Spotted in The Risks Digest (vol.20 issue 98, 31 July 2000)

When what you see isn't what you get

Lloyd Wood <[EMAIL PROTECTED]>
Mon, 31 Jul 2000 18:36:48 +0100 (BST)

One of our web users seems to have had a lot of trouble with broken links in his personal webpages on our Apache webserver over the last couple of years. Instead of / as a directory terminator, he'd have \. Or he'd have bizarre stuff like /\Directory\ instead of /Directory/ in his broken links.

I'd put it all down to him being a Microsoft fanboy who didn't know what he was doing; after all, he was generating the HTML pages using Microsoft Word, and therefore deserved everything he got. (bugs in Frontpage such as leaving in local file:c:\\\ urls for images, so only the author gets to see incredibly fast-loading images when he checks his composed pages, are well-known.)

However, I had occasion to use Microsoft's Internet Explorer 5.5 today. So, I went to view his pages to see the world through his eyes. And, through his eyes, everything worked just fine, as if there were no backslashes there at all. Every known-to-be-broken link did just the right thing. Which was odd, because I knew the links in the pages stored on our Apache server hadn't changed.

So I viewed source in IE, and discovered... no backslashes. IE *stripped out or converted the backslashes* before rendering the source to screen - even before rendering the source to 'view source'.

The user wouldn't know the backslashes were there, because IE was *deliberately hiding and converting them* for him, presumably in order to compensate for the html rendering deficiencies of other Microsoft products - and interoperability with non-Microsoft browsers be damned. The user thought he was doing a good job, based on checking using the tools in front of him. If you view source, you expect to see the actual source, and not a prefiltered version.

This filtering is clearly a risk in that it allows behaviour that would previously have been clearly exposed as bugs in the composing products to stay, unnoticed and uncorrected, because it means you can't trust the tool you're using, and because it screws up interoperability testing. (Which, because IE comes from Microsoft, is hardly a surprise.)

<[EMAIL PROTECTED]>PGP<http://www.ee.surrey.ac.uk/Personal/L.Wood/>
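
An added example, not part of the original posting: a check that reads the page bytes as stored on the server, rather than through a browser's view, and reports the two defects the message describes (backslashes in link targets and local file: URLs). The function names, the attribute list and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes whose value is a URL the client will fetch or follow (assumed list).
URL_ATTRS = {"href", "src", "background", "action"}


class LinkLint(HTMLParser):
    """Collect link attributes whose raw value a strict client would not resolve."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, tag, attribute, raw value, reason)

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()  # line of the tag in the raw source
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            if "\\" in value:
                self.findings.append((line, tag, name, value, "backslash"))
            if value.strip().lower().startswith("file:"):
                self.findings.append((line, tag, name, value, "local file URL"))


def lint_html(raw: bytes):
    """Lint the bytes exactly as served; nothing is normalised before checking."""
    parser = LinkLint()
    parser.feed(raw.decode("utf-8", errors="replace"))
    parser.close()
    return parser.findings


# Constructed sample page: three broken links and one correct one.
SAMPLE = b"""<html><body>
<a href="/\\Directory\\">notes</a>
<a href="/Directory/">notes</a>
<img src="file:c:\\pics\\logo.gif">
<a href="papers\\index.html">papers</a>
</body></html>
"""

if __name__ == "__main__":
    for line, tag, attr, value, reason in lint_html(SAMPLE):
        print(f"line {line}: <{tag} {attr}={value!r}> {reason}")
```

Run it against the file on disk or the response body from a plain HTTP fetch, so the result does not depend on what any one browser chooses to show.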