Simon Willison’s Weblog

Items tagged javascript in Jun, 2008

Javascript protocol fuzz results. If your HTML sanitizer uses blacklisting rather than whitelisting, here are a few more weird ways of injecting javascript: into a link that you need to worry about—but you should really switch to whitelisting http:// and https:// instead. # 30th June 2008, 3:57 pm

Module Pattern Provides No Privacy... at least not in JavaScript(TM) (via) JavaScript variables hidden inside a closure aren’t as hidden as I thought—it turns out you can pass a closure as the second argument to eval (at least in Firefox) and “steal” private variables back out of it. # 27th June 2008, 7:01 pm

BUG: XSS Security flaw in BaseCamp Messages (via) BaseCamp lets users include HTML and JavaScript in messages, on the basis that anyone with a BaseCamp account is a trusted party. I’m not convinced: you could use this to circumvent BaseCamp’s access control stuff and read messages you’re not meant to. On the flip side, you could also use this to add brand new features to BaseCamp by using JavaScript in a message as a server-side equivalent to Greasemonkey. # 26th June 2008, 9:39 am

jsontime. Nat and I threw this together this morning—it runs on Google App Engine and exposes Python’s pytz timezone library over JSONP. # 21st June 2008, 7:07 pm

When Bugs Collide: Fixing Text Dimming in Firefox 2. Handy tips from Drew on fixing the glitchy text rendering in Firefox 2 when you animate opacity without breaking alpha-transparent PNGs in IE6. # 19th June 2008, 6:09 pm

Deep Profiling jQuery Apps. Neat plugin from John Resig that monkey-patches most (all?) of the jQuery methods to build up a detailed profile of which methods are being used by a given page. # 16th June 2008, 10:20 am

Spicing Up Embedded JavaScript. John Resig collects the various ways in which a JavaScript interpreter can be hosted by Python, PHP, Perl, Ruby and Java. There are full JS implementations in PHP, Perl and Java; Ruby and Python both have modules that use an embedded SpiderMonkey. # 15th June 2008, 11:32 am

Is It OK to Require JavaScript? Not if you can avoid doing so. Unobtrusive JavaScript really isn’t hard if you design it in from the start, and since stackoverflow is a community forum / questions and answers site I have trouble imagining a feature that can’t be made to work without JavaScript. # 10th June 2008, 6:41 am

OS OpenSpace from Ordnance Survey (via) Ordnance Survey now provide a free JavaScript mapping API for “non-commercial purposes” by “private individuals”. The maps look incredibly detailed, although I can’t find any live API demos on the site (the documentation is illustrated with screenshots). # 9th June 2008, 8:30 am

Updated jQuery Bookmarklet. Nicer than my own “Inject jQuery” bookmarklet because it drops in a temporary message confirming that jQuery has been imported (or telling you that jQuery was already present). # 8th June 2008, 8:46 pm

An interview with 280 North on Objective-J and Cappuccino. Fantastic comment thread with involvement from the guys who created Objective-J. Just like Objective-C, Objective-J is a preprocessor that runs against regular JavaScript source files so you can use JavaScript and Objective-J idioms interchangeably. # 7th June 2008, 7:40 pm

280slides and Objective-J. 280slides uses an Objective-C clone written in 13KB of JavaScript. I have to admit I’m completely baffled as to why you would want to use Objective-C instead of JavaScript, but evidently it worked fantastically well for them. # 7th June 2008, 4:09 pm

SquirrelFish. WebKit’s JavaScript engine was no slouch, but that hasn’t stopped them from replacing it with a brand new “register-based, direct-threaded, high-level bytecode engine, with a sliding register window calling convention”. It runs 1.6x faster and has the Best Logo Ever. # 3rd June 2008, 7:57 am