milov.nl: by category: javascript

fixing DHTML drag-and-drop after applying latest IE security update

using :visited and expression() to detect any visited link

There's been some talk (see Anne, CollyLogic) about it being possible to use the :visited pseudo-class and background-image urls to detect if a user has visited a particular link.

Luckily for Internet Explorer users, they are unaffected because IE doesn't support the [href=] selector. Unfortunately, there's another method that does work in IE and is even more dangerous...

1. posted by Thiemo at 16:02 on May 26, 2004

What's so dangerous about this? You can do the same since HTML 1.0:

<a href="tracker.php?url=slashdot.org">

2. posted by P01 at 16:02 on May 26, 2004

It's possible too extract all the URLs of the HTML markup to create the corresponding CSS rules for the standard compliant browsers, and finally throw the HTML + the extra CSS rules to the client.

Indeed, if the tracker.php script goes recursively through the pages visited by the user it can reveal some really valuable infos ( imagine the extra incomes an ad system could ask if it implements that sort of sniffer ) and eventually set a breach for the sites using an authentication via the parameters sent in GET ( which is whatever, a security no-no ).

The violation of privacy could reach an higher scale if the spamming companies used that exploit ( if don't already do ) in their mails.

3. posted by milov at 16:07 on May 26, 2004

Thiemo, the big difference is is that with this technique, the visitor doesn't *click* on a link at all. Simply loading a page of links is enough to alert the site owner of which of those links the current visitor has visited before.

4. posted by Jan! at 16:12 on May 26, 2004

Also, if you're serving dynamic pages anyway, you can just as well add an id attribute to every link, and style it in CSS with: #link857456 { background: url(tracker.php?id=link857456) }

Apart from that, I don't get why everyone's upset all of a sudden when this has been known (and applied) for years.

5. posted by Thiemo at 16:20 on May 26, 2004

If a particular URL is in my browsers history or not does not mean anything. (What's important here: You can't read the history. Instead, you have to know the URL first!) Turn off your internet connection if you are afraid of being tracked.

6. posted by milov at 16:36 on May 26, 2004

Jan!: You're right, with a dynamic site this whole expression() trick isn't really needed. And I wouldn't say I'm 'upset' or worried, just disappointed I didn't discover this cool (and indeed rather obvious) trick earlier ;)

7. posted by Andrew Clover at 12:32 on May 27, 2004

Indeed known about for some time. I mentioned this issue in a post to Bugtraq a few years ago:

http://www.doxdesk.com/personal/posts/bugtraq/20020214-css.html

There is no obvious good solution.

add a comment

Son of Suckerfish Dropdowns, a css dropdown menu with minimal use of js

2004.05.25 - add a comment

A checklist of i.am/bald numbers I really should update since they don't work or no longer work in Mozilla Firebird (my default browser for over a year now):

10, 14, 20, 23, 25, 26, 28, 30, 31, 33, 34, 35, 36, 37, 39, 40, 42, 44, 45, 46, 49, 50, 51, 55, 56, 57, 62, 65, 66, 67, 69, 71, 72, 73, 74, 77, 79, 90, 92, 94, 95, 96, 97, 98, 99, 102, 108, 109, ~~112~~, ~~113~~.

2004.01.13 - 1 comment by adam

1. posted by adam at 09:25 on January 14, 2004

You got heaps of work to do, mate.

add a comment

integrating javascript into stylesheets

Ben Nolan's non-link element hovering trick for Internet Explorer (that normally only allows :hover styles on links) is pretty handy, but what really impressed me about it is his way of integrating arbitrary Javascript functions into the stylesheet itself:

body {
  background: url("
    javascript:
      document.body.onload = function(){
        ...custom js here...
      }
  ");
}

By specifying a rule like this in the browser's user stylesheet, it might even be possible to run a custom set of Javascript commands on opening of any visited website. (Although my brief attempt at making this work proved unsuccessful.) [via webgraphics]

2004.01.05 - 6 comments by Ruben, Richard Soderberg, Richard Soderberg, bob, A to Z of World and Derek

1. posted by Ruben at 13:26 on January 07, 2004

It is really interesting indead. I already read the discussion thread in the forum of Tweakers.net, see:

http://gathering.tweakers.net/forum/list_messages/831654/last

The interesting part is that it is somehow specified in the W3 specs of CSS2, see:
http://www.w3.org/TR/REC-CSS2/generate.html#content
http://www.w3.org/TR/REC-CSS2/media.html

2. posted by Richard Soderberg at 01:01 on January 13, 2004

The spec also specifies that "Generated content does not alter the document tree. In particular, it is not fed back to the document language processor (e.g., for reparsing)".

