Skip navigation

Why I don't like target=_blank

I get asked quite a lot why my links don't open in new windows, and could I please add target="_blank" (or target="new" - which is incorrect) to them? The answer to that is no. I have never used target="_blank" on my site, except when I used popup windows (ewww, I know). And even then I wasn't happy about doing it. Especially now, when I validate to doctypes that don't support the target attribute.

Ok, I do have my Firefox settings set to ignore target="_blank", but why should I have to change my settings because of your site? I don't like being told how I'm going to go to a link. I want to choose for myself whether I am going to open a new window, a new tab, a new browser, or reuse the same page. I want links to follow what I've told my browser I want to happen. Usually, I reuse the same page. However, I never ever have more than one browser window open, and that is how I want it to stay, thank you very much. I can't stand cluttered desktops/taskbars where I don't know which window contains what. At least with tabs I can rename them and order them and whatever else (Firefox extensions FTW!1!).

This behaviour stems from the times of IE6 and other non-tabbed browsers, however is still being used today - people don't want visitors leaving their sites, so they force another browser window to open. On my old computer this was a nightmare - it couldn't cope with more than one instance of IE and opening another (by choice or otherwise) resulted in the whole thing crashing. Likewise, my current computer is getting slower and more dodgy every day, and opening an instance of Firefox/IE/anything takes it quite a while (yes, I have defragmented/taken off spyware/viruses/etc. It's just getting old). That's another reason I only have one FF window open, actually, heh. To those people (who don't want visitors leaving their sites) I say this: if your site is worth visiting, people will go back to it. You don't have to force them to stay on your site. In most cases, they will end up closing your site's window anyway.

So my point (I do have one, honest): please don't use target="_blank". It's not only inaccessible, but it's a nuisance to those of us such as myself (and it's not just me) who dislike our default settings being overridden. Let the user choose how to open links. Like I said, if your site is really worth staying on, people will stay on it. There is no need to force them to do so.

PHPAskIt Security Vulnerability

It has been brought to my attention that there is a serious security vulnerability within all versions of PHPAskIt, which states that the conversion scripts for Wak's Ask&Answer and the classic Ask&Answer can be hacked through the directory variables.

The security vulnerability is a hoax. The import files CANNOT be hacked through the $qadir and $dir variables even with register_globals on.

I find it such a shame that the person who discovered this has gone round telling everyone who will listen that my script's insecure (and every major security site there is) but 1) won't inform me (I found out through a Google search) and 2) makes things up. I've contacted them several times but each time the mail has bounced back. *Rolls eyes* How mature.

CodeGrrl scripts: security flaw

Regarding these scripts and ONLY THESE SCRIPTS:

FA-PHPHosting, PHPCalendar, PHPClique, PHPCurrently, PHPFanBase and PHPQuotes

There is a serious vulnerability that can and has been exploited by hackers if left unsecured. Read below for more details on what you can do.

This does NOT, repeat NOT affect my script, PHPAskIt. Please do not keep contacting me asking which file to replace - PHPAskIt, although a CodeGrrl script, is not based on PHPFanBase like the scripts mentioned above and is therefore not vulnerable to the attack.

Spread the word!

Edit: Ok, so all affected scripts have been removed from CG. As I said above, PHPAskIt is not affected by the recent hackings and security vulnerabilities and, just to make doubly sure, I've even updated it slightly. Once CG give me the go ahead, I'll put it up again.

If you're using ANY of the scripts mentioned at the top of this post, do this immediately:

  1. Open up protection.php and add this code to the very top (but underneath the opening <? ):

    if ('protection.php' == basename($_SERVER['SCRIPT_FILENAME']))
    die ('Please do not load this page directly. Thank you.');

  2. Find this line AND DELETE IT:

    $logout_page = "$siteurl";

  3. Find these lines:

    setcookie("logincookie[user]","",time() - 86400);

  4. Change them to look like this:

    setcookie("logincookie[user]","",time() - 86400);

The official fix didn't work for me, which is why I suggest you use this one - it stops hackers from getting to the protection.php file directly, and takes the ability to include any site as $siteurl away. Apply some sort of fix as soon as possible.


Newer Entries