Topic closed
It has come to my attention (quite directly) that the HTML of the rest of a Scratch project page can be edited by entering special characters into the tags section, which interfere with the HTML code for the page. For instance, I entered
"> </div>
into the tags box, and when I reloaded the page, everything after the "add tags" that is usually above the place where you type in new tags, including "link to this project" and "more projects by ___", was moved to the bottom of the page, left justified, apparently removed from the div that keeps all of that stuff on the right side of the screen. This was amusing. I hoped that people wouldn't hate me hugely because I hacked it. But this shows how weak and insecure the tags are. When you insert HTML into a comment, it doesn't show up. When you insert it into a tag, though, it does. Some ways to fix this problem may be discussed. I will show the HTML code segment for a tag:
//<![CDATA[
Event.observe('link1111111111', 'click', function(event) { new Ajax.Updater('tag-123','/projects/upgradeTag/222222/normal', {asynchronous:true, evalScripts:true, requestHeaders:['X-Update', 'tag-123']}) }, false);
//]]>
</script></span><span><a href="#" id="link333333333" onclick=" event.returnValue = false; return false;" title="flag this tag?">[flag]</a><script type="text/javascript">
//<![CDATA[
Event.observe('link333333333', 'click', function(event) { new Ajax.Updater('tag-123','/projects/markTag/222222/normal', {asynchronous:true, evalScripts:true, requestHeaders:['X-Update', 'tag-123']}) }, false);
//]]>
</script></span> </span>
</li>
<li id="tag-4444">
<span class="tag_size_1"><a href="/tags/view/tagname">tagname</a></span>
<span class='tag_actions'>
<span><a href="#" id="link1111111111" onclick=" event.returnValue = false; return false;" title="affirm this tag?">[+]</a><script type="text/javascript">
where "tagname" is the name of the tag, and "1111111111", "222222", "333333333", "123", and "4444" are all just numbers, made up randomly, which all may or may not show up in one place but are all the same number of digits as the original one I found it in.
So, people, I challenge you to find a way to make it so that I cannot enter something into a tag and mess up the formatting, just like with a comment! It might be tricky because one of the things that is different is that the HTML used makes it so that people are able to change the inside of the "< a >" tags, which is different from comments [and project notes, etc.]
Here, discuss ways to fix this problem, so that neither a relatively inexperienced hacker nor a person who just types something randomly inadvertently can change anything except for that one tag, if even that (some people tried changing sizes and colors before me).
I am not sure if I extracted the code right. I may have half-segments from two tags.
Offline
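An added example, not part of the original post and not Scratch's own code: one tag list item in the markup shape quoted above, rendered first by plain string concatenation and then with encoding matched to each output context. The function names are hypothetical, and only the `<li>`/`<span>`/`<a>` skeleton is taken from the post.

```javascript
// Escape the five characters that can end or open markup in HTML text
// and in quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Unsafe: the tag name is copied verbatim into an attribute and into text,
// so a quote or angle bracket in the name becomes part of the page markup.
function renderTagUnsafe(id, name) {
  return '<li id="tag-' + id + '">' +
    '<span class="tag_size_1"><a href="/tags/view/' + name + '">' + name +
    '</a></span></li>';
}

// Safe: percent-encode the name for the URL path segment, then HTML-escape
// the whole href for the attribute; HTML-escape alone for the link text.
function renderTagSafe(id, name) {
  if (!Number.isInteger(id) || id < 0) throw new TypeError('bad tag id');
  const href = '/tags/view/' + encodeURIComponent(name);
  return '<li id="tag-' + id + '">' +
    '<span class="tag_size_1"><a href="' + escapeHtml(href) + '">' +
    escapeHtml(name) + '</a></span></li>';
}

// Count closing </div> tags so the effect on page structure is measurable.
function countClosingDivs(html) {
  return (html.match(/<\/div>/g) || []).length;
}

const input = '"> </div>'; // the string entered in the post
console.log(renderTagUnsafe(4444, input)); // contains two stray </div> tags
console.log(renderTagSafe(4444, input));   // contains none; name shown as text
```
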
It appears to have been partially fixed.
Offline
That was fun
Offline
Thanks for bringing this bug to our attention! I'll write it up for the bug list.
Offline
Paddle2See wrote:
Thanks for bringing this bug to our attention! I'll write it up for the bug list.
I think they want it....
Offline
jeffy24 wrote:
DarthPickley wrote:
It appears to have been partially fixed.
Why?
Because Scratch runs on PHP (I think) and you could use the <?php ?> code to really hack the website.
Last edited by ScratchScripter (2009-03-20 08:47:06)
Offline
ScratchScripter wrote:
jeffy24 wrote:
DarthPickley wrote:
It appears to have been partially fixed.
Why?
Because Scratch runs on PHP (I think) and you could use the <?php ?> code to really hack the website.
No. What happens with the tags is client side - it runs on the user's computer. The PHP is on the server and just can't be changed without server username and password.
Offline
JSO wrote:
ScratchScripter wrote:
jeffy24 wrote:
Why?
Because Scratch runs on PHP (I think) and you could use the <?php ?> code to really hack the website.
No. What happens with the tags is client side - it runs on the user's computer. The PHP is on the server and just can't be changed without server username and password.
Umm, actually, that's how, not why, but whatever. Though it's funner to cause Scratch glitches than when they just happen by themselves...
Offline
DarthPickley wrote:
JSO wrote:
ScratchScripter wrote:
Because Scratch runs on PHP (I think) and you could use the <?php ?> code to really hack the website.
No. What happens with the tags is client side - it runs on the user's computer. The PHP is on the server and just can't be changed without server username and password.
Umm, actually, that's how, not why, but whatever. Though it's funner to cause Scratch glitches than when they just happen by themselves...
He was explaining that that was impossible.
But you can still add HTML, which is disabled in comments but apparently not tags.
Offline
coolstuff wrote:
You can still add HTML, which is disabled in comments but apparently not tags.
Do you know that you can even try to put your ad that way? I wonder why they haven't fixed that bug. It's a welcoming door for hackers!
Offline