First time I noticed this: The div with the logo and the language selection div below have a 10px solid left border in blue (matching the background color) and a 1px white bottom border, which leads to a nice gradient in Firefox 3:
Nice, though I wonder if this behaviour can be influenced. In IE, Firefox 2, Opera and Safari it looks like this:
(Before you mention it, I know the language names lack padding in the lower screenshot – my mistake, but unrelated to the issue at hand)
While I had read reports about successful mass SQL attacks on hundreds of thousands – by some estimates even millions – of websites months ago, I didn’t really care much, assuming that this issue would only concern outdated, irrelevant and poorly coded websites.
I realized I was wrong (partially wrong) about a week ago when I was looking for recipes for my newest toy, a blender from a brand every YouTube user knows. Unfortunately, the manufacturer’s website contained not only recipes, but also references to a malicious external script:
For a moment, I thought about making a stupid video showing some JavaScript that does not blend but then decided on contacting the company first. Indeed, only one day later the site had been cleaned.
Normally, I wouldn’t even mention this on my blog, since I believe “public shaming” is only justified if a company or webmaster does not react withing a reasonable time or if the case at hand is particularly outrageous (before you disagree, please consider that my entire blog is about not being perfect and still having a lot to learn). However, when I visited the website again on Sunday (in order to show the company’s products to a friend and restaurant owner), NoScript showed the site had been compromised once more and was trying to distribute malware again (this time, the evil domain was mainadt.com instead of suppadw.com). When I tried to send another message over the contact form this morning, Firefox 3 wouldn’t even let me visit the page without a very clear warning:
The reason Firefox is showing this warning is that Google now “officially” considers this site (possibly) harmful:
Aside from the obvious “make sure your code is not vulnerable to SQL injections (and don’t forGET it’s not only about POST parameters*), what can be learned here?
If your site has been compromised, you should react quickly and make sure it can’t happen again. Otherwise Google will sooner or later list your website as “suspicious” and you’ll certainly lose visitors and business. A compromised website also reflects poorly on your company and your brand. I would be particularly concerned about the negative effects in the case of companies relying heavily on the internet for business (including internet marketing). Furthermore, one has to wonder if you might be held liable for exposing your visitors to malware.
Don’t rely on expensive third party scanning tools. Did you notice the “Hacker safe” logo in the first screen shot above where my virus scanner was already showing a warning? Instead, I suggest hiring a capable programmer (you’ll need one to fix the vulnerabilities anyway) and have him customize a monitoring solution which issues a warning anytime your website or database has been “illegally” modified (I might pick this idea up in a later post). This would make sure you’re the first to realize when something is wrong, not your visitors or Google.
If I were a capable programmer familiar with ASP and MSSQL and had some free time, I’d think about spending a few hours searching for affected websites, somehow ranking them (e.g. “best known”, “in my area”, etc.) and then contacting them with an offer to remove the malicious code and the vulnerabilities (or maybe redesign the entire website). Think about it, there might be millions of affected websites out there, this seriously screams “business opportunity” (BTW, I’m not a… er, not familiar with ASP and MSSQL and I’m busy, so please don’t contact me). Of course, sooner or later someone’s bound to misunderstand your offer (“this guy hacked our website and now he’s asking for money”). 😉
As a user, don’t follow my bad example in the first screenshot. Instead, disable JavaScript by default and enable it only for sites you can trust. This can be done best by using the excellent NoScript plugin for Firefox. Don’t think that Firefox + Google alone can always protect you, you won’t get the big red warning above unless the site in question has been compromised for some time.
*technical details can be found in Michael Zino’s article ASCII Encoded/Binary String Automated SQL Injection Attack and by following some of the links I posted before.
Does Expression Web (version 1 or 2) add <span lang=”something”> tags (“lang spans”) to everything you type in design view? It nearly drove me crazy with this behavior and the many language-related options in different menus, but after I figured out what was going on I actually came to appreciate this feature (when working on multilingual sites).
