Jump to main navigation, main content

Archived entry | Matt Wilcox .net

Anti-Virus, the validation killer

A Validation Problem

Validating your document is a good idea. If your document validates, your code is correct, which means it’s likely to be well structured, and it will definitely work on any browser which supports the doctype you’re using (you are specifying a doctype, right?)
Earier today I was working on mattwilcox.net when I decided to check that the dev blog validated correctly. It didn’t validate, which wasn’t too surprising as I’d not even finished the PHP code yet. I went through my script and tidied up the bits that were broken and re-submitted the page for validation (I use the W3C Validation Tool, which is great). My page still didn’t validate, and upon closer inspection of the offending code I hit a puzzle. The bit that was breaking the validation was an old-style HTML <script language="javascript"> tag. I checked my local document again and realised that the code producing the error wasn’t actually in the document I was working on. Thinking I must be trying to validate an old script, I re-uploaded the current one and re-validated. I got the same error notice: mysterious javascript was appearing from nowhere, right above my valid javascript tag.

The Cause

What could be causing foreign code to appear inside a HTML page? I feared I might have a virus and promptly did a system sweep with Norton and AdAware. Apart from a few tracking cookies nothing was picked up. OK, so my problem was not a virus. Next possibility on my list was the server was fiddling with my pages. I checked it out on my other PC and again the modified code appeared. Maybe it was something on the server?
I set google on the trail to see if anyone else had reported a similar problem, and it turned out they had. The cause of this invalid script appearing in my page was in fact Norton Antivirus itself, which scans any page you view to try and sniff out potentially harmful javascript. If it finds any Javascript tags the program inserts it’s own bit of code into the page. Code which is formatted with the old HTML 4 <script> tag, which was what the Validator was picking up as invalid code.
Exactly what the javascript Norton inserts is supposed to do i don’t know, but it is definitely irritating. In my case the javascript triggering Norton into action did nothing but link to an external .js file, which contained nothing I would label suspicious.

I thought about this for a while and suddenly wondered how often Norton’s little trick was killing pages I view. I visited the LAW forums where I was greeted with the usual PHP errors, as seen below: screenshot of errors I then disabled Norton and refreshed the page: to find that all the errors disappeared. I have no idea how Norton is managing to generate PHP errors, but the effect was 100% reproducible.

A Solution?

Norton was being overly protective, and in doing so it was degrading my Internet experience and causing validation errors. While I can understand why such a virus safeguard technique might be useful, the implementation is rather too aggressive: I wanted to turn Norton’s method of javascript protection off. It appeared that the Auto Protect function of the Anti Virus suite was the culprit.

Protects your computer from viruses transmitted through the Internet, checking all files you download from the Internet, including Java Applets and ActiveX controls.

Norton Help File

Unfortunately the only ways I have found to turn the feature off are to either make html/htm/php/asp pages an exception to the filter; which leaves you open for real virus attacks, or to disable the whole thing while you’re surfing; which is even worse.
I still haven’t found an acceptable solution, if you find one, please let me know!

Comments

skip to comment form
  1. Matt Wilcox posted 1 years, 25 days, 22hrs after the entry and said:

    I found a solution. Stop using Norton, start using AVG Anti Virus. smiley icon: smile

From the archives

Other enteries filed under:

Web Development

Site information

Built with valid XHTML and CSS, designed with web standards and accessibility in mind. Best viewed in a modern browser [Firefox, Safari, Opera]

This domain and all content is a copy of my old website, for historical purposes only.