
January 10th, 2008

HOW IE MANGLES THE DESIGN OF JAVASCRIPT LIBRARIES

People like to moan about IE, and often don’t have anything to back it up. “IE sucks” doesn’t count.

Alex Russell, on the other hand, has written about how IE mangles the design of JavaScript libraries such as Dojo. His list shows us the method behind the madness, informs us on the issues, and will hopefully wake up the powers that be to make sure that these items are fixed in IE 8 :)

Arrays Can’t Be Usefully Subclassed (test case)

Arrays without a working length property are nearly useless, and JScript mangles the design of toolkits as a result.

I think it’s safe to say that both Dojo and jQuery would subclass Array directly to save code, were it a reasonable thing to do.

Where Art Thou Getters/Setters?

Instead of providing the natural property-oriented behavior, it forces class authors to write getSomeProperty/setSomeProperty method pairs on their classes should they want to do anything when values are gotten or set. The resulting code feels a lot more like Java than JavaScript, which is usually a sign that something is horribly wrong in a browser.

I have some hope that we could see getters and setters for JScript in the near future. It won’t matter much, though, unless the JScript team ships their new engine to all IE versions when they release IE 8. Not bloody likely.

Performance

Kudos are in order to the JScript team for fixing their long-b0rken GC heuristic and pushing it out to everyone…but it’s the tip of the iceberg.

Performance is one of those areas where differences in implementations can tightly circumscribe what’s possible despite exacting spec conformance. On this front, JScript’s raw VM-level execution time leaves a lot to be desired, but the true travesties really show up when you hit the DOM for computed style information or try to do anything reasonably complicated that involves string operations.

Across the board, from DOM performance to raw JScript execution speed, IE is a dog, and the odds are good that whatever toolkit you’re using spends a lot of time working around that reality.

Doctype Switching

Instead of giving devs fine-grained layout system control, IE makes it all-or-nothing. The global flag approach backs toolkit developers into doing script-based layout calculations or “just throw it in another div” solutions where we’d really rather not. Both are slow and both may be required since it’s completely impractical to dictate to users which doctype they’ll be using. While any app may be able to be disciplined enough to not care, toolkit developers must work everywhere. Hilarity ensues.

I fear this is going to get even worse with IE8 as the IE team looks to implement some of HTML 5 and hopefully many of CSS 2.1’s clarifications. The sooner they abandon the global switch, the better…but I’ll wager it’s pain they just don’t feel. Building a browser is a very different pursuit from building portable apps to run inside it.

HTCs Can’t Be Inlined (Even With Hacks)

Modern browsers have built-in widget systems. On IE, it’s HTCs + Viewlink and on Firefox it’s XBL. Even a cursory reading through the docs for both is enough to illuminate the gigantic overlap. Alas, no one is yelling at them to standardize and the result is a terrible mess in which both sub-optimal formats limp along with nearly zero Open Web usage.

So why do I single out IE for whipping here when XBL is just as lame and similarly b0rken with regards to single-file embedding? Well, on Mozilla, you have a lot more “outs”. I strongly suspect that you can use “data:” urls to generate and evaluate component definitions for FF, which would enable compiling down from a single (more sane) format in the running page environment. IE prevents any such useful code-loading approaches.
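The first two items above (Array subclassing and getters/setters) are easier to see in code. The following is an added example written for this page; it is not from Alex Russell’s post, Dojo or jQuery. `LegacyList`, `ModernList`, `makeList` and `makeWidget` are names chosen here for illustration. It shows why a prototype-chain “subclass” of Array loses the live `length` behaviour that toolkits need, what a real array subclass needs (re-pointing the prototype of a genuine array, which Mozilla allowed via `__proto__` and JScript did not; standardized today as `Object.setPrototypeOf` and `class extends Array`), and how an accessor property replaces a getX/setX pair.

```javascript
// Added example, not code from the original page or from Dojo/jQuery.

// ES3-era attempt at subclassing: an ordinary object whose prototype is an
// Array instance. It inherits push/slice/etc., but it is not an array exotic
// object, so writing to an index past the end does not update `length`.
function LegacyList() {}
LegacyList.prototype = new Array();
LegacyList.prototype.constructor = LegacyList;

// What Mozilla permitted in 2008 via `__proto__` and JScript did not: start
// from a REAL array and re-point its prototype to gain custom methods.
// The object stays an array, so `length` remains live. (Object.setPrototypeOf
// is the standardized form of that trick.)
function makeList() {
  const arr = [];
  Object.setPrototypeOf(arr, makeList.prototype);
  return arr;
}
makeList.prototype = Object.create(Array.prototype);
makeList.prototype.last = function () { return this[this.length - 1]; };

// The ES2015+ answer: a class extending Array produces genuine arrays.
class ModernList extends Array {}

// Write past the end and report the resulting length:
// a real array reports 4; the prototype-chain fake still reports 0.
function lengthAfterSparseWrite(list) {
  list[3] = 'd';
  return list.length;
}

// Getters/setters item: instead of getWidth()/setWidth() pairs, an accessor
// property lets plain assignment validate and observe the new value.
function makeWidget() {
  let width = 0;
  return {
    get width() { return width; },
    set width(v) {
      if (!Number.isFinite(v) || v < 0) throw new RangeError('bad width: ' + v);
      width = v;
    },
  };
}
```

Run it and compare `lengthAfterSparseWrite(new LegacyList())` (0) with `lengthAfterSparseWrite(makeList())` and `lengthAfterSparseWrite(new ModernList())` (both 4); `Array.isArray` tells the fake from the real ones. Without the `__proto__`-style escape hatch, a toolkit running on JScript has only the first option, which is exactly why Dojo and jQuery wrap arrays instead of subclassing them.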

January 10th, 2008

CROSS-SITE XMLHTTPREQUEST IN FIREFOX 3

John Resig has written up documentation of Cross-Site XMLHttpRequest that discusses the W3C Access Control working draft which Firefox 3 implements. Note that the header and processing-instruction syntax shown below is that of the draft; the standard that eventually shipped as CORS grants access with an Access-Control-Allow-Origin response header and has no XML processing instruction.

He gives us a nice example:

In a nutshell, there are two techniques that you can use to achieve your desired cross-site-request result: Specifying a special Access-Control header for your content or including an access-control processing instruction in your XML.

In HTML:

PHP:

<?php header('Access-Control: allow <*>'); ?>
<b>John Resig</b>

In XML:

XML:

<?xml version="1.0" encoding="UTF-8"?>
<?access-control allow="*"?>
<simple><name>John Resig</name></simple>

And the XHR code itself isn't different from any other XHR code:

JAVASCRIPT:

var xhr = new XMLHttpRequest();
xhr.open("GET", "http://dev.jquery.com/~john/xdomain/test.php", true);
xhr.onreadystatechange = function(){
  if ( xhr.readyState == 4 ) {
    if ( xhr.status == 200 ) {
      document.body.innerHTML = "My Name is: " + xhr.responseText;
    } else {
      document.body.innerHTML = "ERROR";
    }
  }
};
xhr.send(null);
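What the client code above does not show is the decision the server has to make for each request, which is where the security of the scheme actually lives. The following is an added example written for this page, not code from John Resig’s write-up or from Firefox. It uses the header names the standardized spec (CORS) settled on rather than the draft’s `Access-Control: allow <*>` form, and the policy, origins and request headers are constructed for illustration. It covers the two things the commenters below worry about: responses must only be readable by origins the server explicitly trusts, and a method like DELETE is only reachable if the preflight for it is approved.

```javascript
// Added example, not the page's own code. Header names follow the CORS
// standard; the allowed origins and methods are a constructed policy.

const POLICY = {
  allowedOrigins: new Set(['https://app.example.com', 'https://admin.example.com']),
  allowCredentials: true,           // cookie-bearing requests are accepted...
  allowedMethods: ['GET', 'POST'],  // ...but DELETE is deliberately not offered
};

// Headers to add to an ordinary (non-preflight) response, or null when the
// request gets no CORS headers at all, in which case the browser blocks the
// read. Request header keys are lower-case, as Node's http module exposes them.
function corsHeadersFor(requestHeaders, policy = POLICY) {
  const origin = requestHeaders['origin'];
  if (origin === undefined) return null;             // same-origin or non-browser client
  if (!policy.allowedOrigins.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin,           // echo the matched origin, never '*' with credentials
    'Vary': 'Origin',                                // shared caches must key on Origin
  };
  if (policy.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Answer to the OPTIONS preflight the browser sends before a non-simple
// request (e.g. DELETE). A non-2xx status or missing headers blocks the
// actual request from ever being sent.
function preflightResponse(requestHeaders, policy = POLICY) {
  const base = corsHeadersFor(requestHeaders, policy);
  if (base === null) return { status: 403, headers: {} };
  const method = requestHeaders['access-control-request-method'];
  if (!policy.allowedMethods.includes(method)) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      ...base,
      'Access-Control-Allow-Methods': policy.allowedMethods.join(', '),
      'Access-Control-Max-Age': '600',
    },
  };
}

// The anti-pattern: reflecting whatever Origin arrives together with
// credentials. Any site can then read the user's authenticated responses,
// which is the "protect the client" concern raised in the comments.
function reflectAnyOrigin(requestHeaders) {
  return {
    'Access-Control-Allow-Origin': requestHeaders['origin'],
    'Access-Control-Allow-Credentials': 'true',
  };
}
```

The allowlist plus `Vary: Origin` is the shape most production handlers end up with; `reflectAnyOrigin` is included only so the difference is visible side by side. Nothing here changes what a cross-site `<script>` or `<form>` could already do; it only governs whether the calling page may read the response.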

Some are excited to see the cross-domain work, and some are concerned; for example:

I agree with Thomas. I never understood the NEED to modify the client security model to allow for this. If this is something the software needs to do, then the developer can implement a proxy on the server side. At least in this way the developer has sole discretion on the connections. Just more to go wrong if you ask me.

-

I'm still under the impression - and correct me if I'm wrong - that all these means are tailored to protect the server and its documents. But I thought the issue was to protect the client!

-

What exactly is the reason we need this? Has anybody here really understood why XMLHttp is currently limited to one host and cannot communicate cross-domain? I really do not understand that. If XMLHttp cannot do this by default, why is it still possible to load scripts and images from other servers? Why can I do exactly the same type of cross-domain communication using Flash, and maybe using Silverlight in the future? What is the original reason for this limitation? Is this documented anywhere?

If, as mentioned in the spec, HTTP DELETE is problematic, because it may delete data, why can't we filter such actions when detecting a cross-domain communication? GET and POST are possible in the same way when submitting a simple form. It is even possible to generate these form elements dynamically. And this also works cross-domain. At least these two HTTP methods should be enabled by default to allow cross-domain communication. The open web, as often mentioned by Alex Russell, really needs features comparable with closed source software, e.g. Flash or Silverlight.

-

I agree with those saying that this spec is misguided. But bothering users too much is also not good. How are they to know in every case what things mean?

What do you think?

January 10th, 2008

XSS: FLASH AND RAILS

A couple of good articles on XSS and security came out at the same time. One talks about XSS in Flash, and the other about Rails:

XSS Vulnerabilities in Common Shockwave Flash Files

Rich Cannings has written an article explaining the issue of XSS with regard to Flash:

Critical vulnerabilities exist in a large number of widely used web authoring tools that automatically generate Shockwave Flash (SWF) files, such as Adobe® Dreamweaver®, Adobe® Acrobat® Connect™ (formerly Macromedia Breeze), InfoSoft FusionCharts, and Techsmith Camtasia. The flaws render websites that host these generated SWF files vulnerable to Cross-Site Scripting (XSS).

This problem is not limited to authoring tools. Autodemo, a popular service provider, used a vulnerable controller SWF in many of their projects.

Simple Google hacking queries reveal that hundreds of thousands of SWFs are vulnerable on the Internet, and a considerable percentage of major Internet sites are affected. We are only reporting XSS vulnerabilities that have been fixed by the vendors.

He talks through the tools that cause the issue, and then solutions for keeping yourself safe.

Is your Rails site XSS safe?

Stu Halloway of Relevance has written about SafeErb and how he got it working on a Rails 2.0 application. He kept notes as he went through the experience, allowing us to learn from what he did.

What is SafeErb?

Safe ERB lets you make sure that the string written by "<%= %>" in your rhtml template is escaped correctly. If you try to show the attributes of an ActiveRecord instance read from the database, or the parameters received from the request, without escaping them using the "h" method, an exception will be raised. This will significantly reduce the possibility of putting cross-site scripting vulnerabilities into your web application.

The check is done using the "tainted?" method in the Object class, which is a standard feature provided by Ruby: a string is "tainted" when it is read from IO. When the ERB::Util#h method is called, this plugin "untaints" the string, and when "<%= %>" is called in your rhtml template, it raises an exception if the string you are trying to show is tainted.
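The mechanism described above is worth seeing end to end: data from an untrusted boundary is marked, the escaping helper clears the mark, and the template output step refuses anything still marked. The following is an added example written for this page, not code from SafeErb, Rails or Stu Halloway’s write-up. It models the same check in JavaScript (the language used for the other added examples on this page) with an explicit `Tainted` wrapper rather than Ruby’s built-in taint flag, which SafeErb relied on and which has since been removed from Ruby. The template syntax handled (`<%= name %>` and `<%= h(name) %>` only), the `TaintError` class and the sample request parameters are all constructed for illustration.

```javascript
// Added example, not SafeErb's or Rails' code. Taint is modelled explicitly
// with a wrapper class instead of Ruby's (now removed) Object#tainted?.

// Marker for values that crossed an untrusted boundary (request params,
// database rows). Anything not wrapped is treated as trusted literal data.
class Tainted {
  constructor(value) { this.value = String(value); }
}

// Thrown when an unescaped tainted value reaches template output.
class TaintError extends Error {}

// Wrap every value arriving from the request so nothing slips through untagged.
function taintAll(params) {
  const out = {};
  for (const [key, value] of Object.entries(params)) out[key] = new Tainted(value);
  return out;
}

// HTML-escape. Accepts tainted or plain input; the result is a plain string,
// which is the equivalent of SafeErb "untainting" inside ERB::Util#h.
function h(v) {
  const s = v instanceof Tainted ? v.value : String(v);
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Minimal template renderer supporting only `<%= name %>` and `<%= h(name) %>`.
// The template itself is trusted code, as an ERB file is; only `locals` may
// carry untrusted data. Emitting a Tainted value is refused, so a forgotten
// h() fails at render time instead of shipping an XSS hole.
function render(template, locals) {
  return template.replace(/<%=\s*(?:h\((\w+)\)|(\w+))\s*%>/g, (tag, escapedName, plainName) => {
    const name = escapedName || plainName;
    if (!(name in locals)) throw new ReferenceError('unknown local: ' + name);
    const value = escapedName ? h(locals[name]) : locals[name];
    if (value instanceof Tainted) throw new TaintError('unescaped tainted value in ' + tag);
    return String(value);
  });
}

// Constructed request: the classic probe payload as a user-supplied name.
const SAMPLE_PARAMS = taintAll({ name: '<script>alert(1)</script>' });
```

With `SAMPLE_PARAMS`, `render('<b><%= h(name) %></b>', SAMPLE_PARAMS)` yields the escaped markup, while `render('<b><%= name %></b>', SAMPLE_PARAMS)` throws `TaintError`; trusted literals such as `{ title: 'Hello' }` pass through untouched. The value of the approach is that the failure mode is a crash during development rather than a silent injection in production; the cost, which Stu Halloway’s notes are about, is that every legitimate unescaped output has to be explicitly cleared.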

January 10th, 2008

SIMPLICITY: PHP AJAX FRAMEWORK USING EXT

John Le histrion has been working on a PHP framework for a few years, and has now packaged it as Simplicity:

The Simplicity PHP Application Framework is an advanced, scalable and extensible PHP application framework to assist developers in creating high traffic, high availability Web 2.0 online applications. Integrating a solid MVC framework with some of the best Open Source projects around, Simplicity aims to provide developers with any level of experience with the means to take their applications to a new level.

You can get to the code on the Launchpad page for the framework.

One key example is the Ajax admin console, developed in Ext, that allows a developer to configure all aspects of their application via the Ajax interface; this includes database modelling, the creation of file controllers, and even the addition of predefined actions to speed up development.
