I can not believe it how many times did i stumble upon these stupid UTF-8 BOMs. At work we actually have a script which is part of the build cycle and makes sure we do not have any UTF-8 BOMs in our files.
First of all Byte Order Mark is a set of bytes at the beginning of a file that is added to indicate what unicode encoding is inside of the file. The only problem is that it does not matter for UTF-8 because UTF-8 does not have problem of byte order issues! Some editors and tools keep on adding UTF-8 BOM and it takes time to figure it out! oh man does it!?
The latest version of Firefox 3.6 does not work with Zend Studio Toolbar which is necessary to use debugging and profiling in Zend Studio for Eclipse. There is a working solution though :)
Some nice people prepared modified xpi file which can be downloaded and installed with firefox 3.6. It works like a charm.
In my opinion "JavaScrip: the good parts" is a good book. It is a little bit different than other books i have read so far but it contains a few great fragments and just for that reason it is worth reading it.
Finally i got a book that is truly worth recommending! It is a very good book and i think every web developer should read it.
Book is a sort of a continuation of another good book High performance websites but to be honest i think i like this one more.
Book is very condensed, there is no wasted page in it. Information is well structured and you can see that authors prepared well for the publishing. Information is backed by a decent research and some of the tricks are really cool.
I am happy to present the first release of Ultimate web encoder.
So lately i thought 'how about i do it once and for all', and this is how Ultimate web encoder came to live : )
It is a free online tool that will let you build a chain of transformations with a few simple frag and drops. It will also allow to apply the transformation multiple times as you do not even reload the page. Its all AJAX under the hood.
when you think of it at first it sounds like a great idea. All you have to do is set a global cookie for the main domain and based on that perform authentication. User will be able to go from subdomain to dubdomain and still remain authenticated.
Unfortunately there is second side to this story : )
I just came across a very nice example of how to track external clicks on your website.
To prevent XSS you will have to escape all the strings coming from GET/POST/COOKIES before you output them. You should escape things that come from other sources as well in case there is XSS attack string (for example dont include posts from RSS without escaping them properly).
When i say you should not generate CSS files dynamically i mean actually you should not put PHP variables into it.
From my experience it causes all sorts of problems from security to performance and caching. If you do not have to do it just don't. You cant still merge CSS files to have less requests per page and this is fine, but do not generate each file dynamically just join them and make sure its a safe way to do so.
Some websites validate some bits and pieces but fail in other cases assuming that user will not pass anything strange there.
French OS Con website is and example of that XSS security risk.
The simplest way to find XSS security hole is to look for forms and ajax calls that result in printing request parameters on the returned page.
Here is some simple example which took 5 mins to find. Just go to a website you want to verify and look for forms and action urls.
This example shows UCD website XSS vulnerability (possible in 2010).
This is a sample to show how to locate XSS attacks, do not try to hack sites this way
Cross site scripts lead to a number of security issues. The most important to remember are:
- Session Hijacking - hacker steals user's session by getting his cookies and gets access to user's account
- Cross Site Forgery Request - hacker uses users account to perform operation that was not intended at all
It is a simplified version of firebug but the good thing is that it works in any browser so you can use debigging and inspecting of your code and pages in any browser in the same way.
I was working on the back button support and bookmarkability of one of my galleries and by accident i have noticed there is a slight difference in behavior.
I wanted to change the url to differnet page but preserving the hash at the same time.
I wanted to jump on some event from page