The FXScript Reference site is 100% scratchbuilt. I created it partly to teach myself more practical PHP and MySQL skills and shunned any existing code snippets or libraries. Yet the site and my home-built commenting system is getting pounded with spam.

How is this happening? It’s the usual crap; laser this, cheap pills that, a bunch of links that were scuttled by my post-cleaning routines, fake comments with links to casinos and porn. The spam is coming from different IP addresses each time, usually from India, Russia or Columbia. All spam comments were posted using Firefox.

The k30fps entry has been taking the brunt of the spam (72,000+ hits vs a normal average of 2500-3000 hits for other items?).

I set up a quick log to collect all $_SERVER and $_POST data for any comments posted, to see what was happening. I was hoping something would stick out like curl or some unknown referrer page. No such luck, everything looked normal, the most troubling thing was the user agent:
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10

I suspect there is a hacked Greasemonkey script out there which exploits HTML form auto-entry to insert spam comments. There’s not much I can do about blocking that.

Traffic has been low recently, except for the spammers, so I’ve unfortunately decided to turn off comments for the time being. Maybe the lack of exploitable forms will get me off the spam list. When I have more time I will try to hook into Akismet. Since turning that on for my WordPress site I have not had to manually delete a single spam comment.

If anyone has something they’d like to contribute, send me an email and I’ll either post it for you or open the site a window for posting.

**Update** Comments are on again.

update 2: These workarounds also work with Safari 2.0 in Mac OS X v10.4 .
update: There’s a simpler fix, jump to the bottom.

Yesterday morning I noticed a change to the JavaScript/DOM getSelection() behavior in the new Safari 1.3 (in 10.3.9) and the most recent version of Firefox 1.0.3.

I’ve been using this method for years to pull selected text from web pages for several of my bookmarklets. The one I use most frequently generates a link from whatever text is selected. If nothing is selected, it grabs the document’s title. The change in getSelection() broke that bookmarklet, no selected text was recognized.

After a bit of research, I found Mozilla’s Safely accessing content DOM from chrome page which describes the security fixes behind the modification and detailing other problems the changes had caused. Based on Mozilla bug 290777 and this post by Buzz Anderson, both browsers seem to have problems with the change. Despite those bugs, I managed to find the simple workaround as described below.

What Safari and Firefox now seem to be doing is creating a DOM selection object from getSelection() instead of treating it as a simple string. The result is that getSelection() appear to be a string, but few of the string manipulation functions work without additional considerations.

The following examples are all intended to be tested as bookmarklets, drag them to your bookmarks bar for testing:

• getSelection() test 1
  javascript:d=window.getSelection();
alert(d);

  Works as expected in Safari 1.2.4, Safari 1.3 and Firefox 1.03, popping an alert containing the selected text. Trying to measure that returned string fails in Safari 1.3 and Firefox 1.0.3 but works in Safari 1.2.4:

• getSelection() test 2
  javascript:d=window.getSelection();alert(d.length);

  The older version of Safari returns a character count for the string of selected text. Firefox and Safari 1.3 return “undefined”. There are quite a few other problems:

• getSelection() test 3
  javascript:d=window.getSelection();
alert(d.toString());

  Works in Firefox and Safari 1.2.4 but not in Safari 1.3.

• getSelection() test 4
  javascript:d=window.getSelection();
alert(d.toString().length);

  Getting the length after toString works in Safari 1.2.4 and Firefox.

Further inconsistencies between Safari 1.3 and Firefox 1.0.3:

• getSelection() test 5
  javascript:d=window.getSelection();alert(d.type);

  Returns “Range” in Safari with a selection, returns “Caret” or “None” with nothing selected. Fails with “undefined” in Firefox. (I think the Firefox 1.0.3 DHTML regression bug might be preventing it from working in Firefox but I didn’t try any of the recent nightly builds.)

• getSelection() test 6
  javascript:d=window.getSelection();
alert(d.getRangeAt(0));

  Fails silently in Safari, returns selected text in Firefox. Safari dumps this into the Console log:
  [5956] :TypeError - Value undefined (result of expression d.getRangeAt) is not object.

• getSelection() test 7
  javascript:d=window.getSelection();
alert(d.typeDetail);

  Fails with “undefined” in both.

There is some good news:

• getSelection() test 8
  javascript:d=window.getSelection();
alert(d.isCollapsed);

  Works in both Firefox and Safari 1.3; fails in Safari 1.2.4 as “undefined”. This means (finally!) there is a workaround for my problem.

I was using the length property to determine whether a selection was empty or not, then fetching the title of the window if that value was 0. Knowing that length no longer works in Firefox and Safari, isCollapsed can be used as a conditional switch.

• getSelection() Workaround
  javascript:d=window.getSelection();
d=(d.isCollapsed||d.length==0)?document.title:d;
alert(d);

  That will return any selected text or the document title if there is no selection. Tested successfully in Safari 1.2.4, Safari 1.3, Firefox 1.0.3 and presumably Safari 2.0 as well.

Line breaks were added to visible code examples because my style-sheet choked on long lines and I can’t redo the CSS right now…

Update: After working through all of the above, I realized there is a far simpler solution: +''. The Safari problem seems to be that string methods do not work on the returned object from getSelection(). Forcing the result into a string by concatenating with an empty string fixes all of my bookmarklets. Concat() fails because it’s a method of string, use the "+" joining operator and an empty string '' instead.

• getSelection() Faster Fix
  javascript:d=window.getSelection()+'';
d=(d.length==0)?document.title:d;
alert(d);