In the PHP world, relying solely on PHP’s strip_tags() function to protect your web application from JavaScript injection is a bad idea. If you do, you may be vulnerable even in the most recent browsers (I tested in Chrome 17.0.963.83, Firefox 9.0.1 and Internet Explorer 9). There may be parallels in other languages too, so beware.
You’ll be vulnerable if all of the following are true:
1. You’ve got a webapp that accepts user input.
2. You use strip_tags() or similar to sanitize fields.
3. You don’t explicitly remove less-than or greater-than characters from those fields (PHP’s strip_tags won’t remove a partial “<script” tag).
4. Values from two or more of these fields are printed close to each other in the output HTML, with little or no markup between them.
The fourth item is tricky … The markup between the field values must not contain any quotes (the quotes would prematurely close the script tag injection attempt).
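As an added example (not code from the original post), here is the failure mode in miniature: a tag stripper that only removes complete tags, two fields that each look harmless on their own, and a template that prints them side by side. The stripTags() below is a regex stand-in for “strip_tags() or similar”, not PHP’s actual implementation, and the inputs are constructed. In PHP the fix is to entity-encode at output time with htmlspecialchars(); the escapeHtml() here does the same job. The detector is a plain string check, not a browser parse; whether a given fragment actually executes depends on the surrounding markup, as the post says.

```javascript
// Stand-in for strip_tags(): removes only complete <...> tags, so a
// fragment such as "<script" survives untouched (assumption: this mirrors
// the behaviour the post describes, not PHP's exact state machine).
function stripTags(s) {
  return s.replace(/<[^>]*>/g, "");
}

// Output encoding: every character with HTML meaning becomes an entity.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Template that prints two fields close together with no quoted markup
// between them (condition 4 in the post): "<p>first last</p>".
function renderName(first, last, clean) {
  return "<p>" + clean(first) + " " + clean(last) + "</p>";
}

// Crude detector: does the output contain a complete <script ...> start tag?
function hasScriptTag(html) {
  return /<script[^>]*>/i.test(html);
}

// Constructed attacker input: neither field contains a complete tag, so a
// per-field tag stripper has nothing to remove.
const FIRST = "<script";
const LAST = ">alert(1)</script";

// Checked one field at a time, both look clean...
const fieldsLookClean = !hasScriptTag(FIRST) && !hasScriptTag(LAST); // true

// ...but once they sit side by side the page contains a script tag.
const stripped = renderName(FIRST, LAST, stripTags); // "<p><script >alert(1)</script</p>"

// Entity-encoding at output time leaves no '<' in the page at all.
const encoded = renderName(FIRST, LAST, escapeHtml); // "<p>&lt;script &gt;alert(1)&lt;/script</p>"
```

The lesson is that sanitisation is a property of a field, while injection is a property of the assembled page; only encoding applied at the point of output sees the page as the browser will.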
If you get confused by non-simple Git workflows, this howto on git forking, branching, etc should help.
Oh thank god! Branching I understood, but was clueless when it came to pushing up a specific branch.
Rebasing too … reminds me of how we badly need a separate dev environment at work. Ugh.
In all, a wonderful tutorial that helps you play along with others while programming.
Here’s a Wall Street Journal article on Why French parents are superior.
No, I’m far from having kids, but this was insightful nonetheless. Some noteworthy paragraphs:
One of the keys to this education is the simple act of learning how to wait. It is why the French babies I meet mostly sleep through the night from two or three months old. Their parents don’t pick them up the second they start crying, allowing the babies to learn how to fall back asleep.
Watched a 2005 Oregon PBS special about forest management last night. Saw some old guys with lots of land and trees managing it with intelligence. They don’t clear-cut. They have a clue about genetics, so they save the best trees and sell the others. Made me think: Damn, that looks like fun, rewarding work!
Especially the bits involving data collection. One guy kept detailed logs and found that his trees put on mass much faster later in life, but most loggers harvest before that point.
Completed Puzzle Agent recently. It was such a fun game and luckily the sequel went on sale a few days after I finished it. The puzzles were a balanced mix of 10-second teasers, those where your only hope is to jump in and work through possible solutions, and those where you really need to pay attention.
Aside from the puzzles, the other aspects of the game are no slouch either. The story draws you in and has quite a few surprises.
The Thin Man is a great movie. It’s filled with lovable characters, great pacing and a great plot. And of course I must mention the hilarious, witty protagonists. Luckily it’s only the first in a six-part film series. Looking forward to the rest!
Building upon Joel’s post on Unicode, here are some real-world tips relating to character encodings.
Use them by name
Always explicitly specify which encoding you want (probably UTF-8). Don’t assume the language or library/tool you’re using will make the right decision for you. If you value your time, don’t ignore this recommendation; otherwise you’ll likely spend a lot more time patching things up in the future.
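Here is an added example (not from the original post) of what “use them by name” looks like in code: a pair of wrappers that refuse to encode or decode unless the caller names the encoding, and a demonstration of why. The sample bytes are constructed, and the Buffer API is Node’s; the wrapper names are my own.

```javascript
// Decode bytes to a string only when the caller names the encoding.
// A missing or unknown name is an error rather than a silent fallback to
// whatever the platform default happens to be.
function decodeNamed(bytes, encoding) {
  if (typeof encoding !== "string" || !Buffer.isEncoding(encoding)) {
    throw new TypeError(`encoding must be named explicitly, got: ${encoding}`);
  }
  return Buffer.from(bytes).toString(encoding);
}

// Encode a string to bytes, again with a mandatory encoding name.
function encodeNamed(text, encoding) {
  if (typeof encoding !== "string" || !Buffer.isEncoding(encoding)) {
    throw new TypeError(`encoding must be named explicitly, got: ${encoding}`);
  }
  return Buffer.from(text, encoding);
}

// Constructed sample: "café" as UTF-8 bytes (the é is two bytes, C3 A9).
const UTF8_BYTES = Uint8Array.from([0x63, 0x61, 0x66, 0xc3, 0xa9]);

// The same bytes read under two different assumptions. Only the right name
// recovers the text; the wrong one produces mojibake with no error at all,
// which is exactly why an implicit default costs you later.
const asUtf8 = decodeNamed(UTF8_BYTES, "utf8");     // "café"
const asLatin1 = decodeNamed(UTF8_BYTES, "latin1"); // "cafÃ©"

// A round-trip check worth keeping in a test suite: encode and decode with
// the same named encoding and compare. Characters outside the encoding's
// repertoire (e.g. "€" in Latin-1) are lost silently, and this catches it.
function roundTrips(text, encoding) {
  return decodeNamed(encodeNamed(text, encoding), encoding) === text;
}
```

The wrappers cost nothing at runtime, but they turn “which encoding did this layer assume?” from an archaeology project into a stack trace.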
A tale to drive this home
Got to use node.js for a work project recently. We needed an FTP server with special user authentication that would run custom code after a file was uploaded. There was one node.js FTP server implementation on github, so I forked it and started rounding out the basic functionality. My fork is here.
The first significant change I made was to encapsulate the data connection logic. File lists and file contents are transferred over the data connection, while FTP commands and responses go over the control connection.
Caught an episode of Nature last night. Great as always. Spotted skunks …. my, what a coat! You can watch the full episode, just click the title of this post.
If you play the game Lume you may get stuck at the cabinet lock. If so, don’t go to any other sites or you’ll accidentally see the answers like I did! Here’s a hint, instead.
You found the “9#” clue, right? Go back to where you can see that clue on the screen. Everything you need for the lock is right there. That’s all I’ll say.