Yesterday, a security vulnerability was found in sIFR 2 and 3. Malicious websites can trick visitors into running JavaScript code on domains hosting sIFR movies. No exploits are known. If you are using sIFR 3, you are advised to update to revision 278 (or any later revision).
You’ll need to update the sifr.js file and re-export the sIFR movies.
Detailed description
sIFR passes the text it has to render to the Flash movie using Flash variables. Normally these variables are specified using a flashvars parameter; however, they can also be passed using the query string. Malicious websites can craft an iframe which points to a sIFR movie on the target domain. An HTML link to some JavaScript code can be passed to the movie through the query string. When a visitor of the malicious website clicks on the link, the code is run in the context of the domain where the movie resides. Vulnerable browsers are Firefox, Safari, Opera and Netscape. This specific attack does not work in Internet Explorer. An alternative attack is to load the movie directly or in a popup window; this does work in Internet Explorer.
Revision 278 prevents this attack by not rendering any content that is passed through the query string. Credit goes to Arseny Vesnin for finding the vulnerability.
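A defender-side check that follows from the description above, as an added example (not part of sIFR or of the original post): because legitimate embeds pass text through flashvars, a request for a movie that carries a query string is worth reviewing in the access log. The host name, paths, parameter name and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

SITE_HOST = "www.example.org"  # assumption: the host serving the pages and movies


def host_of(url):
    """Host part of a referer, or None when absent ("-") or malformed."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def classify(line, site_host=SITE_HOST):
    """Return a finding dict for a suspicious movie request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        target = urlsplit(m.group("target"))
    except ValueError:
        return None
    # Legitimate embeds pass text via flashvars, so the movie URL has no query.
    if not target.path.lower().endswith(".swf") or not target.query:
        return None
    reasons = ["query string on movie request"]
    decoded = unquote_plus(target.query)
    if "<" in decoded or "javascript:" in decoded.lower():
        reasons.append("markup or javascript: URL in query")
    ref_host = host_of(m.group("referer"))
    if ref_host is None:
        reasons.append("no referer")
    elif ref_host != site_host:
        reasons.append("referred from " + ref_host)
    return {
        "client": m.group("host"),
        "path": target.path,
        "status": int(m.group("status")),
        "reasons": reasons,
    }


def scan(lines, site_host=SITE_HOST):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(l, site_host) for l in lines) if f]


# Constructed sample lines (documentation addresses, placeholder parameter name).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2007:10:00:01 +0000] "GET /sifr3/flash/font.swf HTTP/1.1" '
    '200 18231 "http://www.example.org/index.html" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2007:10:00:02 +0000] "GET /sifr3/flash/font.swf'
    '?placeholder=%3Ca%20href%3D%22javascript%3Avoid(0)%22%3Ex%3C%2Fa%3E HTTP/1.1" '
    '200 18231 "http://other.example.net/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2007:10:00:03 +0000] "GET /sifr3/flash/font.swf?v=278 HTTP/1.1" '
    '200 18231 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2007:10:00:04 +0000] "GET /sifr3/js/+_113;this.html=this.html.replace( HTTP/1.1" '
    '404 209 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["client"], finding["path"], "; ".join(finding["reasons"]))
```

A plain movie request from the site's own pages is not reported, and neither is a request that does not target a .swf file.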
Other changes
Here are the changes since revision 229:
- Improvements to the Callback API.
- Improved ratio calculation and handling.
- No longer replacing elements that have display: none set.
- Added a transparency and opaqueness option.
- Increased frame-rate of sIFR movies.
- Elements with the .sIFR-ignore class will now be visible.
- Changed semantics of sIFR.prefetch(). When invoked after sIFR.activate() it’ll pre-fetch the given Flash movies in all browsers.
- Fix for the sticky hover problem.
- Fixed problem in Internet Explorer when used in combination with (for instance) SWFObject.
- Anti-aliasing can be specified in JavaScript.
- Text-wrapping can now be prevented by setting the preventWrap property for sIFR.replace().
- sIFR will no longer activate when loaded directly from the filesystem. Load it through a webserver instead.
- Debug mode is automatically enabled if the sifr-debug.js file is loaded (before sifr.js).
As this release has been rushed due to the security issue, I have not been able to update the documentation.

I’ve been trying to remove the padding around the text using sIFR 3 but I can’t seem to get it done. Why doesn’t the height of the sIFR flash correspond to the actual height of the text within?
sIFR uses the height as reported by Flash. Unfortunately it’s not the exact size. You can use a negative value for tuneHeight to decrease the height, and you can use offsetTop to better position the text.
The security update is, of course, necessary, but the elimination of being able to activate from the file system makes it nearly impossible for me to test in real time. I don’t have a web server at home and I’m disinclined to set up IIS on my home pc. That leaves constantly re-uploading to my ISP to even see if it’s working.
Even testing it at work where I have easy access to web servers (not allowed on my pc unfortunately) I can’t test in real time as I don’t develop ON the web servers.
One example where the rotten hackers and criminals in this world have to make things more difficult for the rest of us.
Diane, the requirement to load sIFR from a webserver is unrelated to the security update. It’s just that (due to Flash security restrictions, so okay) it doesn’t really work very well from the filesystem. However, if you set sIFR.fromLocal = true; before activating it should work just fine.
Thanks for the clue Mark, that makes things easier
Hey!
I’ve changed to the new 278 release (from 231) – and now sifr can’t show special characters like the ä ü ö in german charset … could you please be so kind and explain a possibility how to fix this? thanks a lot – fRanKy
Are you sure you re-embedded those characters?
The same problem as fRanKon. Re-embedding (Uppercase [A..Z] — Punctuation, Latin I, Latin Extended A) gives nothing – UTF codes’ numbers are displayed instead of Polish diacritics.
Could you post a few examples of those Polish characters?
Same problem here with special characters, åäö etc are not displayed, actually the whole word after such a character gets chopped off… Weird.
Also, the sticky hover thing is still there, from what I can tell… tried both rev 257, 274 and 280, can’t get rid of it I’m afraid…
Hallo Mark … i use siFR since april – and yes i’m sure 231 works fine … i embedded those characters – everything is fine – but the new 278 breaks down at special chars and nothing is displayed. so for now i switched back to 231 and wait
– thank u very much … its a great tool btw
Okay, I’ll look into the special character thing. Emil, what browser(s) are we talking here? Could you post an example with r280?
Hello Mark,
there is screenshot displaying the problem we are talking about: http://cromedia.pl/r278.png
Text in first line is: “zażółć gęślą jaźń” (typical polish oneliner including all diacritics)
The second sIFR line is glyph test: “aąbcćdeęfghijklłeęmnńoópqrsśtuvwxyzźżAĄBCĄDEĘFGHIJKLŁMNŃOÓPQRSŚTUVWXYZŹŻ !@#$%^*()-=+_;:,.?/\~`1234567890”
As you can see – all characters but the [a-z][A-Z][0-9] and interpunction signs are displayed as UTF code numbers (guess, I did not check it).
PS. I use FF 2.0.0.5, IE 6.0.2900.2180 and Safari 3.0.2 (everything on WinXP Pro SP2) – the result is identical, so it’s pretty obvious that it’s sIFR bug.
And two more screenshots:
http://cromedia.pl/r278_win1250.png The same document with Win-1250 encoding…
http://cromedia.pl/r278iso8859_2.png …and in ISO-8859-2. Just the same as UTF-8.
i’ve just done some tests using special characters (Latin 1 character set) and i noticed that both sites display the characters fine in sIFR when they’re encoded as an entity (using ampersand semicolon). however, if i put the character straight into the html without encoding, only the pages using UTF-8 encoding will display them at all.
so, if i use content="application/xhtml+xml; charset=ISO-8859-1" in my http-equiv="content-type" metatag, only html entities display correctly (if they’ve been embedded in the flash file, of course).
however, if i use content="text/html;charset=UTF-8", both html entities and un-encoded characters that have been embedded in the flash file will display.
sticky hover problem seems to be fixed, too. thank you so much!
Mark, I just downloaded rev278, unzipped it and popped /demo/index.html into the latest versions of Firefox and Safari, both OSX. The headlines appear to be plain, no sIFR present. I must be stupid — what am I missing?
Nevermind, I’m not stupid — just retarded. I’ll read the documentation first next time
taghag, saving a file as UTF-8 and then displaying it as ISO-8859-1 can’t work, because the text is incorrectly parsed by the browser. Try disabling sIFR and you’ll see that the text is wrong.
KPK can you post a real life example of your sIFR install? I tried displaying the characters in the latest version and they didn’t show (as they were not embedded) but neither did the other stuff. Same for Emil, not getting anything out of the ordinary.
I’ve tested embedding Nordic letters (æøå) and it works just fine. Get the encoding right first, people! However, Mark, I seem to have a bug when using sIFR in Safari. It seems as though the parse selector breaks down in some instances. It seems like if it doesn’t find the first element in the selector statement, it gives up.
E.g. I have the following setup:
sIFR.replace(head1, { selector: 'h1', css: [ '.sIFR-root { text-align: left; font-weight: normal; color: #00a6eb }' ], wmode: 'transparent' });
sIFR.replace(head2, { selector: 'h2, ul.linkmenu li.title', css: [ '.sIFR-root { text-align: left; font-weight: normal; color: #00a6eb }' ], wmode: 'transparent' });
sIFR.replace(head2, { selector: '.upperleftbox li.title h3', css: [ '.sIFR-root { text-align: left; font-weight: normal; color: #ffffff }' ], wmode: 'transparent', tuneHeight: '-5' });
If it doesn’t find h2 in the 2nd replace statement, ul.linkmenu li.title doesn’t get replaced either. Again, this only happens on Safari. For now I’ve rewritten it so that ul.linkmenu li.title comes first because it is always on the page, thus everything gets rendered with sIFR as it should… Just thought I’d let you know about the Safari bug
Hi George, that seems weird. Could you post a link to the page where this occurs? Which Safari version are we talking about?
Hi again Mark,
Haven’t had time to test again, left for a week’s vacation, but I’ll check encodings, re-export etc. again when I get back.
@George: Yeah, I know, it’s easy to mix up stuff, and I can’t say for sure that I didn’t miss something since I don’t have the code in front of me right now, but the weird thing is that everything was hunky dory with the current encoding with 257 (not sure about 274, only tested it briefly for the hover thingy, but don’t remember noticing anything out of the ordinary), and after updating to 280, stuff was weird – and the underlying html hadn’t changed a bit.
I might have screwed up while exporting somehow though, so I’ll try again when I get back home and report back, in a few days.
Mark: so here’s the test site online: http://cromedia.pl/sifr/
KPK, it looks like you didn’t re-export the Flash movie for the newer nightlies. So for everyone who is having problems with encoding, you must re-export the Flash movie when upgrading to a newer sIFR version.
Hmm, looks like my export script is having difficulties. You might still be using the latest version but it’s a bit hard to tell right now.
Okay, could you update the site to r297? It’ll actually work properly this time, and we’ll be able to debug this.
Hey again. Unfortunately the site I’m using this on is in a test environment at the moment. Tested with the latest stable version of Safari (2.0.4). Unfortunately I don’t have any other sites with the problem active at the moment either, since I have ordered the replace statements in a way so that it doesn’t happen…
But basically it’s a problem of deserting a replace statement as soon as one of the selectors in it is not found.
Well if you could isolate the issue and send it to me that’d be great. Can’t do much without being able to reproduce the issue.
I found some strange requests in my apache log:
/sifr3/js/+_113;this.html=this.html.replace(
Lucky, I already have 278 and it gave an error 404.
@ mark “taghag, saving a file as UTF-8 and then displaying it as ISO-8859-1 can’t work, because the text is incorrectly parsed by the browser.”
just to be clear, i’m saving the file as utf-8 (no BOM) and i have utf-8 in my content-type meta-tag as well. i don’t specify ISO-8859-1 anywhere. special characters display with or without javascript.
Prale, I don’t see how that would end up in your Apache logs, it’s a snippet of the sIFR source code, and definitely not an attack vector.
taghag, I’m referring to this:
Which, of course, is sending out a UTF-8 document as ISO-8859-1.
When I use text field with sifr on Firefox on Mac, I can’t type any shift + characters, such as @, #, % and so on. In addition, I can’t copy the url from address bar, either.
Sorry, I used wrong file….
Sorry to be such a noob, but please could you tell me where we should set the sIFR.fromLocal = true; as mentioned in comment 4? I tried adding it in as the last line of the actionscript in the .fla file before exporting the movie. However, when I tested it on my machine before uploading, the fonts weren’t replaced, so I think I’ve done something wrong. Many thanks for your help.
It has to go in the JavaScript config file, before “sIFR.activate()”.
Ah! Thank you – now it works.
Hi Mark,
First, thanks for sIFR 3. It’s really great. However, it has some really strange behaviour when trying to style links — in particular, trying to style child elements of links does not work correctly at all. Styling link children doesn’t really work, and trying to style the children in the hover state absolutely breaks sIFR. I also couldn’t seem to get spans to be styled, even when not inside a link, unless they were given a class and addressed using only the class (eg. 'span' : { 'color' : '#ffffff' } and 'span.class' : { 'color' : '#ffffff' } did not work).
Are you aware of these issues/able to confirm/plan to fix for the final release?
Sorry if this message is incoherent, I’ve been awake way too long tonight
Cheers,
I’m afraid these are issues with Flash itself. Perhaps you could add this to the wiki? Styling would be a good page I think.
I’m wondering if it is possible to apply more than one filter. DropShadow works fine but I would also like to add a bevel to the font. Not sure if I’m doing something wrong but it will not allow two filters to be applied. Code sample would be nice if it is possible.
You should be able to specify multiple filters. Does the Bevel filter work without DropShadow?
I don’t understand enough about Flash’ filters to figure out a code sample I’m afraid. Let me know what you find!
Do you have any plans to upgrade the flash output to be increased to flash player 8 (instead of the current version 6)? That would allow better anti-aliasing of the typeface.
sIFR 3 is Flash 8 and above.
To the authors of siFR 3, i’ve greatly enjoyed using siFR 2, and now the greatly improved siFR3 – i was wondering if there’s any documentation somewhere pertaining to the different settings for css and flash.
Having not touched flash in a while, there’s a number I don’t remember, particularly the syntax used in siFR (i.e. wmode: transparent, tuneHeight: foo), i think a kind of quick list would be very useful!
Naturally, point me to such documentation if it exists, i’m sure i might have overlooked it!
There’s a bunch of info on the wiki but I haven’t had the time yet to write proper documentation.
[quote] /sifr3/js/+_113;this.html=this.html.replace(
Prale, it’s a snippet of the sIFR source code, and definitely not an attack vector. [/quote]
It was requested from a strange external IP address so they at least “tried” to inject something. Thanks for your support, now I know they can’t attack anything with it. Keep up the good work! Where would my site be without sIFR?
Was wondering if anyone can do text justify with this release ? I was able to do it with version 2 release 260 but never could make it work for versions upwards
please let me know if this is still possible in ver. 3
thanks
John, could you provide an example with both r260 and r304? Probably best to run it through the forum. Thanks!
Hi Mark, congratulations SIFR is just amazing. I just have one doubt, is there any way to replace one tag using the same replace instruction with different colors like in the demo using but I want to use a class. Eg. sIFR.replace(bigblokebb, { selector: 'h2', css: { '.sIFR-root': { 'font-size': '23px' }, '.green': { 'color': '#427A36' } }, fitExactly: true, wmode: 'transparent' }); and just add .blue, .yellow and on. Thanks.
If you want to have one replacement call you’ll have to put the text inside the h2 in a span with the appropriate class name. You could also write different replacement calls for h2.green, h2.blue etc. If you add the common properties like fitExactly and wmode to the bigblokebb object you won’t have to repeat them in the replacement call, they’ll be used every time you pass bigblokebb to the replacement call.
Hi Mark, Thanks, that really helps me, I’ll let you know when I finish the Website, maybe you can add it to the examples section.
Thanks again.
Mark,
I haven’t looked at 3 yet but I did an implementation of sIFR using Drupal and a nifty module that does all the code for you…
I ran into a fairly serious issue in that when menus dropped they sat under the replaced text. Has this been addressed and does anyone out there know if i can just swap the V3 code with the V2 code used in the Drupal module?
Yani
That’s a known browser issue. Setting wmode to ‘opaque’ should resolve it. The Drupal module is not compatible with sIFR 3.
Have any of you guys gotten a version sIFR 3r278 or later working with 64 bit OS’s? I have win XP 64-bit and every version after sifr3-r260 does not work. It simply does not replace the selectors with flash movies, it leaves the plain text.
Hi Nick, sounds as if the Flash detection broke down. Do other Flash sites work for you? What about this demo?
Hello. I use sifr since a few versions back. It was working fine until I checked my website yesterday with Firefox. The font size is very small, so small that you can’t even read it. In IE everything is normal. (53pt) What can be wrong?
http://www.4elementz.com/profiles/delft015
I hope someone can help me. A reply in Dutch is possible.
You haven’t specified the line-height: 1em for the text you wish to replace.
Thanks, that was the problem! I remember now I deleted the line some weeks ago because I didn’t notice a difference in IE. Thanks for the support!
Hi. I’ve just implemented sIFR3 after using sIFR2 for a while. A great improvement all round and looks incredible on the page. I’ve started to get an issue with Firefox. Sometimes, when the page loads, any links using sIFR are disabled, until I click them (sometimes twice). The hover doesn’t work in these instances too. Any idea why?
Hi Sam. Sounds as if the sIFR movies have wmode specified and are contained in a floated element. Firefox doesn’t handle Flash movies very well in this scenario.
They did have wmode and were floated. I have solid backgrounds on those elements now and the links seem to be working fine. Thanks for your help.
Hi there,
Great little add on to a site this sifr! Thanks for taking the time to create it Mark.
I have a slight problem though:
In IE6 the height of the Flash movie is different to IE7 and FF. It’s just that I’m adding a border to the bottom and there is a difference in alignment.
Is there any way to fix this?
Thanks.
Sounds like an IE CSS issue, so that’s where the solution should be. Don’t know what else to do.
Could you run follow up questions through the forum?
Hi Mark,
I’m getting a “Rendered with sIFR 3,” message instead of the header text I’m trying to replace. Do you know what I’m doing wrong?
Thanks,
Amit
p.s. first time user
Are you sure the code for the Flash movie and the JavaScript code are of the same version? Download the latest nightly and re-export the Flash movie. These nightlies check if the versions match.
Oh, I figured it out. I forgot to upload the sIFR-config.js file. Doh!
I am trying to use the latest version of sIFR 3 Revision 278 to style links. Does anyone have a working example of this so that I can view a clean example of how to set the sifr-config.js, css-screen.css, css-print.css? Is there anything that needs to change in the .fla or .as files as well? I am a beginner user of sIFR and I am struggling to find a useful working example of how to style links for a simple css navigation that will work in Firefox, IE, Netscape, and Safari browsers, as well as allow for wmode:transparent, so that I do not have to have the links over a solid background color.
The one thing to look out for is that you can’t replace the link itself, but you must replace a parent element. The top text in the demo is a link, so that’d be a good example.
The Louder Than Ten site in your list of examples was the best example I could find of creating links with sIFR, using the most recent release as well, and it worked for me! Next question, is it possible to have a hover background image as opposed to a background color? Thanks again!
No that doesn’t work I’m afraid.
Is there any way to show sifr using this framework on IE 5.5
Nope, sIFR 3 is IE6 and up.
Was using sIFR 2 with a (PS) OpenType font. The same swf file doesn’t seem to work with sIFR 3. (although your sample font is working) A new exported swf didn’t work, is there anything I can do, or is this a bug?
Editor’s note: This question was later asked on the forum, and answered there.
Bit of a cry for help really – I’ve run into the problem that the anti-aliasing is too heavy over one colour and too light over another colour – makes for it looking pretty shoddy and inconsistent.
I realise there are ways of controlling anti aliasing which are described briefly here http://wiki.novemberborn.net/sifr3/Flash+Configuration
I think this fellow seems to be the most important feature – preserveAntiAlias (Boolean) which should allow me to refine the anti-aliasing in Flash and a bit of trial and error will solve my problem.
but when exporting my flash file it’s saying “There is no method with the name preserveAntiAlias”
I’m almost certain this is simply because my AS knowledge is near non-existent, is there a more thorough example or walkthrough of its implementation somewhere?
I’m probably missing something tiny and incredibly painfully obvious but any help would be much appreciated.
Hi Maerk, in Options.as specify sIFR.preserveAntiAlias = true; in the same place as the sIFR.domains declaration.
Hi,
I need to display my header in two colours, but cannot seem to get this to work. I have tried the following (as well as other attempts):
sIFR.replace(rockwell, { selector: 'h1', css: [ '.sIFR-root { color:#0000ff; }' ] });
sIFR.replace(rockwell, { selector: 'h1 span', css: [ '.sIFR-root { color:#ff0000; }' ] });
blue red
.. But nothing seems to work?… any help appreciated.
Thanks.
just worked it out…
sIFR.replace(rockwell, { selector: 'h1', css: [ '.sIFR-root { color:#0000ff; }', '.red { color:#ff0000; }' ] });
blue red
… always happens, ask the question and then figure it out..
Huge thanks, thought it would be something painfully simple (if I knew AS at all I’m sure – or an ounce of common sense on my part)
I am new to sIFR and am trying to replace links in a menu. Ok it works, a nice font for the menu and very happy
But what if people do not have the flash plugin in their browser? What if adblock users block the menu links? I would like to have the original link (the one that is replaced) to be visible if these 2 scenarios happen. So is this possible??? If so can someone give me a hint or point out an example page.
In the first case (no Flash) sIFR never replaces anything. In the second case, well, there’s nothing to be done about it.
Hi,
Having a problem rendering < > characters with sIFR – I’ve spent a good hour looking for a solution or similar problem and I’m amazed to say I haven’t found anything!
I’ve embedded the characters in the flash file and I’m browsing with ie7.
Other similar characters appear fine when encoded in that way (& etc) and I’ve also tried the ascii code variation (&60#;) but that too fails where other characters work fine (&42#; renders a ‘*’ fine, for ex).
I’m sure that there’s a simple explanation but any help welcome!
Thanks & thanks for your work on sIFR – a great tool.
Ben
Ben, just to be sure, did you embed them using the embed dialog, or did you type them? You have to use the former method, the latter won’t work.
Hi Mark,
Thanks for your reply – I embedded them using the embed dialogue and then added them manually using the additional symbols field, along with the existing &,.”” etc. My only other option was to embed another language group.
Just curious – is this a problem that you’ve been able to replicate or is it something I’ve done wrong at this end? I’d be very surprised if this problem hasn’t come up before!
Thanks, Ben
This is a problem that crops up every couple of months, but I can never reproduce it. Don’t really have the time to export a movie right now, but could you retry with the latest nightly build? Also, could you verify that the characters are correct when you view the page without sIFR enabled?
Let’s discuss this through the forum.
I’m using sifr 3 r 278 and it works great in Firefox while it seems it doesn’t work in Safari!!! With Firefox 2.0.0.6 everything is perfect. While in Safari 2.0.4 I see the plain text, I mean, nothing is replaced!!!! Can you help me??? THANKS!!!! Davide
GULP! Now it’s working! I really don’t know why…But it’s working….I’ve done nothing…I’ve just refreshed my website folder in Eclipse…and now it works with Safari also…Anyway…I’m HAPPY! Ok…SORRY for my previous comment! Well…SIFR3 rules! Thanks! Davide
Hi,
Awesome little tool. I started using the 2.0 release and it’s pretty great except for aliasing. I am trying to match an image that had strong anti-aliasing before.
And now that I got the 3 beta, I am getting errors when exporting
Error C:\www\Projects\sifr3\sifr3-r278\flash\sIFR.as: Line 74: There is no property with the name ‘flash’. public static var filterMap:Object = {
Total ActionScript Errors: 1 Reported Errors: 1
You need to use Flash 8 or CS3 to create the Flash movie, it looks like you’re not using those versions?
Just moved to using version 3 and nothing seems to work for me. Things worked fine with version 2, but now not even the demo that came with version 3 works. What am I missing if the provided demo doesn’t work?
You mean this demo? Are you sure you have Flash 8 or 9 installed? sIFR only works if you view it through a web server, not directly from the file system.