Scouting websites



Dave
02-07-2003, 07:22 PM
Maybe there should be a controversial topics section for this.

For once not having a lot to do on the few websites I'm involved in I did a bit of surfing through some Scout Sites. To my horror I saw this on mattw's 20th Torbay site under FAQ's

Q - I have lost my password, what should I do?
A - Go to your room, sit down, and think about what you have done. Then, after realising the full extent of your ineptness, get yourself a bit of card (A4 or bigger, preferably brightly coloured. In extreme cases paper may have to do) and a big thick marker pen. With these two items, take the pen and write onto the card in as big a letters possible the words 'Dick of the Day' and then fetch a staple gun and affix it, using no fewer than four staples, to your left nipple.

and then

Q - What are the minimum system requirements for this site?
A - Not a lot really, basically you need an internet, a computer, and a browser with Javascript support and Flash installed to get anywhere, but apart from that nothing else is really needed. This should mean nobody has any problems, as it is assumed that if you dont have these then you dont deserve an internet. Also you may have problems if you try to play silly buggers by using Unix and Opera browsers or something, as I have not tried and have no desire to try the site on these sort of browsers.

Is this really what we want the general public to see on Scout sites? OK if it is a closed site for members of an Explorer or Network Unit.

I use Opera 7 and find it 100% better than IE6; not everyone has Flash installed, particularly if they are on a network. I choose most of the time to have Java Script turned off as a security measure as Java is one of the biggest security holes in windows.
Try a Linux system (I don't think you meant Unix), again a lot quicker and lighter than anything Bill Gates can produce.

Just my thought for the day

Dave

mattw
02-07-2003, 08:46 PM
cheers mate

thanks for visiting

i have a complaints form too :-D

luke
02-07-2003, 10:25 PM
I choose most of the time to have Java Script turned off as a security measure as Java is one of the biggest security holes in windows.


I'm not a computer programmer, but slightly disagree with the above.

Java is indeed a security threat in Windows, however I understand that Java is not the same as Java Script. This being the case JS shouldn't pose any security threats (anyone want to comment?).

It's also my understanding that JS is used in just about all websites including those that I maintain. By disabling JS, do you not get any problems when visiting websites?

regards, Luke

rosschapman
02-07-2003, 11:21 PM
Is this really what we want the general public to see on Scout sites?

What kind of person searches for a Scout site in the first place, maybe ..... a scouter? From what i see, 20th Torbay is a Scout/Explorer/Network site. The majority of people viewing this site will be Scouts/Explorers/Network, of which probably 80% will know Matt in some capacity, and 99% will have a sense of humour.

Matt-great one about the complaints form. It's nice to see someone in Scouting that is human.

marcus
03-07-2003, 11:57 AM
I agree, it depends on what sort of site you are after. My Group site for parents and covering beavers - scouts would not be a good place or an appropriate place for a page like that, but my Uni Scout and Guide Club would have no problems with it

Dave
03-07-2003, 07:19 PM
Is this really what we want the general public to see on Scout sites?

What kind of person searches for a Scout site in the first place, maybe ..... a scouter? From what i see, 20th Torbay is a Scout/Explorer/Network site. The majority of people viewing this site will be Scouts/Explorers/Network, of which probably 80% will know Matt in some capacity, and 99% will have a sense of humour.

Matt-great one about the complaints form. It's nice to see someone in Scouting that is human.

The person most likely to be looking for Scouting in Torbay is someone who might be interested in either sending a sibling to one of the Units or Joe Public looking to see what the local Scouting area is doing. The point that the majority will be Scouts/Explorers/Network is pure speculation. And how do you know that the 80% probably know Matt? It's not called the world wide web for nothing.

As for Java Script Luke it is the script that enables all sorts of weird and wonderful things. Not only active menus, mouse overs and the like but it can also download on to your PC dial-up software and don't forget those annoying pop-up windows. Different worms are also hidden within Java Scripts.
"Cross-site scripting occurs when dynamically generated Web pages display input that is not properly validated. This allows an attacker to embed malicious JavaScript code into the generated page and execute the script on the machine of any user that views that site. Cross-site scripting has some far-reaching implications, and can impact any site that allows users to enter data. You see this on search engines, in error message screens, in forms and Web message boards, among other places. You can read more about this here at SPI Dynamics' site.

Here are the steps to see if your Web applications are vulnerable to this attack:

Step 1. Open any Web site in a browser, and look for places on the site that accept user input such as a search form or some kind of login page. Enter the word "test" in the search box and send this to the Web server.

Step 2. Look for the Web server to respond back with a page similar to something like "Your search for 'test' did not find any items" or "Invalid login test." If the word 'test' appears in the results page, you are in luck.

Step 3. To test for cross-site scripting, input the string "‹script›alert(hello')‹/script›" without the quotes in the same search or login box you used before and send this to your Web server.

Step 4. If the server responds back with a popup box that says "hello", then the Web site or Web application is vulnerable to cross-site scripting.

Step 5. If Step 4 fails and the Web site does not return this information, you still might be at risk. Click the 'View|Source' option in your browser so you can see the actual HTML code of the Web page. Now find the ‹script› string that you sent the server. If you see the entire "‹script›alert(hello')‹/script›" text in this source code, then the Web server is vulnerable to cross-site scripting."

Taken from Internet Week.Com

I rest my case :-D on Java Script.

Remember that any one can see your site, not only the people you think will. There is no reason why you can't have a closed site for members and then you can do near enough what you want.

Dave

Bloory
03-07-2003, 07:41 PM
There is no reason why you can't have a closed site for members and then you can do near enough what you want.


I was going to stay out of this thread ;)

I think Mr Field has hit the nail on the head. Not too familiar with phorum, but certainly a members only forum might be the best way forward :)

mattw
03-07-2003, 07:46 PM
oh good, now we are on Dave has a go at Matts site day 2. :-D

looks like i shouldnt use javascript then, cos clearly you dont need it to get anywhere on most internet sites as i had previously thought. Thank you for your help, i will be ignoring it :-D


Remember that any one can see your site, not only the people you think will. There is no reason why you can't have a closed site for members and then you can do near enough what you want.


i will do near enough what i want anyway :-D

i only wrote this stuff cos writing the site was a bit dull and i wanted to make people smile, luckily this comedy reaction has made me smile for 2 days!!


The majority of people viewing this site will be Scouts/Explorers/Network, of which probably 80% will know Matt in some capacity, and 99% will have a sense of humour.

Matt-great one about the complaints form. It's nice to see someone in Scouting that is human.

yes most visitors are from our unit and i would hope that they have a sense of humour, clearly the more visits Dave racks up the lower this percentage will get. FYI there are members sections, but we have made as much as possible accessible to all - if people dont like it i dont force them to read it or come back!

To the rest of you, luke, ross & marcus, im glad that you have a sense of humour and can see where i am coming from.

Anyone else care to rip my site to pieces, for those who dont know already the address to send such mail to is [email protected] or just post it here for all to enjoy.

Matt

ps please keep going, my hits are going up now :-D

Dave
03-07-2003, 08:07 PM
Matt,
It’s not only your site; I would have a pop at any site if I thought something should be said. Not only that, hopefully it will have started a discussion on what is right or wrong to put on a Scouting website. We all have our own ideas and thoughts and in the end it is down to us to make the right decision.
The Scout Association has quite strict guidelines on what you are allowed to do on a Scout site; what would happen if you totally ignored them I don’t know.
It was pure fluke that I visited your site in the first place; I clicked on the link in your sig here in Escouts, I seem to remember.
As it happens I am a Scouter/Explorer Scout Leader and the Explorers in the district know me as the “Mad Scientist” due to a wide game when we first started. They could/would confirm I'm not your "normal" leader.

Dave

Dave
03-07-2003, 08:09 PM
There is no reason why you can't have a closed site for members and then you can do near enough what you want.


I was going to stay out of this thread ;)

I think Mr Field has hit the nail on the head. Not too familiar with phorum, but certainly a members only forum might be the best way forward :)

Jon,
You can set phpBB closed to all but members and groups if you get the settings right. But you probably know that already


Dave :D

mattw
03-07-2003, 08:25 PM
well im glad that its not a personal dig at my site, but tbh am still a bit pissed off about it.

Also those scout website guidelines are a complete joke, as are most of their other documents. If i followed them we would barely be allowed to put the name of the group on the internet let alone anything of any use to anybody! (OT i know but i saw the guide whatsit on swimming the other day and its 7 pages long!! Nothing like trusting leaders with common sense then!).

I know different people will consider different things right and wrong for any website, but the thing is i know what i and the rest of our group think is acceptable and stick to that. I dont think anything on there is offensive or bad, and it is certainly not our wish to upset anyone.

Personally if i visit other scout websites when im bored (and usually its from links in threads which people leave here), it gets annoying when theres clearly a lot of stuff happening on a site, yet you have to register or be a member to view it. Thats why we dont censor 95% of our content like some groups, as then people can see what we do, what our programme is etc etc and hopefully get some ideas from it. Personally i take the view that each group should use its common sense and that forcing rules upon anything like this would be wrong, but no doubt others will disagree.

I have no plans to change any part of the site in the near future, and this will continue unless it reaches a point where we are absolutely forced into it (and it will take some forcing!).

Matt

Dave
03-07-2003, 08:42 PM
Also those scout website guidelines are a complete joke, as are most of their other documents. If i followed them we would barely be allowed to put the name of the group on the internet let alone anything of any use to anybody! (OT i know but i saw the guide whatsit on swimming the other day and its 7 pages long!! Nothing like trusting leaders with common sense then!).



Matt

The trouble is, Matt, we live in a world nowadays where litigation is rife. There are loads of things I did years ago with Scouts that if I did them now I would be an ex-Scout by now! The SA is covering its own ar.e. If I run Explorers by POR then if anything happens by way of an accident the SA will back me all the way. If not I am leaving myself open to private litigation and having everything I have worked for taken away (house, nice car, all now paid for!). There is NO way I am going to allow that. Gone are the days when I used to take the Scouts over Helvellyn/Striding Edge in the middle of winter on an Explorer Belt Hike. I only have the M form now for Summer/Winter No Ice! (where are you going to find NO Ice in Winter 3000ft up a mountain?) There is little chance that I'll get the MTLB award because I just don't have the time to do it. So no more mountains after 2005. I couldn't agree more with you, the SA are working towards "professional leaders".

Dave

luke
03-07-2003, 11:08 PM
Step 3. To test for cross-site scripting, input the string "‹script›alert(hello')‹/script›" without the quotes in the same search or login box you used before and send this to your Web server.

OK then, thought I would give this a go 8) !

First, I think there is an error in the script as it should read <script>alert('hello')</script>. I put this (modified version) into the search form on the front page for our website and hit the magic button.

The page displayed was our search results page, I got no "hello" box, just Sorry, no matches were found containing ‹script›alert('hello')‹/script›.

After seeing the source of the info you provided (http://www.internetweek.com/) I took a look at their site. When I got there, what did I find, a search form in the upper left of the page so hey, guess what I did!

So, can you guess what I got? yep, a nice JS box saying hello!

This being the case, does this mean that this and similar sites that have this "positive" result are up to no good?

Now, another question, with regards to...


Step 5. If Step 4 fails and the Web site does not return this information, you still might be at risk. Click the 'View|Source' option in your browser so you can see the actual HTML code of the Web page. Now find the ‹script› string that you sent the server. If you see the entire "‹script›alert(hello')‹/script›" text in this source code, then the Web server is vulnerable to cross-site scripting.

The search results page from our website displays ‹script›alert(hello')‹/script› on the page to inform the user that their term cannot be found, hence the string will be included in the HTML source code by default!

Again, this being the case, does it mean that our search facility (hosted by another company) is also up to no good?

One final thing before going, the Scouting guidelines for Scout websites are a little out of date and could do with a radical revamp (the same as www.scoutbase.org.uk) but one key point that is of use, and I think most sites display it (not ours yet as its one of the pages to go online) is...


The views expressed within this website are not necessarily those of the Scout Association

regards, Luke
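
Added example, not part of the original thread or of any site mentioned in it: the difference behind Step 5 and the question above is whether the page source carries the submitted string as raw markup or as HTML-encoded text, which displays identically in the browser but never executes. The renderer functions, `escapeHtml` and `classifyReflection` are hypothetical names, and the results page is constructed to mimic the message quoted above.

```javascript
// Constructed sample: the corrected test string from the post above.
const PROBE = "<script>alert('hello')</script>";

// HTML-encode the characters that can change parsing context in element
// content and quoted attribute values. A single pass avoids double-encoding.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: the query is concatenated into the page as markup,
// so the browser parses a submitted <script> element and runs it.
function renderResultsUnsafe(query) {
  return "<html><body><p>Sorry, no matches were found containing " +
    query + ".</p></body></html>";
}

// Hardened form: the query is encoded on output, so the visitor still
// sees the exact text typed, but the source holds &lt;script&gt; instead.
function renderResultsSafe(query) {
  return "<html><body><p>Sorry, no matches were found containing " +
    escapeHtml(query) + ".</p></body></html>";
}

// The "View Source" check from Step 5, made precise.
// "raw"     -> probe present as markup: reflected XSS
// "encoded" -> probe present only as entities: displayed, not executed
// "absent"  -> probe not reflected at all
// Assumption: the site encodes with the same entity spellings as
// escapeHtml; other encoders may emit e.g. &#x27; for the apostrophe.
function classifyReflection(pageSource, probe) {
  if (pageSource.includes(probe)) return "raw";
  if (pageSource.includes(escapeHtml(probe))) return "encoded";
  return "absent";
}

console.log(classifyReflection(renderResultsUnsafe(PROBE), PROBE)); // raw
console.log(classifyReflection(renderResultsSafe(PROBE), PROBE));   // encoded
```

A page that shows the string on screen and returns "encoded" here is behaving correctly; only the "raw" case matches what Steps 4 and 5 describe.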

marcus
03-07-2003, 11:30 PM
Just had a good hunt through Matt's site (that counter will be going up like bus fares) and it may surprise you that to the main extent this site does not break the guidelines laid out in the factsheet (by the way, a new version was issued in May - [click here](http://www.scoutbase.org.uk/library/hqdocs/facts/pdfs/fs295207.pdf)).

The only points that I can find from the site at present are: -
- the naming of the "dick of the day".
- The absence of a disclaimer

OK the language, and one of the games may not be what I would choose to put on my group site, but I think it meets the rules in the main, and also a lot of work has been put into it.

I think that as this is supposed at the moment to be an Explorer site, the content should be judged as such.

marcus
03-07-2003, 11:39 PM
By the way he has an interesting take on the 404 error page: -


The page cannot be found
The page you are looking for (/explorers/news.php) might have been removed, had its name changed, or is either temporarily, permanently, randomly or otherwise unavailable.

--------------------------------------------------------------------------------

It is likely that you will never, ever, ever get to the page that you are looking for, as every time you try i'll annoy you with this message. However if you are quite a lonely person with sod all else to do and lots of free time, please try the following:

If you typed the page address in the Address bar, make sure that it is spelled correctly. It is most likely that you did type it correctly, and, if you hadn't, then it's possibly the first thing you checked and so wont be reading this [email protected]

Open the www.20thtorbay.co.uk home page, and then look for links to the information you want. You more than likely came from this page and followed a dead link, in which case this too is absolutely useless information that you could do without.

Goto www.microsoft.com because that site is much better.

Click the Back button to try another link. Again i'm sorry to be so annoying because obviously if you wanted to go to another page you would have clicked on another ****** link, not this crappy one which isn't only not the page you were looking for, but also happens to be no help whatsoever.

Click Search to look for information on the Internet. This is a bad idea because you already know which page you want, its just not here. Instead you've got this page and so searching the internet is unlikely to help, seeing as you already know the page you want doesn't appear to exist at the moment.

Umm, you are persistent aren't you - have you never seen an error message before? You deprived individual, don't you get the picture yet - the page you want isn't ****** here and it's not going to magically get here with you doing nout, so stop being so lazy, pick up the mouse and ****** click on something quickly before Windows® crashes you dim [email protected]!



HTTP 404 - File not found
Internet Exploder

rosschapman
04-07-2003, 11:54 AM
that factsheet i'm just scanning through is a little more helpful than the one before it. much more helpful for beginners. :rolleyes:

mattw
04-07-2003, 04:16 PM
true, i dont have a disclaimer. i used to have one but i dont appear to be able to find it anymore. There is a load of generic privacy junk though which i thought was very good of me to include - may add the disclaimer jobby somewhere where nobody will ever read it for the sake of completeness.

As for putting names on my d.ick of the day feature, only first names are shown and these new rules say not to include full names, so i think that im ok on that front.

As far as i can see the 'new' factsheet isnt wildly different from previous ones, but some of the more stupid bits have been taken out. Poss of some limited use to first timers, as some stuff is relevant if just plain common sense.

Scott
04-07-2003, 05:29 PM
I have just read the section of the new Scout Association Factsheet on Website Building and have a question. Where it has the section called Legal Requirements (saying about Privacy policies and Disclaimers Etc) is this a requirement - is my site illegal by not having it.

If so it will be a real pain because I will have to spend ages writing one!

Thanks
3rd Gosport Webmasters :)

mattw
06-07-2003, 02:49 PM
its definitely not illegal to have a website without a privacy policy or a disclaimer, but the SA poss think its best to have one

tbh i wouldnt bother about it

rosschapman
20-07-2003, 11:15 AM
Finally, someone has got round to changing that repulsive yellow on the scoutbase front page. minus the venture scout section, i think they've updated the whole site finally.

just thought it was worth a mention.

marcus
20-07-2003, 11:34 AM
SiD hasn't been updated either yet, anyone else think that that front page needs a major re-design?