That's not true. The same byte sequence is either valid UTF-8 or it isn't. One of UTF-8's distinguishing features is that you can tell with fairly high probability whether a sequence of bytes is valid UTF-8 or not. Unlike (say) ISO-8859-1, which could be ISO-8859-2. You can't (easily) distinguish without human intervention.
The fact that the site declares itself to be both UTF-8 and iso-8859-1 is just ludicrous however.
I actually did one of those comments a few days ago. There wasn't a better way to do a particular piece of code, so I put the comment in "// This is ugly, but there isn't a better way to do it.". It's a note to myself and future developers not to bother trying to fix an insignificant ugly piece.
Which is absolutely fine, just so long as you explained why in the next sentence. Or preferably three. As somebody above mentioned, comments should explain the why, not the how.
Much like commit messages, but that's a rant for another day
I need to schedule a meeting with 20 people, and book a conference room.
Don't you have some work to do, instead of wasting everybody else's time? Seriously, a meeting with 20 people, you might as well go to the pub, it'd be at least as productive.
This is really just good practice. If you have to move from your workstation to admin a machine, then it had better be on fire or something. It still surprises me to see quite how incapable most PC type servers are (in terms of remote management), after working for years on Sun equipment.
Even getting people to install a CD shouldn't be necessary. Get JumpStart set up, and boot from the network. This reduces your hosting support people to "reboot computer" tasks, which even they should be capable of.
It's you silly English people who name us "the Dutch", and our country either "The Netherlands" or even worse "Holland". We name ourselves (as a country) "Nederland", which is inhabited by "nederlanders".
Listen, you can't expect us to pay attention to your nationalistic whimsies. It's been centuries since we've had a King from over there. These days, we purchase all our royalty from Germany. And we only have one name for them, even if it is wrong.
I hope that James Clark will be able to help correct the situation.
In case you haven't heard of James Clark, he wrote groff (for displaying man pages amongst other things), XSLT, the expat XML Parser and the Relax NG schema language. I'd be very surprised if anybody here hasn't used his stuff... Take a look at his bio.
I don't have a problem, I audit my code for XSS and filter anything intended for display in a browser.
Good for you! Now what about the 99% of developers who don't?
<meta name="scripting" content="FORCE_DISABLE"/>
Looks lovely. Now how are you going to get that installed into the existing browser base?
CSRF is another problem and the only solution at this time is to have your users disable scripting.
I was under the impression that you could tackle CSRF on the server side by doing enough validation to ensure that what you're getting back is what you sent out in the first place, e.g. by specifying a token that you generated as part of the form.
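The token approach the comment above describes, as an added example that is not part of the original thread or any project's code: the server issues a random nonce bound to the visitor's session with an HMAC, embeds it in the form, and on submission checks in constant time that the token it gets back is one it issued for that same session. The secret key, the session identifiers and the form are constructed for the example; a stateful variant would instead store the issued token in the session and compare against it.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for the example; a real deployment loads this
# from configuration and never hard-codes it.
SERVER_SECRET = b"constructed-example-key-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Return 'nonce.mac'. The MAC ties the nonce to one session, so a token
    lifted from another session (or forged without the key) will not verify."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """True only if the token was issued by this server for this session."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False  # malformed or missing token
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, mac)


def render_form(session_id: str) -> str:
    """What the server sends out: a form carrying the token as a hidden field."""
    token = issue_csrf_token(session_id)
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="submit" value="Send"></form>')


def handle_post(session_id: str, form: dict) -> tuple:
    """What the server checks when the form comes back."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF check failed"
    return 200, "transfer accepted"


if __name__ == "__main__":
    sid = "session-A"
    print(render_form(sid))
    good = issue_csrf_token(sid)
    print(handle_post(sid, {"csrf_token": good}))   # (200, ...)
    print(handle_post("session-B", {"csrf_token": good}))  # (403, ...)
```

Because the session identifier is part of the MAC input, a token only verifies for the session it was issued to, which is the "what you sent out" check the comment is asking for; the HMAC also means the server does not need to remember every token it handed out.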
How many "web" templating systems do you know that automatically escape HTML unless told otherwise? I know of one that can be made to do so: Mason. Even then, you have to enable it, as it's not turned on by default.
What about PHP, ASP, JSP and so on? Will they ever grow up and automatically escape HTML by default? I doubt it very much.
In the meantime, there's always mod_security if you're willing to invest the time configuring it. But it's no guarantee...
I really, really recommend picking up a copy of The Atlas of Middle-earth and keeping it handy whilst reading any of Tolkien's works. It's a superb attempt at documenting the lay of the land from Arda to the Shire. It was reviewed a while back on Slashdot...
If people used profilers a bit more, there'd be a lot fewer programmers wasting their time out there. You don't know where the problems are until you've profiled it!
-Dom
Re:Soon to be obsoleted by Airways for Python (on Ruby For Rails) · Score: 1
Part of the problem with XSS is that pretty much every single web development tool out there has the wrong defaults. When you build a page in a templating system, anything that you insert into that template should be HTML escaped by default. Of course, you need an easy way to turn that off. But that simple act would probably fix 99% of holes out there.
For example, in HTML::Mason, I've set it up so that this:
<% $foo %>
gets escaped, whilst this does not.
<% $foo |n %>
The question remains -- why are we putting up with such poor behaviour from our tools? The SQL people fixed this sort of issue years ago by introducing placeholders into their APIs. The result is that SQL insertion became a rarer vulnerability. Why not for web templating systems too?
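The two defaults the comment above argues for, as an added example that is not Mason's code or any project's code: a small Mason-style template substitution in which `<% $foo %>` is HTML-escaped unless the author writes `<% $foo |n %>`, next to a SQL query that uses a driver placeholder so the value is never spliced into the statement. The regex, the in-memory table and the sample values are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed Mason-like tag syntax: <% $name %> escapes, <% $name |n %> does not.
TAG = re.compile(r"<%\s*\$(\w+)\s*(\|n)?\s*%>")


def render(template: str, values: dict) -> str:
    """Substitute each tag with its value, HTML-escaping unless |n is present."""
    def substitute(match):
        name, raw_flag = match.group(1), match.group(2)
        value = str(values[name])
        if raw_flag:
            return value                      # author explicitly opted out
        return html.escape(value, quote=True)  # the safe default
    return TAG.sub(substitute, template)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table so the query below can run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn


def find_user(conn: sqlite3.Connection, username: str) -> list:
    """The SQL placeholder analogue: '?' makes the value data, not statement text."""
    return conn.execute("SELECT id FROM users WHERE name = ?",
                        (username,)).fetchall()


if __name__ == "__main__":
    untrusted = '<script>alert("x")</script>'
    print(render("<p>Hello <% $who %></p>", {"who": untrusted}))
    print(render("<% $markup |n %>", {"markup": "<em>trusted</em>"}))
    conn = make_db()
    print(find_user(conn, "alice"))            # [(1,)]
    print(find_user(conn, "alice' OR 'a'='a"))  # [] - treated as a literal name
```

In both cases the safe behaviour costs the developer nothing and the unsafe one has to be asked for by name (`|n`), which is the point about defaults the comment is making.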
That's pretty ironic given that Ruby was developed by Japanese developers. I wonder what they did to deal with Japanese characters.
There's a well-known dislike of Unicode in Japan. They mostly use other character encoding schemes, such as SJIS.
For more information on how to use UTF-8 in Rails so far, see HowToUseUnicodeStrings on the rails wiki.
Seriously, they provide source. It's a small program, you can browse it and get the gist of what it's doing in fairly short order. You can change it any way you want, and recompile. Beautiful, isn't it?
The program doesn't have a particular license attached though, I would assume that the intention is that it be licensed under the MIT license. Might want to check that before packaging it for Debian.
National ID cards aren't the cause of totalitarian regimes, but if the United States were taken over by totalitarians,...
If ???
Re:Good Advice (on Sudo vs. Root) · Score: 2, Insightful
One of the key benefits of using sudo, particularly in a single-user situation, is that it uses your regular password, not some "admin" password you typed in at the install 3 months ago and forgot to write down. This is one reason why both OS X and Ubuntu are using sudo.
Personally, I also like the ability to go back through the logs and see what I've done...
Exactly the point of the article...
How many conferences have you been to where the wi-fi worked great? Now multiply the effect.
-Dom
Don't look at me, I was just replying to the parent thread. :-)
But anyway, JavaScript 1.7 is in Firefox 2. It's starting to get out there.
-Dom
You mean like JavaScript 2?
-Dom
Yes, that's because a recruiter posted the same job hundreds of times.
-Dom
You are Zippy The Pinhead AICMFP.
In the context of computing, hacker came first though.
-Dom
As opposed to somebody wanting to debug Java, for which they merely need sectioning.
-Dom