It seems IE is ignoring this directive, which I think is right.

3. posted by Richard Soderberg at 01:13 on January 13, 2004

IE is right, that is. Not the directive. I think the directive is shor-sighted and limiting -- but in the face of embedding active content in CSS, well, maybe I can see their point of view.

4. posted by bob at 17:51 on May 27, 2006

cool

5. posted by A to Z of World at 10:32 on January 15, 2007

I did try it and indeed is handy. But as expected I'm not finding a situation to put it in real time usage as I rarely need something which works only with IE :)

6. posted by hotmail.com,ddrmax4ever,Derek at 17:48 on January 18, 2008

i cant seem to make it work for the way i thought of. I was trying to embed onmouseover and onmouseout functions to work. Anyone is willing to give me insight?Just send me an email, thank you

add a comment

The Javascript Raytracer has been expanded quite a bit since we last saw it... now you can even use it to build your own custom scenes (see the extensive Help-section).

2003.10.26 - 1 comment by Kid A

1. posted by Kid A at 19:44 on December 27, 2003

Hello , Are you there ?

add a comment

svendtofte.com - max-width in Internet Explorer - using the IE expression() syntax to simulate the css max-width property, which works in Mozilla/Opera but not in IE.

2003.09.06 - 1 comment by Tom Lee

1. posted by Tom Lee at 21:56 on March 16, 2006

I suggest an improvement:

http://tom-lee.blogspot.com/2006/03/how-many-pixels-in-em.html

add a comment

DHTML Lemmings - Whaaa... Amazing entry for the GoT DHTML Contest. [via 2lmc spool]

2003.08.15 - 17 comments by P01, crisp, milov and andy

1. posted by P01 at 01:24 on August 16, 2003

Really cool!
I've always wanted to port Lemmings but never found the time and energy.

It even features some keyboard shortcuts.
I'm curious to see how he managed the collision detection.

2. posted by crisp at 02:50 on August 16, 2003

Basically there is no need for collosion detection; the game plays in a grid, and the lemmings just follow it. Blockers have their own code in the grid itself (this is still buggy).
It's nice to see that people like it!

3. posted by P01 at 05:12 on August 16, 2003

crisp: That's some quick feedback. You must be quite attentive to your logs these days ;)

My curiosity had already guided me to the data structure of the levels :p clever encoding BTW.

I wonder if a particular reason urged you to pre-zoom the images by 2. Coz there's ~540 Kb of pictures which could be shrinked to ~270 Kb.

4. posted by crisp at 14:30 on August 16, 2003

It's been a bomb since the link got out, and I didn't do it. My homepage generated 3GB datatraffic just yesterday (against a normal 30/40MB daily) so I started looking.

As for the images: I am using the levels as a background image and CSS doesn't let me resize backgrounds.
I might be able to put those in a layer as an image, that would indeed save a bunch. Thanks for the tip!

5. posted by P01 at 02:41 on August 17, 2003

3 Gb O__O

Why not simply double the size of the images by changing there width and height attributes ? If you don't want to store the value of those attributes for each image, you can retrieve them once an image is loaded and then double them. It works from NN4,IE+ to any recent browser.

BTW, if your server is not yet crawled, I think your games would find a place of choice on http://www.javascript-games.org/

6. posted by crisp at 03:20 on August 17, 2003

I already updated the current version reducing the image sizes by more than 50% and added some music and sound effects as I went along :)

My server as a matter of fact was crawled - 7GB in just 2 days which is over my limit, but my friends at tweakers.net where happy to host it for me: http://crew.tweakers.net/crisp/lemmings/

I'll have a look at that link of yours! :)

7. posted by milov at 16:40 on August 17, 2003

I changed the link to point to the new location. Look at all the people linking/talking about your lemmings:
http://www.google.com/search?q=dhtml+lemmings

8. posted by crisp at 03:57 on August 18, 2003

It's truly amazing what is happening here; I've got a couple of hundred sites linking to it now and I get a lot of mail these days; the old games still rule... ;)

9. posted by andy at 18:17 on August 18, 2003

Where can I get a copy of the code?

