Blogmarks
Filters: Sorted by date
Coding Horror: Protecting Your Cookies: HttpOnly. Jeff Atwood discovers the hard way that writing an HTML sanitizer is significantly harder than you would think. HttpOnly cookies aren’t the solution though: they’re potentially useful as part of a defense in depth strategy, but fundamentally if you have an XSS hole you’re going to get 0wned, HttpOnly cookies or not. Auto-escape everything on output and be extremely cautious with things like HTML sanitizers.
Capital Radio’s London Guide. Worth pointing out: the search / map interface on this page is one of the best examples of progressive enhancement I’ve ever seen. Try disabling JavaScript and see what happens. It seems like most developers just can’t be bothered with this kind of attention to detail these days, which disappoints me.
How to use Google Code’s code review tool. I missed this, but Google Code now has a pleasantly simple code review system built in to the source code browser. You can add comments to any changeset, including annotations attached to individual lines of code.
Capital Radio (the new site). Launched today, this is the Django-powered project I’ve been working on with the fantastic team at GCap.
FriendFeed Blog: Simple Update Protocol. FriendFeed infamously poll RSS feeds on the 43 services they support millions of times an hour in an effort to keep their content as real-time as possible. SUP is a new proposal by FriendFeed for a sort of “master feed” of changes to a site—instead of hitting the Flickr feed for each of their users they would just poll Flickr’s SUP feed every minute or so to find out who had uploaded a new photo, and only retrieve the RSS feed for those users.
Using Akismet with Django’s new comments framework. A nice example that demonstrates two features that were recently rolled in to the Django 1.0 betas: the new signals library and the new comments framework.
URLsafe base64 encoding/decoding in two lines. A much better solution than my base65 hack—if you understand how base64 padding works (I didn’t) you can use it to generate URL-safe compressed hashes. Performance should be significantly better than my version.
Django snippets: Sign a string using SHA1, then shrink it using url-safe base65. I needed a way to create tamper-proof URLs and cookies by signing them, but didn’t want the overhead of a full 40 character SHA1 hash. After some experimentation, it turns out you can knock a 40 char hash down to 27 characters by encoding it using a custom base65 encoding which only uses URL-safe characters.
Django 1.0 beta 2 released! 1.0 draws ever closer. Important new features include major documentation and comment system refactorings, plus the removal of a bunch of deprecated code (including oldforms). Feature and string freezes are now in place, so it’s just bugs and documentation improvements between now and the final release.
Django 1.0 release party. The big ass-party will be at the Tied House in Mountain View on Saturday the 6th from 7pm. RSVP on the linked announcement.
json-tinyurl. Because sometimes you want to be able to create a shorter version of a URL directly from JavaScript without hosting your own server-side proxy.
Gears for Safari Beta. “Chances are it will break your browser. Please proceed with caution.”
Flickr Developer Blog: API Responses as Feeds (via) Flickr API calls that return a “standard photos response” (e.g. flickr.photos.search and flickr.favorites.getList) can now output eight different feed formats as well, including Atom, RSS flavours, geoatom, geordf and KML. Error codes are returned as X-FlickrErrCode HTTP headers.
Oxford Geek Night 8—27th August 2008. Once again in the Jericho Tavern, this time with a musical theme.
“You’re No One If You’re Not On Twitter”. The inevitable Twitter song by Ben Walker (@ihatemornings), the resident troubadour at the Oxford Geek Nights. Go along on Wednesday to see him live!
jeresig’s sizzle. Sizzle is a new selector engine (work in progress, no IE support yet) from John Resig, designed to be small, standalone, library agnostic and ridiculously fast. It should eventually replace jQuery’s current selector engine, but if it stays around 4KB it’s also going to be really useful for projects that don’t need the overhead of a full library.
Django documentation (for 1.0). The documentation refactor is in: the docs for the upcoming 1.0 release have been tidied up, rearranged and ported to a new documentation system based on Sphinx (the Python documentation toolkit, NOT the full-text search engine). The URL has also changed to docs.djangoproject.com.
The Python Property Builtin. The always-educational Adam Gomaa explains the Python property built-in and shows how it can be used to improve Django’s model-based URL generation.
Film + Food & drink | guardian.co.uk (via) The Guardian’s publishing system supports tag intersections based on the URL; this page shows all film stories that also mention food. There’s even an RSS feed.
Tip: Configure SAX parsers for secure processing. Explains the billion laughs attack, among others.
DoS vulnerability in REXML. Ruby’s REXML library is susceptible to the “billion laughs” denial of service attack where recursively nested entities expand a single entitity reference to a billion characters (kind of like the exploding zip file attack). Rails applications that process user-supplied XML should apply the monkey-patch ASAP; a proper gem update is forthcoming.
TraceMonkey. Brendan Eich has been preaching the performance benefits of tracing and JIT for JavaScript on the conference circuit for at least a year, and the results from the first effort to be merged in to Mozilla core are indeed pretty astounding.
Visualization Strategies: Text & Documents. “List of ...” style posts usually make me want to stab someone with a fork; this is how that kind of post should be done—well researched, carefully written and, most importantly doesn’t call itself a “Top X Ys that will Z your ZZ”!
Get Lat Lon now has a “Get my location (by IP)” button. It took all of five minutes to add using the new google.loader.ClientLocation API. The button is only visible if your location can be resolved.
Gears API Blog: Gears 0.4 is here! New features are Geolocation, a Blob API for dealing with arbitrary binary data, onprogress() events for tracking HTTP downloads and uploads (meaning progress indicators) and the built-in Gears dialogs localized to 40 languages.
Google Code Blog: Two new ways to location-enable your web apps. The Gears Geolocation API isn’t very exciting just yet as it only really works on windows mobile devices, but the new google.loader.ClientLocation Ajax API is great—it gives you the user’s location based on looking up their IP address, saving you from needing to install a IP-to-geo lookup database.
django-timezones. Models, form fields and a template filter for dealing with timezones in Django.
Persistent Django on Amazon EC2 and EBS—the easy way. Useful tutorial on getting Django up and running on EC2 with EBS for a persistent PostgreSQL database.
Package Management Sudoku. "A package management system that can solve Sudoku based on package dependency rules is not something that I think would be useful or worth having" - like a red flag to a bull. (Internet Archive)
Amazon Elastic Block Store (EBS). EC2 just got a whole lot more useful—you can now create “block level storage volumes” (think virtual hard drives) and mount them to an EC2 instance for real persistent storage—but because they’re virtual you can clone them, snapshot them and benefit from automatic replication.