
carlosbutler (original poster)
Feb 24, 2008
I am trying to make a website more accessible to as many users as possible, for people with bad eyes, for example. I am trying to include in my PHP scripts something that will remember certain properties like font size. But when I load a new page it reverts back to the default size. I tried doing it with session variables, but can't quite get it to work. Pseudo code:

if session variable font size is not set:
    session variable font size = number

css style font-size = number

That's it. Obviously when you load a new page, the session variable should still be there, but it isn't. I don't really understand why. Any better ideas?
 
Seeing the actual code may help for any typos and the like. I've used cookies in the past for this type of setup.
 

Do you have session_start() at the top of every PHP file?
 
Well after trying again I managed to get it done:
PHP:
session_start();
if(!isset($_GET['fontGET']) && !isset($_SESSION['font'])){
	$_SESSION['font'] = 14;
}
if(isset($_GET['fontGET'])){
	$_SESSION['font'] = $_GET['fontGET'];
}
$fontSmaller = $_SESSION['font']-2;
$fontBigger = $_SESSION['font']+2;
...
HTML:
#mainBody {
	font-size:<?php echo $_SESSION['font']; ?>px;
}

T- and T+ are links to ?fontGET=xx. Although if you have any better ways, let me know.
 
Just want to point out a big security vulnerability in your code. If someone were to send the value,
HTML:
</style><body><iframe src="evil.site/evil.script"></iframe>
in the fontGET argument (which is very easy to do) someone could essentially take over the site and deliver viruses/spyware/etc to your visitors, compromise user data, and other nasty things.

Doing a basic check that the value is an integer (is_int()) will protect you from this attack.
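As an added example (not the thread's own code): the poster's handler from above, rewritten so that only a validated integer ever reaches the style block. One caveat on the suggested check: everything in $_GET arrives as a string, so is_int($_GET['fontGET']) is false even for ?fontGET=14; filter_var() with FILTER_VALIDATE_INT validates the string form and enforces a range in one call. The size limits are assumptions. Note also that the ?fontGET= link can be sent to another visitor, so the payload would land in, and be echoed from, that visitor's session on every page they open afterwards.

```php
<?php
// Added example, not the original poster's code: the font-size handler,
// hardened. $_GET values are strings (or arrays, for ?fontGET[]=x), so the
// check must validate the string form and clamp the range. Limits are assumed.
session_start();

const FONT_DEFAULT = 14;
const FONT_MIN     = 8;    // assumed lower limit
const FONT_MAX     = 32;   // assumed upper limit

/**
 * Return a safe font size from an untrusted value, or null if the value is
 * not an integer in [FONT_MIN, FONT_MAX]. Arrays and strings such as
 * "</style><body><iframe ...>" fail validation and yield null.
 */
function validateFontSize($raw): ?int
{
    $size = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => FONT_MIN, 'max_range' => FONT_MAX],
    ]);
    return $size === false ? null : $size;
}

if (isset($_GET['fontGET'])) {
    $requested = validateFontSize($_GET['fontGET']);
    if ($requested !== null) {
        $_SESSION['font'] = $requested;
    }
    // Anything else is ignored; the previous valid size stays in effect.
}

// Re-validate the session value as well: a session written by the old,
// unchecked code could still hold a hostile string.
$font = validateFontSize($_SESSION['font'] ?? FONT_DEFAULT) ?? FONT_DEFAULT;
$_SESSION['font'] = $font;

$fontSmaller = max(FONT_MIN, $font - 2);
$fontBigger  = min(FONT_MAX, $font + 2);
?>
<style>
#mainBody { font-size: <?php echo (int) $font; ?>px; }
</style>
<a href="?fontGET=<?php echo $fontSmaller; ?>">T-</a>
<a href="?fontGET=<?php echo $fontBigger; ?>">T+</a>
```

The (int) cast at the echo is redundant after validateFontSize() but costs nothing and keeps the output safe even if someone later edits the code above it.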
 
Okay, thanks. Although would that not only be on their machine? I thought session variables were kept locally?

Even if someone typed in www.example.com/?fontGET=<body><iframe src="evil.site/evil.script"></iframe>? Or am I overlooking something?

Also, would that even be valid HTML:
HTML:
#mainBody {
	font-size:<iframe src="evil.site/evil.script"></iframe>px;
}
 
No, but he wrote a </style> in there, so it'd be

HTML:
#mainBody {
	font-size:
</style>
<body>
<iframe src="evil.site/evil.script"></iframe>px;
}
Ah yes, I never realised. Although I meant having the two open body tags.
 
Okay, thanks. Although would that not only be on their machine? I thought session variables were kept locally?

For this limited example, yes, it would only affect the person entering that in. The example could be taken further, though, and cause a more permanent change to your site by writing files to your web host or overwriting existing files on the web host. Or it could be taken advantage of by using CSRF (other reading for CSRF) or XSS techniques. I didn't want to give too malicious of an example, but I've read a few PHP security books that do include some nasty code that could compromise your current code. Never trust data coming from users, especially since there's such an easy fix.
 
Crikey, I never even thought of doing something like that. Surely that then means you could include a PHP script from some other server?

Out of interest, if you did want to pass a string of letters, such as this forum does, how would you go about that?
 
They can only change your files if you are actually executing code based on user input, or taking advantage of vulnerabilities in the language itself.

For strings, depending on the use, either check them against a list of known-good strings (a MUST if you're, for instance, passing the name of an include file; that is one of those cases in which they can rewrite your files if the server isn't configured perfectly, and it shouldn't be done anyway: there are better ways to accomplish that), or, if you're outputting the string to the browser, run it through an HTML-escaping routine (or the equivalent if you're using it to write JavaScript, CSS, etc.).
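An added example of the two rules in the reply above, not code from the thread: an include chosen by allow-list lookup, and free-form text escaped with htmlspecialchars() at the point it is written into HTML. The page names, file paths and the name parameter are assumptions for illustration.

```php
<?php
// Added example, not code from this thread. Rule 1: a value that selects a
// file to include is only ever used as a key into a fixed table of known-good
// names. Rule 2: a value that is merely displayed is HTML-escaped at output
// time. Page names, paths and the "name" parameter are assumed for illustration.

/** Allow-list: the only page names the ?page= parameter may select. */
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Map an untrusted page name to a file path, or null if it is not allowed.
 * Because the lookup is an exact array key match, "../../etc/passwd",
 * "http://evil.site/evil.script" or an array from ?page[]=x can never reach
 * include(); the untrusted string itself is never used as a path.
 */
function resolvePage($raw): ?string
{
    return is_string($raw) && array_key_exists($raw, PAGES) ? PAGES[$raw] : null;
}

/**
 * Escape text for insertion into HTML body text or a quoted attribute.
 * ENT_QUOTES covers both ' and " so the same helper is safe in value="...".
 * The charset must match the page's <meta charset>.
 */
function h($text): string
{
    return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$page = resolvePage($_GET['page'] ?? 'home') ?? PAGES['home'];
$name = $_GET['name'] ?? 'visitor';   // free-form text: shown, never executed
if (!is_string($name)) {              // ?name[]=x would otherwise reach the cast
    $name = 'visitor';
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title><?php echo h($name); ?>'s page</title>
</head>
<body>
<p>Hello, <?php echo h($name); ?>.</p>
<input type="text" name="name" value="<?php echo h($name); ?>">
<?php
// Only an allow-listed path can be in $page here; the is_file() guard just
// keeps the example from erroring if the assumed pages/ directory is absent.
if (is_file($page)) {
    include $page;
}
?>
</body>
</html>
```

With this layout, h('<script>alert(1)</script>') renders as the literal text &lt;script&gt;alert(1)&lt;/script&gt;, and a request for ?page=../../etc/passwd or ?page=http://evil.site/evil.script simply falls back to the home page.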
 
For a forum-like environment, HTML that's entered in is displayed as typed (in HTML-entity form), so it doesn't show up as actual HTML tags in the post. Some web apps will only allow specific HTML tags to be used by visitors using a function like strip_tags().

Here is a PHP security guide primer that has some decent information about understanding the security issue. It only talks about things at a basic level, but makes for a good starting point and covers the basics every PHP developer should know.
 
Oh, just a little hint to help your accessibility drive.
Put
HTML:
<a class="contentSkip" href="#content">Skip to content</a>
right at the top of your page before any content and navigation; the class is so you can style it out of the page completely by making it invisible or something. I use opacity: 0.1;.

And at your content put the anchor for it. Something I have noticed that really helps: if you put before this skip "Content updated: 1 hour ago" or something to that effect, it saves a lot of time if I am looking for new posts to read.
 