10. posted by crisp at 00:25 on August 19, 2003

http://crew.tweakers.net/crisp/lemmings/lemmings.zip

knock yourself out! ;)

11. posted by P01 at 15:51 on August 19, 2003

The main request expressed by the audience is that it needs more levels, and a wider browser support ( i.e. Mozilla, Konqueror )

12. posted by milov at 15:56 on August 19, 2003

Mozilla support is already there, though? In fact, I haven't viewed it in anything *but* Mozilla.

13. posted by crisp at 17:12 on August 19, 2003

I'm currently working on 6 new levels which are also a lot harder than the current ones. It takes time though to rework the graphics and setup the levelcode; around 3 hours per level.
I've tested this thing in Mozilla1.3+, Opera7, IE5.5 and IE6 so browsersupport should be ok. All other browsers that don't work for this probably lack some support or are just buggy.
Music support is another thing; IE for windows is no problem, but getting it to work in any other browser is a real pain (plug-in sniffing and such).
And then offcourse there's still some bugs to fix; especially in the more complex levels imperfections start to show.

Remember that this is just a work in progress; the entire publicity it got was totally unintentional and way too early.

14. posted by P01 at 21:24 on August 19, 2003

Apparently it doesn't work on Mozilla/Linux nor on Konqueror. But I haven't test those platform myself.

For the music support I suggest you to in touch with Scott SCHILLER ( http://www.schillmania.com ) would did a really good conversion with his DHTML ARKANOID. AFAIK he uses FLASH 5.0 to handle the sound.

Regarding the creation of the levels, I'm sure you could make an API ( even in PHP with GD ) that reads an in image of the level with a color by type of material ( void, blocker, soft, lava, water ... ) and generates the strings you use in Javascript. Don't bother to contact me if I can be of any help and save you some hours on that topic.

Don't worry, I know this is a work in progress. A good one indeed.

15. posted by crisp at 21:46 on August 19, 2003

I have reports from people running it without problems in linux with a recent mozilla version.
Konqueror as well as Apple's Safari which is based upon Konqueror's rendering engine (KHTML) is apparently lacking some CSS2 support and maybe some javascript-HTML bindings I'm using. I neither have a linux nor a Macintosh platform available to test what exactely it is though, so I don't know if I can work around it.

I'm still looking for better ways to support sound in alternative browsers, but flash is out of the question because it is not in the spirit of this project ;)

I already do have a script that generates the level code for me (actually it is PHP with GD ;) ) but the screenshots still need a lot of work, and I have to fit in the animations pixel-precise, creating smaller images to block off parts of the animation that should not be visible and putting these images on top of it.

Thanks for thinking with me, I appreciate it! :)

16. posted by crisp at 10:45 on August 29, 2003

Down thanks to the BREIN foundation... :(

17. posted by P01 at 13:27 on August 29, 2003

�__�

I would understand if they complain about the sprites or the sound track but the code ... ? I guess those companies have a whole department dedicated to the protection of their rights and registered trademarks but they didn't managed to prove hey actually owns the Lemmings(TM)

You've had a really pragmmatic attitude. Bravo.

Now, I can't wait to play Brainless!

add a comment

Digital Web Magazine - Keep Javascript Simple - Peter-Paul Koch argues against external Javascript libraries, which often needlessly replace already quite compact-and-compatible DOM statements.

I could've probably moved a lot of iambald-code into a single DHTML library, but never really felt the need--more so after I gave up trying to support Netscape 4. Plus, I like the fact that visitors can simply View Source a page and see the whole code without having to go searching through separate .js files. [via paranoidfish.org]

2003.08.10 - add a comment

ugly :(

document.myForm.myInput.value

document.someImage.src

pretty :)

document.forms['myForm'].elements['myInput'].value

document.images['someImage'].src

2002.11.14 - 5 comments by void, Eric, Mario, Jan! and Liorean

1. posted by avoid.org,void,void at 21:06 on November 14, 2002

You are so right! It's like comparing XHTML to HTML. Maybe it's time for XJavascript?

2. posted by Eric at 21:06 on November 14, 2002

Wrong
Less code = pretty

3. posted by Mario at 03:29 on November 15, 2002

If it works, that's ok.
The goals sometimes justify the ways.

