


Link to comic.
Link to blog.
This is another one of those "the associated blog is actually of more interest to me than the comic" comic posts.
(EDIT) Yet another post to fall victim to that bizarrely still existent "can't have 'Hidden ' in the subject line" bug. (/EDIT)
no subject
Date: 2026-04-09 10:23 am (UTC) From:
What a weird bug. Have you reported it?
no subject
Date: 2026-04-09 04:33 pm (UTC) From:
no subject
Date: 2026-04-09 04:45 pm (UTC) From:
Wow. That's an impressive amount of time for it to live on the back burner. I wonder what crucial piece of functionality is entirely reliant on it.
no subject
Date: 2026-04-09 05:05 pm (UTC) From:
It's easy enough to work around. You can just replace the quotation marks in a subject line with " and they still show up as quotation marks, without causing the issue. It's just that I tend to forget about it being a thing that happens until after I've already posted something (e.g. the above post) and the subject line just doesn't show up at all until I change it.
no subject
Date: 2026-04-10 10:32 am (UTC) From:
I'm not an HTML expert, but looks like they're failing to escape quotation marks. So, like, the link is getting encoded like this:
<a title="Penny Arcade - "Hidden Mechanics"" href="https://kane-magus.dreamwidth.org/1773235.html">
Which basically means the first quotation mark closes the title= attribute and it reads the rest of the "quote" as new attributes. And in this case, hidden means, well, hide it.
Also, this means that it's actually affecting every single title that has a quotation mark in it; the title= attribute is what should be showing up in the mouseover text for the link itself. It's only obvious with hidden because hidden is also an attribute that has a visible effect, but most of your quoted titles are just random words that mean nothing in an HTML sense (e.g. this post shows the proper title on mouseover, but this one does not. But since invisible, baby and meters aren't keywords in HTML, it just… ignores them.)
Also, whole thing would probably break if you ever had a title with only one quotation mark in it.
This also feels super-vulnerable to injection attacks. I bet you could do some serious damage with something along the lines of setting your title to
This is a safe link" href="http://notavirus.totallylegitsite.xyz"
Y'know, if you're into that sorta thing.
no subject
Date: 2026-04-10 08:08 pm (UTC) From:
And you're totally right about the potential injection attack. I just made a private post (which I will make public right after I post this comment) with subject
This subject line links to Google's homepage and not to this post" href="https://www.google.com"
and the hypertext link for this post on my main page absolutely does go to Google's homepage, rather than to the post itself. That said, at least on my end, the subject line still shows up on the post as
This subject line links to Google's homepage and not to this post" href="https://www.google.com"
rather than just
This subject line links to Google's homepage and not to this post
as one might have expected, and this is the case on the post itself and from my main page. (No clue what it might look like on the "/read" page of anyone else.) It's still super bad that it goes to whatever URL is in the subject line rather than to the post, of course, but at least it (hopefully) would be fairly obvious if someone tried to use this to redirect others to a bad link.
That said, for what it's worth, hovering over the
This subject line links to Google's homepage and not to this post" href="https://www.google.com"
link does indeed only show the
This subject line links to Google's homepage and not to this post
bit and not the rest of it. I'd guess that someone of a more nefarious nature could possibly find a way to hide the rest of it in the actual link itself, too.
In any case, I'll be reporting this new, more potentially sinister issue as soon as I'm done with this comment and making the example post public.
(EDIT - twice to fix errors)
And it all shows up in page source as
<a title="This subject line links to Google's homepage and not to this post" href="https://www.google.com"" href="https://kane-magus.dreamwidth.org/1774353.html">
which is clearly FUBAR.
(/EDIT)
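Added example, not part of the thread and not Dreamwidth's code: a Python sketch of the failure discussed above, assuming a hypothetical template that pastes the subject into title="..." unescaped, shown beside the same template with attribute escaping. The function names and the template are assumptions; the subjects and URLs are the ones quoted in the comments.

```python
from html import escape
from html.parser import HTMLParser

POST_URL = "https://kane-magus.dreamwidth.org/1774353.html"  # post URL quoted in the thread


def render_unescaped(subject, url):
    # Hypothetical template: the subject is dropped into title="..." as-is.
    return '<a title="%s" href="%s">' % (subject, url)


def render_escaped(subject, url):
    # Same template with attribute-context escaping (" becomes &quot;, & becomes &amp;).
    return '<a title="%s" href="%s">' % (escape(subject, quote=True),
                                         escape(url, quote=True))


class _AnchorAttrs(HTMLParser):
    """Collects the attributes an HTML parser sees on the <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                # Browsers keep the first of duplicate attributes, so do the same.
                self.attrs.setdefault(name, value)


def seen_attrs(markup):
    parser = _AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


# The two subject lines discussed in the comments.
SUBJECTS = [
    'Penny Arcade - "Hidden Mechanics"',
    'This subject line links to Google\'s homepage and not to this post" href="https://www.google.com"',
]

if __name__ == "__main__":
    for subject in SUBJECTS:
        for render in (render_unescaped, render_escaped):
            a = seen_attrs(render(subject, POST_URL))
            print(render.__name__, "| title:", repr(a.get("title")),
                  "| href:", a.get("href"), "| hidden:", "hidden" in a)
```

With escaping, the parser hands back the full subject as the title and the post's own URL as the href for both subjects.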
no subject
Date: 2026-04-10 08:27 pm (UTC) From:
And here is the new bug report I just submitted. (EDIT Typos and all. Ugh. /EDIT)