Vincent Gable’s Blog

September 18, 2009

Strange AOL Instant Message Filtering

Filed under: Announcement,Bug Bite,Security | , , , ,
― Vincent Gable on September 18, 2009

You can’t send a message over AIM that has a JavaScript event handler name, followed by = in it. The message seems to be blocked on the server, not in the client, as this behavior was observed in different AIM clients (iChat, Adium, and meebo.)

Examples

The following messages can’t be sent over AIM:

onclick=

onclick =

Yo dawg, I heard you liked onclick= in your JavaScript…

Interestingly, using a newline, instead of space, between the handler name and = allows the message to be sent, even though it is still valid HTML/JavaScript. For example, you can send,

onclick
=x();
/*this is fine*/

I suspect there is an interesting security story behind all of this. If you know how and why this filtering came to pass, I please leave a comment.

Thanks to Dustin Silverman for helping me investigate this. In case you were wondering how I stumbled onto this behavior — I was sending snippets of HTML from twitterglyphs.com/ over AIM.

January 19, 2009

Setting iChat Status With Automator

Filed under: Announcement,MacOSX | , ,
― Vincent Gable on January 19, 2009

Set iChat Status is an Automator action that sets your status message, and availability in iChat. Amazingly, this action did not ship with Mac OS X.

Preview.png

I wrote it, because I wanted a user-friendly way for people to control iChat in IMLocation workflows.

I Need Your Help, Tiger

This action should run on Mac OS X 10.4. But since I don’t have a second computer running Tiger, I’m not sure. If someone would let me know if this works on Tiger I would really appreciate it! It should work just fine, but you know what they say about “should”…

Download.

January 18, 2009

iChat AppleScript / Apple Event Gotcha With “set status”

Filed under: Bug Bite,MacOSX,Programming | , ,
― Vincent Gable on January 18, 2009

If you run the AppleScript:


tell application "iChat"
   set status message to "testing"
   set status to away
end tell

You might expect to have the away message “testing”. But what you get is an empty away message. That’s because set status destroys your status message. It behaves as if you had selected “Away”, “Available”, etc. as your status from iChat’s status menu.

If you want to set a custom away message, call set status first, so it won’t over-write your message.


tell application "iChat"
   set status to away
   set status message to "testing"
end tell

Filled as radar://6505882, but Apple considers it expected behavior.

Powered by WordPress