Learning About Internet Security

Hidden Text in Web Pages

What You See Is Not All You Get (WYSINAYG) when it comes to hidden text in web pages. If you watch a movie, you will only see what the director wants you to see. You do not see the notes on how the lighting should be placed, or in what sequence the scenes were filmed, or other similar information that is not directly related to the storyline.

Although the same thing could be said to be true about the formatting instructions for web pages, "hidden text" is not unlike the director's notes to himself. These "notes" are used to keep the project organized and to apply additional information to future events. Some of this information may pertain to the "storyline," while other information may be strictly for the director's use.

"Hidden text" is text that is embedded into a web page and not displayed when the web page is displayed in a web browser. Hidden text may contain copyrights, supplemental form information, programming notes, etc. Scripting within a web page is not considered to be "hidden text."

If you have ever encountered a web page that makes a statement of some kind and then asks you to accept the statement in order to proceed, you have also encountered hidden text. In this case, rather than having you retype the statement into a form field and then submit your acknowledgement, the web developer will place the statement into hidden text. When you approve the statement, this hidden copy of the statement is sent along with your acceptance, saving you the trouble of having to retype the statement.

Another common use happens when the web developer wishes to display a custom online confirmation of the information you have just submitted using their online form. By including the name of the form in hidden text when it is submitted, the confirmation page can then read the name and customize itself accordingly by offering additional information and/or displaying different hyperlinks.

From a security standpoint, this presents a problem. It is possible for an online form to go and collect cookie information (if the web site uses cookies) and then to pass this information along with your form information without your being aware of it. Typically, this sort of thing is done to customize the types of advertisements you will be displayed. If you visit mostly fishing web pages, and the cookie has stored this information, future web pages displayed to you on this web site will probably display mostly fishing related advertisements.

Ethics is the only thing that requires a web site to let you know when they will be sending cookie information along with your form submittal. There are no laws that make this a requirement and it may be done without the web browser being aware of it, or notifying you about it. Even if you are notified that the cookie information will be included, it is not common practice to show you precisely what cookie information is being sent.

If you are considering "borrowing" something from a web site, and you don't see any obvious copyright information, do not assume that it is okay. The copyright information may be "hidden" in the HTML coding. If you want to take better precautions, click on the web page content that you wish to borrow, then right-click and choose "View Source." This will show you the HTML coding for the web page. Search through this coding for the copyright information.

In conclusion, hidden text is usually harmless however the potential for misuse exists. As with most Internet activities, use your common sense and if it seems suspicious, either investigate it or avoid it. Most activities can be performed without using hidden text and thus, many web developers do not use hidden text.

Next Month's Topic: Updating Your Web Browser

By Steve Duell
ASIS SFBA Webmaster