'how to avoid w3c markup validation to use server redirection via url checking
I found the w3c validator very useful for me for testing the final markup of a current page. I have a link for each of my page, like this:
https://validator.w3.org/nu/?showsource=yes&doc=https%3A%2F%2Fexample.com%2Findex.php
it works, but the problem is, if I have something like this:
<?php
if(!isset($_SESSION['admin'])){header('location: login.php');}
?>
and the final markup for testing is in fact the markup of login.php
and not index.php
- regardless the session is set - or not
is there a way to avoid this redirection?
seems there is a POST
option instead of GET
and I hope it works without redirection but I can't understand how to implement it
Solution 1:[1]
The session will never be set because the Validator is not going to have logged into your site.
The simple and safe way to validate your HTML would be to:
- View > Source
- Copy/Paste (possibly via a text editor to remove any private data) into the Validator
The more complex way would be to write a means to bypass the session checking logic and always return the admin page. (E.g. a query string combined with a server-side configuration check). Then give a URL that triggers that bypass logic to the Validator. And to only ever turn that code on (via said configuration check) on a staging server that doesn’t have production data on it (otherwise you’ve introduced a big security hole).
Another, similar, approach would be to make the bypass based on the IP address the request comes from and then allow access to the Validator’s IP address. Since you don’t want attackers to be able to read your admin pages by submitting their URLs to the validator you should only do this for the IP address of an instance of the validator installed on your LAN (and restricted so non-admins who have access to your LAN can’t use it).
Solution 2:[2]
If you have a Location:
header, with the appropriate redirect status code, ideally you won't send any HTML at all. It won't be seen and is a waste of bandwidth. In fact, you'll find that the browser will follow the redirect before bothering to try rendering the HTML.
Therefore, there should be nothing to validate!
Also note that your browser's developer tools can do HTML validation warnings for you. So, if you need to do testing of logged-in pages, you can check right in your browser without going out to the W3C validator.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Quentin |
Solution 2 | Brad |