Simon Willison’s Weblog

Google’s undocumented favicon to png convertor (via) Showing the favicon of a domain next to a link is a really nice trick, but it’s slightly tricky to achieve as IE won’t display a .ico file if you link to it from an img element, so you need to convert the images server-side. This undocumented Google API does that for you, meaning it’s much easier to add favicons as a feature to your site. # 30th August 2008, 8:40 pm

addSizes.js: Snazzy automatic link file-size generation. Posted to Nat’s snazzy new blog: a script that uses my json-head API to grab the file size of linked documents on a page and insert those sizes in to the document. # 30th August 2008, 10:39 am

cascadenik: cascading sheets of style for mapnik. Great idea. Mapnik (the open source tile rendering system used by OpenStreetMap and others) has a complex style configuration based on XML. Michal Migurski has build a CSS-style equivalent which compiles down to XML, hopefully making it much quicker and easier to get started with Mapnik customisation. # 30th August 2008, 10:04 am

WolfenFlickr 3D—An unlikely mashup. Brilliant: Wolfenstein 3D style raycasting in JavaScript with images on the walls that have been pulled in using Flickr’s JSONP API. # 29th August 2008, 10:24 am

Coding Horror: Protecting Your Cookies: HttpOnly. Jeff Atwood discovers the hard way that writing an HTML sanitizer is significantly harder than you would think. HttpOnly cookies aren’t the solution though: they’re potentially useful as part of a defense in depth strategy, but fundamentally if you have an XSS hole you’re going to get 0wned, HttpOnly cookies or not. Auto-escape everything on output and be extremely cautious with things like HTML sanitizers. # 29th August 2008, 2:01 am

Capital Radio’s London Guide. Worth pointing out: the search / map interface on this page is one of the best examples of progressive enhancement I’ve ever seen. Try disabling JavaScript and see what happens. It seems like most developers just can’t be bothered with this kind of attention to detail these days, which disappoints me. # 29th August 2008, 1:48 am

How to use Google Code’s code review tool. I missed this, but Google Code now has a pleasantly simple code review system built in to the source code browser. You can add comments to any changeset, including annotations attached to individual lines of code. # 28th August 2008, 4:25 pm

Capital Radio (the new site). Launched today, this is the Django-powered project I’ve been working on with the fantastic team at GCap. # 28th August 2008, 2:47 pm

FriendFeed Blog: Simple Update Protocol. FriendFeed infamously poll RSS feeds on the 43 services they support millions of times an hour in an effort to keep their content as real-time as possible. SUP is a new proposal by FriendFeed for a sort of “master feed” of changes to a site—instead of hitting the Flickr feed for each of their users they would just poll Flickr’s SUP feed every minute or so to find out who had uploaded a new photo, and only retrieve the RSS feed for those users. # 28th August 2008, 12:16 pm

Using Akismet with Django’s new comments framework. A nice example that demonstrates two features that were recently rolled in to the Django 1.0 betas: the new signals library and the new comments framework. # 28th August 2008, 10:12 am

URLsafe base64 encoding/decoding in two lines. A much better solution than my base65 hack—if you understand how base64 padding works (I didn’t) you can use it to generate URL-safe compressed hashes. Performance should be significantly better than my version. # 28th August 2008, 9:57 am

Django snippets: Sign a string using SHA1, then shrink it using url-safe base65. I needed a way to create tamper-proof URLs and cookies by signing them, but didn’t want the overhead of a full 40 character SHA1 hash. After some experimentation, it turns out you can knock a 40 char hash down to 27 characters by encoding it using a custom base65 encoding which only uses URL-safe characters. # 27th August 2008, 10:18 pm

Django 1.0 beta 2 released! 1.0 draws ever closer. Important new features include major documentation and comment system refactorings, plus the removal of a bunch of deprecated code (including oldforms). Feature and string freezes are now in place, so it’s just bugs and documentation improvements between now and the final release. # 27th August 2008, 2:41 pm

Django 1.0 release party. The big ass-party will be at the Tied House in Mountain View on Saturday the 6th from 7pm. RSVP on the linked announcement. # 27th August 2008, 12:07 pm

json-tinyurl. Because sometimes you want to be able to create a shorter version of a URL directly from JavaScript without hosting your own server-side proxy. # 27th August 2008, 10:58 am

Gears for Safari Beta. “Chances are it will break your browser. Please proceed with caution.” # 26th August 2008, 4:27 pm

Flickr Developer Blog: API Responses as Feeds (via) Flickr API calls that return a “standard photos response” (e.g. flickr.photos.search and flickr.favorites.getList) can now output eight different feed formats as well, including Atom, RSS flavours, geoatom, geordf and KML. Error codes are returned as X-FlickrErrCode HTTP headers. # 25th August 2008, 10:20 pm

Oxford Geek Night 8—27th August 2008. Once again in the Jericho Tavern, this time with a musical theme. # 25th August 2008, 9 pm

“You’re No One If You’re Not On Twitter”. The inevitable Twitter song by Ben Walker (@ihatemornings), the resident troubadour at the Oxford Geek Nights. Go along on Wednesday to see him live! # 25th August 2008, 8:59 pm

jeresig’s sizzle. Sizzle is a new selector engine (work in progress, no IE support yet) from John Resig, designed to be small, standalone, library agnostic and ridiculously fast. It should eventually replace jQuery’s current selector engine, but if it stays around 4KB it’s also going to be really useful for projects that don’t need the overhead of a full library. # 24th August 2008, 11:41 pm

Django documentation (for 1.0). The documentation refactor is in: the docs for the upcoming 1.0 release have been tidied up, rearranged and ported to a new documentation system based on Sphinx (the Python documentation toolkit, NOT the full-text search engine). The URL has also changed to docs.djangoproject.com. # 24th August 2008, 10:49 am

The Python Property Builtin. The always-educational Adam Gomaa explains the Python property built-in and shows how it can be used to improve Django’s model-based URL generation. # 23rd August 2008, 1:08 pm

Film + Food & drink | guardian.co.uk (via) The Guardian’s publishing system supports tag intersections based on the URL; this page shows all film stories that also mention food. There’s even an RSS feed. # 23rd August 2008, 11:18 am

Tip: Configure SAX parsers for secure processing. Explains the billion laughs attack, among others. # 23rd August 2008, 11:12 am

DoS vulnerability in REXML. Ruby’s REXML library is susceptible to the “billion laughs” denial of service attack where recursively nested entities expand a single entitity reference to a billion characters (kind of like the exploding zip file attack). Rails applications that process user-supplied XML should apply the monkey-patch ASAP; a proper gem update is forthcoming. # 23rd August 2008, 11:11 am

TraceMonkey. Brendan Eich has been preaching the performance benefits of tracing and JIT for JavaScript on the conference circuit for at least a year, and the results from the first effort to be merged in to Mozilla core are indeed pretty astounding. # 22nd August 2008, 11:13 pm