Try this: Select some text and go to Tools > Set Language and choose – let’s say – Alsatian. You should see xWeb adding <span lang=”gsw-fr”> to your code. This will always happen unless your entire page is marked to be in Alsatian with lang=”gsw-fr” xml:lang=”gsw-fr” in the html element or using <meta http-equiv=”Content-Language” content=”gsw-fr” /> .
So, anytime the language of some text on the page does not match the language for the entire page, xWeb adds the lang spans.
BTW, you can set the meta tag by going to File > Properties > Language > Mark current document as though it seems the language information specified in the html tag takes precedence over the meta tag when xWeb decides on adding the lang spans (thanks to Cheryl D Wise for the link to the W3C FAQ and to MrMox for pointing out that the meta tag alone doesn’t always solve lang span issue).
It appears that whenever you type something, xWeb checks the input language your system is using and sets the language of your text accordingly. This means you get the same result as if you were to select Set Language from the Tools menu, triggering the same effect as described above: If the input language doesn’t match the document’s language, xWeb adds lang spans.
Unfortunately, there doesn’t seem to be a simple “never add lang spans” option. You can find some possible answers on the web (e.g. here and here), but they didn’t work on all of our systems.
I don’t recommend this as you might make mistakes with html entities (like typing & instead of &). Instead, go to your Windows Control Panel > Regional and Language Options > Languages > Details and make sure that all input languages which are specified on your page are available (otherwise, add them).
Example: In my company, we’re working with Swiss-German keyboards on websites which are mostly in English (en-us or en-gb), German (de-de) or French (fr-fr):
Now when I edit a page which is in German, I just have to make sure that the correct input language is selected:
Voilà, no more lang spans! Furthermore, if I wanted to add some text in English, I could simply switch the input language and xWeb adds the lang span, which means I can easily check the spelling on a page with multiple languages (and voice browsers should pronounce the text correctly, too).
No, it gets even better! If you’re editing an existing page where the language has been set, you can go to Tools > Page Editor Options > General and select Automatically switch keyboard to match language of surrounding text. Expression Web should now select the right input language automatically for you (hey, this saves you two mouse clicks!).
All right, I got this working on three very different systems, using xWeb1 and 2 as well as Win XP and Vista x64. It’s no longer an issue casing trouble for us, we did, however notice behavior which can only be described as weird (or buggy) from time to time. For instance, it is perfectly possible to have a page were no language meta tag is present (and no language is assigned in the html tag), but a language is nevertheless set under File > Properties > Language.
You could also try experimenting with the language related options below which I haven’t mentioned so far (just don’t ask me what they’re supposed to do) or ask for help on the Expression Web forum:
Tools > Page Editor Options > General > Default Page Language
Site > Site Settings > Language
Click to resize:
A fix? Uhm… maybe you can find a good self-help book on SQL injections:
You should also consider hosting scripts locally:
SCNR.
*no, it wasn’t me. 😉
For serious information:
After installing Expression Web (version 1) and the German language pack on my new PC running the German version of Windows Vista (Home Premium x64), my previously English Expression Web suddenly displayed the user interface (UI) in – you guessed it – German. I’m not sure if the language pack or the operating system is to blame.
Unfortunately it was not possible to fix this using the “Microsoft Office Language Settings 2007” program which I assume came with the language pack. All it did was changing the help files back to English, which was most unhelpful.
Here’s how I fixed it (after reading this knowledge base article):
1. I located the following registry subkey: HKEY_CURRENT_USER\Software\Microsoft\Expression\Web Designer\12.0.
2. I created a new string value called FollowSystemUI and set it to Off (this step is required).
3. I set the UILanguage DWORD value to 1033 (decimal!) which stands for en-US (some other decimal values are de-DE => 1031, fr-FR => 1036, ja-JP => 1041, zh-TW => 1028, you can find some more here).
There’s also a HelpLanguage value but as I mentioned my help files were already being diplayed in English again, so I left it alone.
Please note: It’s entirely possible that there’s an easier way to change the UI language (which I don’t know about). This post only describes what worked for me.