4. posted by Jan! at 12:10 on November 17, 2002

>Wrong
>Less code = pretty
Less code == more prone to errors

<form name="search">
<h2><img name="search" src="search.gif" alt="Search!"></h2>
<p id="search">This is a search form</p>
</form>

'document.search', say you?

5. posted by Liorean at 14:07 on November 20, 2002

The document.<formName>.<elementName> syntax instead of document.forms[<formName>].element[<elementName>] was one of the worst mistakes made at Netscape in creting the language - and Microsoft didn't make it especially much better.

How should you handle a form named "forms" with a child element named "forms", for instance? document.forms["forms"].elements["forms"] is the full format - but does document.forms["forms"] not reference by short form the element at the same time it by full form referece the form? Or how about an element with the id "all" in IE?

add a comment

gamebutton arcade - tiny playable Javascript games contained within html form buttons! [via Boing Boing]

2002.11.01 - add a comment

dhtml asciifire (IE4+) [by mados] - wow, check out the seemingly simple sourcecode. I like his trick for generating a custom array of characters:

char=' .:*sS#$'.split('');
instead of
char=new Array(' ','.',':','*','s','S','#','$');

2002.09.26 - 10 comments by Jake, Adjam, milov and Low

1. posted by Jake at 15:55 on September 26, 2002

Well... Huh.
That *is* clever. I love split().

2. posted by Adjam at 15:00 on September 27, 2002

Agh! i just found out lows blog is written entirely in a language that i dont understand! doh!

3. posted by milov at 15:08 on September 27, 2002

tell me about it... ;)

4. posted by Low at 15:19 on September 27, 2002

Who? What? When? Where? Why? How?

5. posted by milov at 15:38 on September 27, 2002

Zijn we nu helemaal gek geworden?

6. posted by Low at 15:55 on September 27, 2002

Ik niet hoor. De rest wel.
Bij de weg, wordt het niet een beetje uit-onderwerp hier?

7. posted by milov at 23:09 on September 27, 2002

Eens kijken of Adjam nog eens reageert, als ik een nederlands berichtje plaats met zijn naam er in...

8. posted by Adjam at 11:07 on September 30, 2002

This is the translation i got (as deutch is so unpopular i had to translate it 1 word at a time :/)

once consider of ADJAM another agree "reageert" acknoledge I a holland "berichtje" above-all about act name appear OK

9. posted by Adjam at 11:07 on September 30, 2002

I have too much free time

10. posted by milov at 11:22 on September 30, 2002

Heheh... What I said was: "Let's see if Adjam comments again, if I post a dutch message with his name in it..."

You could have also tried http://www.tranexp.com:2000/InterTran
(Dutch -> English):
"Sometimes watch whether Adjam encore test tube , when I one Dutch tidings yard with one's reputation yonder within."

add a comment

I just added a little extra javascript for Internet Explorer users, to apply some handy filters to any photo featured on this page:

- Shift-click a photo: Rotate 90°, 180°, 270°;
- Ctrl-click a photo: Desaturate (remove colours);
- Alt-click a photo: Invert colours.

Try it with some of the photos below! You can even combine filters. All this by setting one global document.onclick event (no need to add specific tags to each <img>-tag). View Source to see how it's done.

2002.09.10 - 12 comments by Low, jpk, Eduardo, Fidel, [unknown], walter, Mario, mados, milov, 23JUL, Ruben and David

1. posted by Low at 16:30 on September 10, 2002

*click* *click*
Fun for hours!! :-)

2. posted by jpk at 18:33 on September 10, 2002

very nice!

3. posted by Eduardo at 19:34 on September 10, 2002

Good resources man.. Folks here in the office was jon with your pic (The Hard Disk), I make a quizz with it by eMail.. (What is on the pic?)Cool!

4. posted by Fidel at 19:44 on September 10, 2002

Milo that is l33t! you never cease to amaze me with your skillz.

5. posted by [unknown] at 23:05 on September 10, 2002

davvero divertente, Milo!

6. posted by walter at 23:29 on September 10, 2002

This is just too much.

