Monday, February 26, 2007

How to parse HTML strings into DOM nodes without innerHTML

Here's a way of parsing a string of HTML into a series of DOM nodes in Firefox and other Mozilla-similar ("mozimilar") browsers:

var range = document.createRange();
range.selectNode(document.body);
var parsedHTML = range.createContextualFragment(SomeStringOfHTML);

document.body.appendChild(parsedHTML)

The call to selectNode() is required as you have to point the empty range at something before you can use it; Firefox throws an exception without it. You can use other range positioning methods as well.

Also of note: createContextualFragment() is not part of any DOM specification AFAICT, so you should feel appropriately shameful about using it as you would innerHTML.

Friday, February 09, 2007

SCRIPT and innerHTML: a losing combination

One day you may be tempted to skip all the cumbersome creation of SCRIPT elements via DOM methods and just cram stuff into the page with innerHTML. Woe unto you. This does not work:

var script = '<script type="text/javascript">alert("boo");</script>';
document.body.innerHTML = script;

In fact, this will produce an unterminated string error in IE6 and Firefox, because you still need to split up that closing </script> like in ye olde days:

var script = '<script type="text/javascript">alert("boo");</scr' + 'ipt>';
document.body.innerHTML = script;

Hooray, no error!

Except it still won't execute the script.

Thursday, February 08, 2007

Fix your login system, you freakin' idiots

Don't say "username" when you want "email address"

This is simple: if your app uses email addresses as usernames (ala OpenID or whatever), don't put "enter username" on the login page. That way I don't have to put a fist through the screen after "scottandrew" is rejected 99 times.

Wrong username or password? Which is it?

Did I type the wrong username? Did I misspell the password? Did I screw up both? Tell me. Don't get lazy and display "Incorrect username or password." What, do I get a prize if I guess correctly? Freakin' lazy, that's what you are.

Edit: I'm totally off-base on this one. A reader points out that specifying the incorrect field give hackers a vital clue. This is why I'm not in security; I'm all about making the user experience smoother — for hackers.

Tell me if you're going to limit login attempts, and don't hide password retrieval.

Some apps will throttle the number of login attempts to thwart malicious hackers. Generally I think this is dumb, but if you do this, be kind and let me know. Don't suddenly cut me off after three attempts.

And if you do cut me off, for the love of god, don't also lock me out of any password retrieval link. Move that link outside of whatever if-then you're using to display the login box. Please.

When possible, redirect me to where I was headed

I click "Edit Profile" in your app. My session has timed out, so you redirect me to a login to reauthenticate. Then you dump me on the "Welcome!" page. Wha?

Okay, so won't always have an HTTP_REFERRER to work with, but if I'm already working within your application and have to be redirected to a login, can't you save the original destination from the GET request or something?