using IE produced a file that was different to the one I uploaded. In the file there are lots of entries that start:

<a href="javascript:void(0)" onMouseOver="JavaScript:displayLink('<a href=

They all started with
<a href="javascript:void(0)" onMouseOver="JavaScript:displayLink(><a href=

That is, the ' was replaced with a >.

I think this must be the result of one of those security fixes for "unchecked buffer overflow". Something seems to have looked at the code and decided that <a href followed by <a href again is illegal and the first one should be terminated.

Tried IE5 on a different machine (Win95 - but on the same network and firewall) - all OK. Tried Netscape 7.0 on the original machine - still had the problem.

So there is an incompatibility - but I'm not sure quite what with, but I had tried turning off Norton etc without success.

Next step then was a work-around as follows:

In the keyword file replace every instance of ('<a with (' <a i.e. add a space between the ' and the <. Then it is the space that gets replaced with a >.

Also change the

function displayLink(aLink) {
  with (kwPopup)
  {
    actTip = "";
    hide();
    // Build the popup markup; aLink is inserted as HTML, unmodified.
    template = '<table bgcolor="#000000" cellpadding="1" cellspacing="0" border="0">' +
      '<tr><td><table cellpadding="3" cellspacing="1" border="0">' +
      '<tr><td bgcolor="#f0f0f0"><span class="idxlink">Topics Found</span></td></tr>';
    template = template + '<tr><td align="left" bgcolor="#ffffff"><span class="idxlink">' + aLink + '</span></td></tr>';
    template = template + '</table></td></tr></table>';
    show('links');
  }
}

to

function displayLink(aLink) {
  with (kwPopup)
  {
    actTip = "";
    hide();
    template = '<table bgcolor="#000000" cellpadding="1" cellspacing="0" border="0">' +
      '<tr><td><table cellpadding="3" cellspacing="1" border="0">' +
      '<tr><td bgcolor="#f0f0f0"><span class="idxlink">Topics Found</span></td></tr>';
    // substr(1) drops the first character: the added space, or the > that replaced it.
    template = template + '<tr><td align="left" bgcolor="#ffffff"><span class="idxlink">' + aLink.substr(1) + '</span></td></tr>';
    template = template + '</table></td></tr></table>';
    show('links');
  }
}

That is, add .substr(1) to aLink. This removes either the space we put in, or the > if whatever it is has modified it.

Anyone else had a problem with this?
Alexander Halser
EC-Software Support
Posts: 4105
Joined: Mon Jun 24, 2002 7:24 pm
Location: Salzburg, Austria

Unread post by Alexander Halser »

That's pretty strange and I am quite sure that this has nothing to do with Windows XP.

Do you perhaps use an odd browser plugin that validates the HTML source code before the browser displays it? MSIE may ignore some JavaScript code (you never know) but it must not change it.
Help & Manual exports a proper

<a href="javascript:void(0)" onMouseOver="JavaScript:displayLink('<a href= 
Alexander Halser
Senior Software Architect, EC Software GmbH
Eric Thorniley
Posts: 26
Joined: Mon Nov 18, 2002 12:00 am
Location: Guilford, UK

Unread post by Eric Thorniley »

I agree it is pretty odd. I initially blamed IE6 - but it should be a plain vanilla installation. So I downloaded and installed a clean version of Netscape and the same thing happened!

I'll try a low-level HTTP get on the file and see whether it gets modified. It is definitely OK on my internet provider's site - I've tried FTP to get it back.

It does smack of something that is deciding it is malformed HTML. If it is a bit of Windows then we'll need a work-around in the system. If it is just something on this one computer then it is not so important.
Eric Thorniley
Posts: 26
Joined: Mon Nov 18, 2002 12:00 am
Location: Guilford, UK

Unread post by Eric Thorniley »

Building a straight HTTP get program was the answer - I had been confused by IE's cached copies of the file. The problem is Norton Personal Firewall 2002. It does it every time even if you disable every option. Norton Internet Security does not cause a problem if the firewall bit is disabled.

I'll report it to them on Monday when they come back to life! The trouble is that I guess H&M index pages won't work for anyone with it until Symantec fix it. I think I'll change to something else (that is instead of Norton, not instead of H&M - like everyone that's bought it I think it's wonderful.)
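
The check described in the post above (fetch the raw bytes outside the browser and compare them with what was uploaded) can be scripted. This is an added example, not code from the thread or from Help & Manual: `compareCopies` and the sample buffers are constructed for illustration, and in practice `uploaded` would be the local file and `received` the raw HTTP response body.

```javascript
// Compare the bytes that were uploaded with the bytes a client received and
// summarise every same-position substitution (for example ' replaced by >).
function compareCopies(uploaded, received, context = 12) {
  const changes = [];
  const counts = {};
  const n = Math.min(uploaded.length, received.length);
  for (let i = 0; i < n; i++) {
    if (uploaded[i] === received[i]) continue;
    const from = String.fromCharCode(uploaded[i]);
    const to = String.fromCharCode(received[i]);
    const key = JSON.stringify(from) + ' -> ' + JSON.stringify(to);
    counts[key] = (counts[key] || 0) + 1;
    changes.push({
      offset: i, from, to,
      // A few bytes of leading context make the rewrite rule recognisable.
      before: uploaded.toString('latin1', Math.max(0, i - context), i),
    });
  }
  return {
    identical: uploaded.equals(received),
    lengthDelta: received.length - uploaded.length, // non-zero: bytes added or dropped
    changes,
    counts,
  };
}

// Constructed sample data: two index entries as uploaded, and the same bytes
// with the rewrite reported in this thread applied (' before <a becomes >).
const UPLOADED = Buffer.from(
  '<a href="javascript:void(0)" onMouseOver="JavaScript:displayLink(\'<a href=\n' +
  '<a href="javascript:void(0)" onMouseOver="JavaScript:displayLink(\'<a href=\n',
  'latin1');
const RECEIVED = Buffer.from(
  UPLOADED.toString('latin1').split("('<a").join('(><a'), 'latin1');

const REPORT = compareCopies(UPLOADED, RECEIVED);
console.log(REPORT.counts, REPORT.changes.map(c => c.offset));
```

A single substitution repeated at every occurrence, with no change in length, points to an intermediary applying a rewrite rule rather than to a corrupted transfer.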
Alexander Halser
EC-Software Support
Posts: 4105
Joined: Mon Jun 24, 2002 7:24 pm
Location: Salzburg, Austria

Unread post by Alexander Halser »

I am happy that you found the source of the problem.

Please tell Symantec that this is clearly a bug in Norton Personal Firewall. It obviously doesn't regard the single quotation mark which separates the parameter string from the command. The different (double vs. single) quotation marks probably confuse the program.
Alexander Halser
Senior Software Architect, EC Software GmbH
Eric Thorniley
Posts: 26
Joined: Mon Nov 18, 2002 12:00 am
Location: Guilford, UK

Unread post by Eric Thorniley »

I thought I had better check that the html page was really valid. It does not do too well with the Tidy program or the W3C validator. So I fixed it by hand (no effect on the Norton issue.) If you want a glance at a file that passes the test look at http://homepage.ntlworld.com/eric.thorniley/MOS/ where there is a help system in temporary residence. Its keyword file passes the tests.

I'll log the details later.
Eric Thorniley
Posts: 26
Joined: Mon Nov 18, 2002 12:00 am
Location: Guilford, UK

Unread post by Eric Thorniley »

Sorry - more to add to this.

The version I mentioned before was updated by me to stop "Tidy" complaining about it - and that did not fix the Norton problem.

However, if I let Tidy "legalise" it, it fixes it. A version that has been fixed this way is also on my site at http://homepage.ntlworld.com/eric.thorn ... windex.htm

If you don't have "Tidy" look at http://tidy.sourceforge.net/ . Also there is a GUI version at http://users.rcn.com/creitzel/tidy.html I found it all when looking on the W3C site so it is obviously considered highly in the right circles.

So I fear the Symantec response is going to be "it's not legal html" - still I'll try it with them. I really don't think they should be changing data as they process it - they might reject it, but not change it!
Alexander Halser
EC-Software Support
Posts: 4105
Joined: Mon Jun 24, 2002 7:24 pm
Location: Salzburg, Austria

Unread post by Alexander Halser »

It is valid HTML. The onMouseOver event calls a JavaScript with a string as the parameter. This could be any string and any function, it's not malicious code per se.

I understand that Symantec must change the HTML source code to prevent the browser from executing possibly dangerous HTML code. They have no other chance to make their solution work. However, I'm not sure what we could do about this. The source code is valid and absolutely correct. We need the "string in a string" function to make the popup work.
Alexander Halser
Senior Software Architect, EC Software GmbH
Eric Thorniley
Posts: 26
Joined: Mon Nov 18, 2002 12:00 am
Location: Guilford, UK

Unread post by Eric Thorniley »

The "string in the string" does still work when "Tidy" has fixed it - which it does by selectively replacing "<" with "&lt;". I thought that would break it but it doesn't. It still works in IE and Netscape.

I'm still trying to find something that defines the conditions under which you must (as opposed to just might like to) escape such characters. All the specs I have come across seem to assume that the basic rules are pre-defined. I guess it is somewhere in the underlying SGML spec but I can't find it.

In the version in the help system on my site, I manually fixed a few minor bits that "Tidy" complained about and added a couple of lines to make the W3C validator work (it needs the character set defining and likes a !DOCTYPE declaration) but left the "<" in the file as per the original. It then passed the validator. (The version on my site has my Norton extra-space work-around in it, but it passed the validator without it.)

The validator is at http://validator.w3.org. To run it on my hand-modified version click http://validator.w3.org/check?uri=http: ... windex.htm

It won't work on any other versions (including the one that has been simply processed by Tidy.) It is obviously pretty fussy - try it with
http://validator.w3.org/check?uri=http://www.bbc.co.uk
or
http://validator.w3.org/check?uri=http: ... mantec.com

I think I might be able to get H&M to create a version it will validate with a minor tweak to the template - I'll try it and let you know what happens. If we can get that to pass the validator when Symantec's own site fails, there can be no argument!
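
Why the Tidy-escaped index still works: the browser decodes character references in an attribute value before the script engine sees it, so `displayLink` receives the same string either way. The sketch below is an added example, not code from Help & Manual or from the thread; every name except `displayLink` is an assumption, and `parsedHandler` is a minimal stand-in for the browser's attribute parsing.

```javascript
// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;');
}

// Quote a string as a single-quoted JavaScript literal.
function jsString(s) {
  return "'" + s.replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
}

// Build one keyword-index entry; linkHtml is the markup shown in the popup.
function buildEntry(keyword, linkHtml) {
  const handler = 'displayLink(' + jsString(linkHtml) + ')';
  return '<a href="javascript:void(0)" onMouseOver="' +
         escapeAttr(handler) + '">' + escapeAttr(keyword) + '</a>';
}

// Minimal stand-in for the browser: pull out the onMouseOver value and
// decode the four entities that escapeAttr emits (&amp; last).
function parsedHandler(entryHtml) {
  const m = /onMouseOver="([^"]*)"/.exec(entryHtml);
  if (!m) return null;
  return m[1].replace(/&lt;/g, '<').replace(/&gt;/g, '>')
             .replace(/&quot;/g, '"').replace(/&amp;/g, '&');
}

// Run the decoded handler with a stub displayLink and return its argument.
function argumentSeenByScript(entryHtml) {
  let seen = null;
  new Function('displayLink', parsedHandler(entryHtml))(a => { seen = a; });
  return seen;
}

// Constructed sample entry (not taken from a real _kwindex file).
const SAMPLE_LINK = '<a href="topic1.htm" target="content">O\'Brien\'s topic</a>';
const SAMPLE_ENTRY = buildEntry('Topics & tasks', SAMPLE_LINK);

console.log(SAMPLE_ENTRY);
console.log(argumentSeenByScript(SAMPLE_ENTRY) === SAMPLE_LINK);
```

The emitted attribute contains no raw `<` or nested `"`, so nothing that scans the markup sees a second tag opening inside the first.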
Eric Thorniley
Posts: 26
Joined: Mon Nov 18, 2002 12:00 am
Location: Guilford, UK

Unread post by Eric Thorniley »

I think I've found enough documentation to prove absolutely that the use of the "<" character is valid without escaping it - I've even found some instances on the Symantec web site. However, I have not found anything other than H&M help files that happens to use it inside the two levels of quotes. I've tried swapping the ' and " characters around and Norton still falls over.

I have changed the template so the validity tester will run. It is not quite perfect. Some very minor tweaks and H&M web pages would pass the validator, and there is not much on the web that does. (Microsoft and Netscape both have main pages that won't validate!) I have quite a few items to note - I think it may be best if I e-mail them to the EC support site rather than going into every minor detail here.
Eric Thorniley
Posts: 26
Joined: Mon Nov 18, 2002 12:00 am
Location: Guilford, UK

Unread post by Eric Thorniley »

After a couple of attempts to get Symantec to respond sensibly, I received the following. So, if someone says they can't get your index page to work here is the answer!



Hi Eric,

Welcome back to Symantec Online Technical Support.

In your message you wrote:
>I had avoided using the browser cache by building direct http get
>application. (I had previously tried clearing the cache in the browser
>before going to such lengths.

Eric, please accept our apologies for any inconvenience this may have caused you. This issue is fixed in Norton Internet Security (NIS) 2003 product. This is a known issue and isn't something we can fix with the 2002 versions.

If you need further assistance, please do not hesitate to contact us.

Regards,

Mahesh R.
Symantec Authorized Technical Support