7. posted by Mario at 05:51 on September 11, 2002

A-M-A-Z-I-N-G

8. posted by mados at 19:51 on September 11, 2002

Impressive. Don't forget to add "return false" for clickable images, e.g. http://milov.nl/entry/1450

9. posted by milov at 20:12 on September 11, 2002

Good point, mados...
This does bring up the problem of what to do when someone shift-clicks an imagelink to open a new window; do I apply the filter or do I let them open it? should I use some other key combination?

10. posted by 23JUL at 10:52 on September 12, 2002

element :- onmouseover
filter :- accesskey
hehe :- fun

11. posted by Ruben at 20:32 on September 12, 2002

Ach, je wist al lang dat je briljant was, dus dit commentaar van mij is compleet overbodig :-)

12. posted by David at 11:30 on September 21, 2002

cool

add a comment

How to extend the convenience of being able to shift-click links and open them in a new window to forms:

<form onsubmit="this.target=event.shiftKey?'_blank':'_self'">

Try it with the search-form (bottom of menu column): holding shift while submitting will open the search results in a new window.

2002.02.06 - add a comment

Optimizing Javascript for speed - detailing some clever and interestingly named techniques: Loop Unrolling, Reverse Loop Counting, Loop Flipping and something called Duff's Device. [via scottandrew.com]

2002.02.04 - add a comment

Wow, creating something interesting in under 256 bytes (for the 256b.htm compo) isn't easy... Here's one of the things I had to scrap: a random inkblot generator, way too big at 384 bytes... ;)

This one uses the XBM img src technique to generate a 2-bit image at run-time (example 1, 2). Could try rendering it with divs instead, but that'll probably cause quite the browser-freeze.

2002.02.02 - 3 comments by huphtur, mrmessiah and Tracy Hall

1. posted by huphtur at 18:35 on February 02, 2002

maybe this help?
http://developer.irt.org/script/955.htm

2. posted by iname.com,mrmessiah,mrmessiah at 02:42 on February 03, 2002

Hehe :) Well I only got mine to work by
absolutely *butchering* the correct
syntax... lots of illegal script and
html tags that IE fills in, but it
fails on just about every other browser
out there, not how I normally like to
code :)

3. posted by Tracy Hall at 00:43 on February 03, 2006

That's a nice little script you've got there. I've had an inkblot generator of my own on my page for years, but it only produces PostScript files. Coming across this page has inspired me to add a couple of .xbm-producing pages, using both my original inkblot algorithm and a modification of your idea of using a random walk.

http://www.math.berkeley.edu/~hthall/Fractal_Inkblot.html
http://www.math.berkeley.edu/~hthall/Brownian_Inkblot.html

Thanks!

add a comment

Another new thing: comments are now loaded by Javascript and appear inline in the current page. So you don't have to leave the page to read the comments for a particular entry (IE-only, right now).
Reference: PPK's Import XML Document tutorial.

2002.01.25 - 12 comments by milov, pup, Adjam, karma, huphtur, 23JUL and caster

1. posted by milov at 20:36 on January 25, 2002

See, here's one! (I hope this works...)

2. posted by milov at 20:37 on January 25, 2002

What I'm still working on is the ability to *post* a new comment without forcing a reload.

3. posted by pup at 20:38 on January 25, 2002

noice.

4. posted by Mypalce.com,Adam,Adjam at 22:19 on January 25, 2002

nice

5. posted by karma at 23:05 on January 25, 2002

sweeeet

6. posted by huphtur at 23:38 on January 25, 2002

milov: when ya gonna make yur cms available for download?

7. posted by milov at 00:54 on January 26, 2002

what cms? you mean the textarea's i've got hidden all over the place? :)

8. posted by huphtur at 01:26 on January 26, 2002

exactly! how much if i wanted to buy it? hehe

9. posted by 23JUL at 04:43 on January 26, 2002

>What I'm still working on is the ability to *post* a new comment without forcing a reload

- I think * posting * always requires some kind of reload, but what do you exactly mean by 'reload', the fact a script is redirecting??

- Another way of 'posting' without a reload is maybe to store the comment as a (-if javascript-) cookie which is being read&deleted as you run the script mentioned here above... ;-)

- Btw: since comments are not in a fixed font, can you use the same font-family in the style of the textarea I am now typing in.

- Later..

