Tuesday, November 28, 2006

Posting sensitive data in JSON

If you are using JSON in AJAX, make sure not to put sensitive data in the JSON feed. Because script tags are not subject to the same-origin policy, any third-party site can include your feed as a script and read the data it carries.

Google's GData-JSON feeds (which I blogged about earlier) had just such an issue. Google allowed you to request a URL such as http://www.google.com/calendar/feeds/default/private/basic?alt=json-in-script. If you use Google Calendar, take a look at that feed with the alt= part taken off. It likely has your email address, your full name, and possibly some sensitive events in it. Any site you visited could have requested that URL and scraped the data. Note that with more advanced techniques, it's possible to get data that doesn't use the callback, i.e., array literals. See Jeremiah Grossman's blog.

Luckily, this was fixed relatively quickly after I reported it.
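The defensive side of this, as an added example that is not code from the original post or from Google: a minimal feed handler in which a private feed is never wrapped in a callback and is only returned to a request that a cross-origin script tag could not have made. The request shape ({ query, headers }), the header check and the feed contents are assumptions.

```javascript
// Added example: safe vs. unsafe ways to serve a calendar feed.
// Request shape and feed contents are assumed for illustration.
const PRIVATE_FEED = {              // constructed sample data
  author: "owner@example.com",
  entries: [{ title: "Dentist", when: "2006-11-29T10:30" }],
};
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;   // a bare identifier only

// The risky pattern the post describes: alt=json-in-script turns the feed
// into a script that any origin can load with a <script> tag.
function serveFeedUnsafe(req, feed) {
  if (req.query.alt === "json-in-script") {
    return `${req.query.callback}(${JSON.stringify(feed)});`;
  }
  return JSON.stringify(feed);
}

// Hardened handler. Private feeds are never wrapped in a callback and are
// only returned to requests carrying a header that a <script src> load
// cannot set (a same-origin XMLHttpRequest can). Public feeds may still
// be served as JSONP, with the callback name validated.
function serveFeedSafe(req, feed, isPrivate) {
  const wantsScript = req.query.alt === "json-in-script";
  if (isPrivate) {
    if (wantsScript) {
      return { status: 403, body: "JSONP is not available for private feeds" };
    }
    if (req.headers["x-requested-with"] !== "XMLHttpRequest") {
      return { status: 403, body: "missing same-origin request header" };
    }
    // The ")]}'" prefix makes the body a syntax error if it is ever
    // evaluated as a script; the page's own client strips it before parsing.
    return { status: 200, body: ")]}'\n" + JSON.stringify(feed) };
  }
  if (wantsScript) {
    if (!CALLBACK_RE.test(req.query.callback || "")) {
      return { status: 400, body: "invalid callback name" };
    }
    return { status: 200, body: `${req.query.callback}(${JSON.stringify(feed)});` };
  }
  return { status: 200, body: JSON.stringify(feed) };
}
```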

Saturday, November 25, 2006

DomBuilder + Functional Programming == Awesome

The DOM sucks. It's so so slow to type document.createElement and document.createTextNode. One nice solution for this is DomBuilder which allows you to say:

 DIV({ id : "el_" + times, 'onclick' : 'alert("sdsdsd")'}, 
  STRONG({ 'class' : 'test' },"Lovely"), " nodes! #" + times
 )

When using the DomBuilder in a project of mine, I found that it couldn't handle data very well. I had a list of items, and I wanted to make a table. There's no easy way to do that with DOMBuilder.

However, a bit of functional programming can save the day. Using Prototype, adding the following line of code to tagFunc gets a lot of mileage:

arguments = $A(arguments).flatten ().compact ();

What is this doing? First, we turn arguments into an array so that we can handle it cleanly. Then we flatten any arrays (turn [a,[b,c]] into [a, b, c]) and then compact any null entries ([a,null,b,c] into [a,b,c]). What's the win? Now this library can handle data very elegantly:

var stocks = [{ name : "NOVL", price : 6.28 }, { name : "GOOG", price : 505.00 }];
document.body.appendChild($table (
   $tr ($th ("Name"), $th ("Price")),
   stocks.map (function (stock) {
       return $tr ($td (stock.name), $td (stock.price.toString ()));
   })
));

Note the use of map to handle each of the stocks. Without the flatten, this would not have worked. It's pretty easy to build up HTML from data like this very elegantly.
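The same flatten/compact idea, as an added example that is neither DomBuilder's code nor the post's: a DOM-free tag builder over plain objects, so the pattern can be tried outside a browser, with a renderer that escapes data so a stock name cannot inject markup. The node shape and the TABLE/TR/TH/TD names are assumptions.

```javascript
// Added example: a minimal tag builder applying the post's flatten/compact
// step, rendered to an HTML string with escaping. Not DomBuilder's own code.
function flattenCompact(args) {
  const out = [];
  for (const a of args) {
    if (Array.isArray(a)) out.push(...flattenCompact(a));   // [a,[b,c]] -> [a,b,c]
    else if (a !== null && a !== undefined) out.push(a);     // drop null/undefined
  }
  return out;
}

function tag(name) {
  return function (...args) {
    args = flattenCompact(args);
    // A leading plain object (not a node) is the attribute map.
    const attrs = args.length && typeof args[0] === "object" && !args[0].tag
      ? args.shift() : {};
    return { tag: name, attrs, children: args };
  };
}
const TABLE = tag("table"), TR = tag("tr"), TH = tag("th"), TD = tag("td");

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Text children and attribute values are escaped; only tag names are trusted.
function render(node) {
  if (typeof node !== "object") return escapeHtml(node);
  const attrs = Object.entries(node.attrs)
    .map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join("");
  return `<${node.tag}${attrs}>${node.children.map(render).join("")}</${node.tag}>`;
}

// The post's stock table, built from data via map (constructed sample data).
const stocks = [{ name: "NOVL", price: 6.28 }, { name: "GOOG", price: 505.0 }];
function stockTable(rows) {
  return TABLE({ class: "stocks" },
    TR(TH("Name"), TH("Price")),
    rows.map(s => TR(TD(s.name), TD(s.price.toString())))
  );
}
```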

Wednesday, November 22, 2006

Using GCal JSON to make a free/busy schedule

Lately, I seem to be getting lots of emails of the form "When are you free this week, I'd like to meet with you sometime". Each time I get this email, I have to go to my calendar, copy my appointments for the next week, and send it in a reply.

In an ideal world, I could just paste a link to my calendar in iCal format. Sadly, not enough people use a calendaring client for this to be reliable (and worse still, many of the people I interact with use the horror that is Oracle Calendar, which doesn't really handle external iCal).

This week, Google added JSON output to their Google Calendar feeds. This allows me to make a pure-JavaScript solution to this problem. I created a bit of JavaScript code (here) which loads my calendar in JSON format and tells the other person when I'm busy.

It's nice to be able to only show a free/busy projection of my calendar (I don't want the world to know who I'm meeting with, where I am, etc. at every moment. I also use the calendar as a place to dump event-related data, for example, airline confirmation numbers). I also like that I only have to host a small static HTML page to do this. No figuring out where to put a PHP script, no SQL, just a bit of JavaScript.


  • Handle multi-day events
  • Better date formatting (use day of week, month names, etc)
  • Combine events (If I'm busy from 10:30-11:30 and 11:30-12:30, I can just be busy between 10:30 and 12:30)
  • Not depend on prototype (or only take what I need)
  • Make it pretty
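The projection and the "combine events" item above, as an added example that is not the post's script: a constructed list of GCal-style entries is reduced to busy intervals, with overlapping or back-to-back events merged and every field except start/end dropped, so nothing in the output reveals titles, locations or confirmation numbers. Field names are assumed; times are given in UTC to keep the example timezone-independent.

```javascript
// Added example: free/busy projection over constructed calendar entries.
const EVENTS = [  // constructed sample data; real entries carry many more fields
  { title: "1:1 with Alice", where: "Room 4", start: "2006-11-27T10:30:00Z", end: "2006-11-27T11:30:00Z" },
  { title: "Flight conf ABC123", start: "2006-11-27T11:30:00Z", end: "2006-11-27T12:30:00Z" },
  { title: "Dentist", start: "2006-11-27T09:00:00Z", end: "2006-11-27T09:45:00Z" },
  { title: "Standup", start: "2006-11-27T11:00:00Z", end: "2006-11-27T11:15:00Z" },
];
const iso = ms => new Date(ms).toISOString();

// Busy intervals only: sorted, merged, and stripped of everything else.
function busyProjection(events) {
  const sorted = events
    .map(e => ({ start: Date.parse(e.start), end: Date.parse(e.end) }))
    .filter(i => i.end > i.start)          // drop zero-length or malformed entries
    .sort((a, b) => a.start - b.start);
  const merged = [];
  for (const i of sorted) {
    const last = merged[merged.length - 1];
    // Adjacent (10:30-11:30 then 11:30-12:30) or overlapping: extend the last one.
    if (last && i.start <= last.end) last.end = Math.max(last.end, i.end);
    else merged.push({ start: i.start, end: i.end });
  }
  return merged.map(i => ({ start: iso(i.start), end: iso(i.end) }));
}

// Free gaps inside a window, computed from the busy projection alone.
function freeSlots(busy, windowStart, windowEnd) {
  const stop = Date.parse(windowEnd);
  let cursor = Date.parse(windowStart);
  const free = [];
  for (const b of busy) {
    const s = Date.parse(b.start), e = Date.parse(b.end);
    if (s > cursor) free.push({ start: iso(cursor), end: iso(Math.min(s, stop)) });
    cursor = Math.max(cursor, e);
    if (cursor >= stop) break;
  }
  if (cursor < stop) free.push({ start: iso(cursor), end: iso(stop) });
  return free;
}
```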

Monday, November 13, 2006

Now that javac is open source...

Maybe somebody (me?) can finally make a patch for this issue:

[bmaurer@omega ~]$ cat x.java
public class x {
        public static void main (String[] args) {
                System.out.println ("hello world");
        }
}
[bmaurer@omega ~]$ time javac x.java

real    0m0.766s
user    0m0.604s
sys     0m0.040s

For the record, mcs has a time of:

[bmaurer@omega ~]$ time mcs x.cs

real    0m0.483s
user    0m0.440s
sys     0m0.024s

But Java is using a form of Ahead of Time compilation (they call it class file sharing or something) while my MCS is not.

Wednesday, November 01, 2006

Don't echo back plain text passwords

Today I found two nice little security issues on an e-commerce site I use. First, the site has a page that allows you to change passwords. The code on the page is of the form <input type="password" name="password" value="MY PASSWORD IN PLAIN TEXT">. Secondly, the site had some Cross Site Scripting issues. At the end of the day, it was drop-dead easy to phish for people's passwords. Yikes.

Never, ever, ever echo sensitive data back to the user. It makes an XSS attack really damaging (and is also bad if somebody leaves their computer unlocked).
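The two renderings side by side, as an added example that is not code from the site in the post: the change-password form the way it was found, and a version that never writes the password into the HTML and attribute-escapes the one value it does echo. Field names and the escape helper are assumptions.

```javascript
// Added example: the echoed-password form vs. a hardened one. Not the site's code.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// What the post found: the current password is pre-filled in the page, so
// any script running in that page (via the XSS) can read it out of the DOM.
function renderFormUnsafe(currentPassword) {
  return '<form method="post" action="/change-password">' +
    `<input type="password" name="password" value="${currentPassword}">` +
    '<input type="submit" value="Change"></form>';
}

// Hardened: the server never writes the password into HTML. The user
// re-types the current password, and the only echoed value (the username)
// is attribute-escaped so it cannot break out of its tag.
function renderFormSafe(username) {
  return '<form method="post" action="/change-password">' +
    `<input type="text" name="username" value="${escapeAttr(username)}" readonly>` +
    '<input type="password" name="current_password" autocomplete="off">' +
    '<input type="password" name="new_password" autocomplete="off">' +
    '<input type="submit" value="Change"></form>';
}

// Review check: does any password input in the page carry a value attribute?
function echoesPassword(html) {
  return /<input[^>]*type="password"[^>]*value=/.test(html);
}
```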