Simon Willison’s Weblog


November 2009

Nov. 19, 2009

Programmers don't use launch-fast-and-iterate out of laziness. They use it because it yields the best results. By obstructing that process, Apple is making them do bad work, and programmers hate that as much as Apple would.

Paul Graham

# 10:13 pm / paul-graham, apple, iphone

Nov. 22, 2009

Major IE8 flaw makes ‘safe’ sites unsafe. IE8 has an XSS protection feature which rewrites potentially harmful code in HTML pages—I think it looks for suspicious input in query strings which appears to have been output directly on the page. Unfortunately it turns out there’s a flaw in the feature that can allow attackers to rewrite safe pages to introduce XSS flaws. Google are serving all of their pages with the X-XSS-Protection: 0 header. Until the fix is released, that’s probably a good idea.

# 3:34 pm / xss, ie8, security, xssfilter, microsoft, vulnerability

IE 6 and 7 hit by hack attack code. IE6 and 7 have what looks like a buffer overflow vulnerability caused by a strange intersection of CSS, innerHTML and large JavaScript arrays. No exploits in the wild yet but it’s only a matter of time.

# 3:38 pm / ie6, ie7, microsoft, security

Nov. 23, 2009

jQSlickWrap. Clever jQuery plugin which allows text to wrap around irregularly shaped images, by processing the image with canvas and rewriting it as a sequence of floated horizontal bars of different widths. It’s a modern variant of the ragged float trick first introduced by Eric Meyer.

# 7:44 am / float, css, jquery, canvas, eric-meyer

Node.js is genuinely exciting


I gave a talk on Friday at Full Frontal, a new one day JavaScript conference in my home town of Brighton. I ended up throwing away my intended topic (JSONP, APIs and cross-domain security) three days before the event in favour of a technology which first crossed my radar less than two weeks ago.

[... 2,025 words]

django-batch-select (via) A smart attempt at solving select_related for many-to-many relationships in Django. Add a custom manager to your model and call e.g. Entry.objects.all()[:10].batch_select(“tags”) to execute two queries—one pulling back the first ten entries and another using an “IN” query against the tags table to pull back all of the tags for those entries in one go.

# 4:19 pm / batchselect, django, python, orm, manytomany, sql, selectrelated, john-montgomery
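The two-query strategy described above, shown as an added example that is not part of the original post and not django-batch-select’s own code. It uses an in-memory sqlite3 database with constructed entry and tag rows, and counts statements with sqlite3’s trace callback so the N+1 pattern (one query per entry) can be compared with the batch pattern (one query for the entries, one parameterised IN query for all their tags). The table names and sample rows are assumptions made for the example.

```python
import sqlite3
from collections import defaultdict

# Constructed sample data (not taken from the original post).
ENTRIES = [(1, "Node.js is genuinely exciting"), (2, "jQSlickWrap"), (3, "Haystack 1.0")]
TAGS = [(1, "javascript"), (2, "node"), (3, "jquery"), (4, "django")]
ENTRY_TAGS = [(1, 1), (1, 2), (2, 1), (2, 3), (3, 4)]  # (entry_id, tag_id)


def make_db():
    """Build an in-memory database with an assumed entry/tag/entry_tags schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE entry (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE tag (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE entry_tags (entry_id INTEGER, tag_id INTEGER);
    """)
    conn.executemany("INSERT INTO entry VALUES (?, ?)", ENTRIES)
    conn.executemany("INSERT INTO tag VALUES (?, ?)", TAGS)
    conn.executemany("INSERT INTO entry_tags VALUES (?, ?)", ENTRY_TAGS)
    return conn


class QueryCounter:
    """Counts every SQL statement the connection runs, via sqlite3's trace callback."""

    def __init__(self, conn):
        self.count = 0
        conn.set_trace_callback(self._trace)

    def _trace(self, statement):
        self.count += 1


def entries_with_tags_naive(conn, limit):
    """N+1 pattern: one query for the entries, then one query per entry for its tags."""
    rows = conn.execute("SELECT id, title FROM entry ORDER BY id LIMIT ?", (limit,)).fetchall()
    result = []
    for entry_id, title in rows:
        tags = [name for (name,) in conn.execute(
            "SELECT tag.name FROM tag JOIN entry_tags ON tag.id = entry_tags.tag_id "
            "WHERE entry_tags.entry_id = ? ORDER BY tag.id", (entry_id,))]
        result.append({"id": entry_id, "title": title, "tags": tags})
    return result


def entries_with_tags_batch(conn, limit):
    """Batch pattern: one query for the entries, one IN query for all their tags."""
    rows = conn.execute("SELECT id, title FROM entry ORDER BY id LIMIT ?", (limit,)).fetchall()
    ids = [entry_id for entry_id, _ in rows]
    tags_by_entry = defaultdict(list)
    if ids:  # no second query at all when the first page is empty
        # Build the IN (...) list from bound parameters, never by pasting ids into the SQL.
        placeholders = ",".join("?" * len(ids))
        sql = ("SELECT entry_tags.entry_id, tag.name FROM tag "
               "JOIN entry_tags ON tag.id = entry_tags.tag_id "
               f"WHERE entry_tags.entry_id IN ({placeholders}) ORDER BY tag.id")
        for entry_id, name in conn.execute(sql, ids):
            tags_by_entry[entry_id].append(name)
    return [{"id": e, "title": t, "tags": tags_by_entry[e]} for e, t in rows]


def count_queries(func, limit):
    """Run func on a fresh database and return (result, number of SQL statements run)."""
    conn = make_db()
    counter = QueryCounter(conn)  # installed after setup, so only func's queries count
    result = func(conn, limit)
    return result, counter.count


if __name__ == "__main__":
    for func in (entries_with_tags_naive, entries_with_tags_batch):
        result, n = count_queries(func, 3)
        print(f"{func.__name__}: {n} queries -> {result}")
```

The IN list is built from `?` placeholders sized to the id list, so the query stays parameterised however many entries the first query returns; the number of statements is 1 + N for the naive version and exactly 2 for the batch version (or 1 when the first page is empty).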

Negative Cashback from Bing Cashback (via) Some online stores show you a higher price if you click through from Bing—and set a cookie that continues to show you the higher price for the next three months. It’s unclear if this is Bing’s fault—comments on Hacker News report that Google Shopping sometimes suffers from the same problem (POST UPDATED: I originally blamed Bing for this).

# 9:24 pm / cookies, bing, microsoft, google, affiliates

Hacker News thread on Negative Cashback. Is it common practice for online stores with affiliate referral schemes to artificially inflate their prices if they’re going to have to pay out a referral bonus?

# 9:44 pm / hacker-news, affiliates, referrals, cashback

Nov. 24, 2009

Woof—simply exchange files (via) Ultra simple file sharing for local networks: run “woof filename” to start a local web server which will serve up that file, just once, and then terminate. Can also serve up an entire directory as a compressed archive. Written in Python, as a single script which you can drop in to your ~/bin. “woof -s” serves the script itself, so you can easily pass it to someone who has a file you want.

# 8:44 am / woof, python, filesharing, commandline

Request Routing With URI Templates in Node.JS. I quite like this approach (though the implementation is a bit “this” heavy for my taste). JavaScript has no equivalent to Python’s raw strings, so regular expression based routing à la Django ends up being a bit uglier in JavaScript. URI template syntax is more appealing.

# 9:06 am / uritemplates, javascript, node, python, django, regex

Nov. 26, 2009

LABjs: new hotness for script loading. Created in collaboration with Steve Souders, LABjs is a JavaScript loading library which makes it easy to have scripts download in parallel while still ensuring that they execute sequentially where required to ensure dependencies are met. It’s unclear how you would decide to use this over concatenating all scripts together into a single file.

# 12:28 pm / labjs, javascript, loading, steve-souders, script, performance

flXHR. I was looking for something like this recently, glad to see it exists. flXHR is a drop-in replacement for regular XMLHttpRequest which uses an invisible Flash shim to allow cross-domain calls to be made, taking advantage of the Flash crossdomain.xml security model.

# 12:52 pm / flash, swf, flxhr, xhr, ajax, javascript, crossdomain

CouchDB View Cookbook for SQL Jockeys. This demystified CouchDB views for me. From “CouchDB: The Definitive Guide”, the free online manual.

# 1:20 pm / couchdb, views, cookbook, sqll

Nov. 27, 2009

Perl: Love it, or hate it, but don’t ignore it. Phillip Smith calls me out for omitting Perl from my list of Node.js event loop alternatives (I only mentioned Twisted and EventMachine). No conspiracy here, I’m just not connected enough to the Perl community to know what the popular event loop libraries are. To Perl’s credit, Perlbal was the first piece of software I saw that showed me how a single threaded, event loop based system could massively outperform a threaded alternative.

# 7:51 am / perl, perlbal, node, eventloop, eventio, async, twisted, eventmachine

Nov. 28, 2009

Djangopeople JSON parser. Awesome—Andy McKay has compensated for the lack of an official DjangoPeople API by creating a JSONP screen scraped API and hosting it on App Engine. As far as I’m concerned this is an officially supported feature—I’ll make sure future site changes don’t break it, and when I do add an API I’ll try to keep it compatible and help Andy set up redirects.

# 11:29 am / django-people, andy-mckay, api, appengine, json, jsonp, django, python

Nov. 29, 2009

CCD. Joe Gregorio on the increasingly ubiquitous and disruptive nature of CCDs. If everything has a camera attached to it, what problems can we solve (and what new problems do we introduce)?

# 9:08 am / joe-gregorio, ccd, sensors, disruptive

Nov. 30, 2009

Haystack 1.0 Final Released. I’ve used Haystack on a number of projects recently, and it has proved itself as a completely painless way of adding full-text search (using Solr or Whoosh—I haven’t tried the Xapian backend yet) to a Django ORM powered project in just a few minutes. Congratulations, Daniel + contributors.

# 8:07 am / django, haystack, daniel-lindsley, search, solr, whoosh, python

Today, Facebook counts 29% of its employees (and growing!) as Hive users. More than half (51%) of those users are outside of Engineering. They come from distinct groups like User Operations, Sales, Human Resources, and Finance. Many of them had never used a database before working here. Thanks to Hive, they are now all data ninjas who are able to move fast and make great decisions with data.

Facebook Data Team

# 11:30 am / facebook, hive, hadoop