10. posted by milov at 09:38 on January 26, 2002

By 'reload' I mean the fact that you see the whole page being reloaded or jumping to another url. It should be possible to post a comment by submitting a form in a hidden iframe, or changing an image src, or indeed storing it as a temporary cookie (this sounds the most promising, actually).

11. posted by karma at 10:19 on January 26, 2002

you might want to get some inspiration from http://www.vcdn.org/Public/XMLRPC/ (a Javascript XML-RPC client)?. It sets up a http request itsself from javascript and then interpretes the answer. uses some activeX objects to do this though

12. posted by caster at 06:00 on January 27, 2002

bloody>nice>& >clean !

add a comment

Impressive self-sorting DHTML table by svendtofte.

2001.12.29 - 1 comment by huphtur

1. posted by huphtur at 02:03 on December 30, 2001

warez!!!

add a comment

Include the following at the top of your Javascript:

  cookies = [];
  for (c in C=document.cookie.split('; '))
  {cookies[(cs=C[c].split('='))[0]]=unescape(cs[1]);}

Now you can access your cookies like this:

  alert(cookies['myCookie']);

2001.12.20 - 1 comment by Bob

1. posted by mijnkopthee.nl,bob,Bob at 09:38 on December 21, 2001

Smooth!

add a comment

Please don't spawn popup-windows like this:
<a href="javascript:window.open('foo.html');">

or this:
<a href="#" onclick="window.open('foo.html');">

rather, use:
<a href="foo.html" onclick="window.open(this.href);return false;">

benefits:
- statusbar still indicates where you're going
- non-js users (and search-engines) still end up at the correct page
- current page doesn't jump to top (faux-anchor '#' evil)
- shift- and right-click options still open the correct page

Update:
Apparently using return false; in the href can mess up some browser's popup-blocking, so watch out if you care about that (haven't noticed it myself, but then again, I almost never use popups). [via]

2001.08.13 - 47 comments by Marza, David, pup, Jim, Joe Clark, Norse, charles, matt, zachariah, Tim Scarfe, kesor, sh0rtie, MidgetSniper, Akello, gfdh, FitzChivalry, hadlock, Gobalopper, Ich, nyexotic, earl-ku, Jay, wooki, fargo, milov, Symen, sandra, Joy, seema, Milo, eapen, mayglee, riccardo, eSKape, Alex, RskpsVVMSlXGDP, someOne and Imu

1. posted by Marza at 00:56 on August 14, 2001

Goede tip, meteen gewijzigd. Ik stoorde me al aan het niet met de rechtermuisknop kunnen klikken.

2. posted by David at 11:16 on August 14, 2001

Dit zocht ik. Bedankt!

3. posted by pup at 17:18 on August 14, 2001

excellent tip. i was looking for a nice backwards compatible way of doing this.

4. posted by Jim at 17:55 on December 28, 2001

great tip, i too was looking for something that would work with js turned off.

5. posted by Joe Clark at 21:40 on December 30, 2001

Yeah, except you have to duplicate mouse functions with keyboard functions for accessibility. It's onkeyDown, I think, but I'm not an expert at this. Keep all the onClick stuff-- just add the keyboard support.

6. posted by Norse at 21:57 on January 02, 2002

Het niet ik been zocht dit ik ik de met wheerholdenit.

7. posted by charles at 22:39 on January 04, 2002

How do I also add the no-address/ noscroll and other elements to that tag?

8. posted by matt at 18:01 on February 17, 2002

If you're just opening a new window with out specifying any properties (window size etc.) then you should really be using TARGET="_blank" instead of an onClick. That way even people with javascript turned of will get a new window.

9. posted by zachariah at 06:42 on March 21, 2002

matt - target="_blank" is not vaild xhtml which is the current verion of html

10. posted by Tim Scarfe at 21:39 on June 16, 2002

Great Tip.

I don't like inline behaviour in the HTML element of my documents though, How about making it have a class of "pop", and then having a seperate script run through the document at the end picking up all the elements and assigning the events?

De-gradable coding, isn't it so cool :)

11. posted by kesor at 23:24 on August 31, 2002

the return false; thingy doesnt quite work in opera (tested with 6.04).

I tried to expand text, like this :

<p>this is some text <a href="" onclick="moretext.style.display='inline'; return false;">more text</a></p>
<p id="moretext">this is some more text</p>

It works great in explorer, but doesnt work in opera and mozilla.

I guess its the return false that is not working.