beTech :: Evolve Already

Please join us for a presentation on XUL on Wednesday,October 15th from 10:00 - 11:30 am in Clemons Library, Room 407.
What: Introduction to XUL Development
When: Wed. 10/15, 10:00 - 11:30 am
Where: Clemons Library, Room 407 (to the left of the reference desk)
Who: RJ Bruneel
Introduction to XUL Development
An introduction to XUL development and discussion about what worked while RJ worked on a XUL project for Opensource Connections. XUL (XML User Interface Language) is Mozilla’s XML-based language that lets you build feature-rich cross platform applications that can run connected or disconnected from the Internet. These applications are easily customized with alternative text, graphics and layout so they can be readily branded or localized for various markets. Web developers already familiar with Dynamic HTML (DHTML) will learn XUL quickly and can start building applications right away.  

RJ Bruneel is a seasoned Software Developer since 1997 currently working for Opensource Connections. 

For more information about the location, check out http://www.lib.virginia.edu/map.html

Okay, so JavaScript has to be one of the most conflicted languages out there. It’s ubiquitous and easy to pick up yet mysterious and hard to master at the same time. Everything is an object, sorta? Lamda functions? Prototype? Closure? Object literal notation? Different browser implementations? Come on, puh-leaze!

Yet you’re compelled to master JavaScript since it’s now considered a real language with scores of libraries and even a CPAN/Pear-style repository. It powers awe-inspiring Web sites applications from Amazon to NetVibes to Zimbra. Why it even can be found lurking beneath the surface of various desktop widgets, iPhone apps, and even mainstream applications such as Adobe Illustrator and Photoshop. Great, we’ve made our case.

Super. You’re on board the JavaScript train, you’ve already picked up Javascript: The Definitive Guide (via Safari Books), read a chapter every day, and slept with it under your pillow for the past three weeks. But you’re still bewildered and, gee, you have a stiff neck. Brilliant!

Well today is your lucky day. Watch the following series of videos and your JavaScripting life will change. One of the masters of the language, Douglas Crockford (senior JavaScript Architect at Yahoo! and father of JSON), explains in ample detail the inner workings of this marvelous language and how it got to be so wacky in the first place (many thanks to Microsoft and Netscape). He gets into the nitty and the gritty of programming JavaScript and also presents many of the common, uniquely JS show-stoppers along with their effective work-arounds. I found the series enlightening and I think you will too. Enjoy:

• The JavaScript Programming Language Part 1/4 (see video on right)
• The JavaScript Programming Language Part 2/4
• The JavaScript Programming Language Part 3/4
• The JavaScript Programming Language Part 4/4
• Theory of the DOM Part 1/3
• Theory of the DOM Part 2/3
• Theory of the DOM Part 3/3
• Advanced JavaScript Part 1/3
• Advanced JavaScript Part 2/3
• Advanced JavaScript Part 3/3

By the way, Crockford’s accompanying slides are worth the download, especially in the Advance JavaScript series where the video munges up some of the text.

YSlow for Firebug is the latest must-have extension for Web developers working the bleeding edge. It’s primary purpose it to analyze your pages and tell you why they’re so slow (get it?: [Yahoo||whY]Slow), but it also has some other handy tricks up its sleeve. In one cool little tool, you get:

• a performance report card (based on the Yahoo! 13 Simple Rules for Speeding Up Your Web Site)
• an HTTP/HTML summary
• a list of components in the page
• other tools including JSLint

(Those with a keen eye may notice that YSlow is an extension for Firebug—which is itself a bad-ass Firefox extension.)

ITCWeb consists of thousands of pages that include common snippets of code for headers, footers and such via Apache’s Server Side Includes (SSI). It’s a fairly typical practice for creating templates since you just need to change a single file (the include) to immediately affect all the pages that include it. To maintain a consistent appearance across HTTP and HTTPS (SSL) protocols, our setup also connects the include files behind the scenes on the nonsecure and secure servers with symlinks. The practice worked flawlessly until we added the JavaScript for Google Analytics. The resolution required a little more SSI magic in the form of conditional expressions.

Read the rest of this entry »

The Firebug 1.0 (beta) Firefox extension transports an already awesome web development tool into the realm of the absolutely indispensable. Check out the mind-boggling added functionality:

• HTML Editing: Edit HTML on the fly, see the changes highlighted, search HTML, and much more.
• CSS Development: Wow! Chris Pederick’s Web Developer Extension was great at composing CSS on the fly, but Firebug kicks butt! Preview colors by mousing over the CSS color values, use the up and down keys to increment numeric values, do the same with attribute values and witness Firebug’s built in CSS dictionary run through the possible choices. There are several more features in the CSS tool that would have been enough to make Firebug a must-have tool for developers.
• CSS Layout Visualizing: The box model can be a dastardly concept to comprehend. The Firebug layout visualizer saves the day.
• Net Activity Monitoring: Want to see some neat bar charts? Take Firebug to a big Ajax site and check out the network requests. Heck! Take it to your own site and see what parts of your pages are taking the longest to load. It graphs every get request—including HTML, JavaScript, CSS, and images.
• JavaScript Debugging: Firebug was already good at this as well, now it’s great. Pause execution, step, and break your JavaScript to your heart’s content.

We could say more, but we’d be delaying you from getting on with the Firebug experience. Go get it and let us know what you think.

Oh, and one more thing, did we mention it’s now available for IE, Opera, and Safari? Consider it done.

Soon after posting an article about the rise of hacker Cross-site Scripting (XSS) attacks, online security magazine Dark Reading was alerted to XSS vulnerabilities on its own site. The holes were quickly plugged and a valuable lesson was learned: don’t assume you’re safe, trust no one, and validate everything.

What may be even spookier for much of the beTech audience is that .edu sites may be particularly juicy XSS targets for hackers (according to Jaimie Sirovich, search engine marketing guru). And with a recent Mitre report placing XSS at the top of the list of Common Vulnerabilities and Exposures (CVE) and plenty of additional resources for the mischevious popping up everyday, you can be sure your site security skills will be put to the test for some time to come.

So what the heck is this XSS stuff? SecurityDocs defines XSS thus:

…an XSS attack is when an attacker manages to inject Java script code or sometimes other code… into a website causing it to execute the code.

What harm could this cause? Well if an attacker made a specially crafted link and sent it to an unsuspecting victim and that victim clicked the link and a piece of Java Script code could be executed which would send the victims cookie away to a CGI Script, obviously the attack could do some serious damage. When an attacker creates a malicious link he/she will usually encode the Java Script code in HEX or some kind of encoding in order to try and hide the malicious code.

Websites that are vulnerable to XSS attacks are running some sort of Dynamic Content, Dynamic Content is anything that changes due to user interaction or information stored in a database about a user, things such as Forums, Web Based Email and places where information is submitted are vulnerable to XSS attacks.

As you can see, the user and the host are at risk. Aside from stealing client cookies and login information, XSS can be used to locate and potentially take advantage of vulnerabilities in unprotected web sites. As a web developer, you should be concerned with both scenarios. Your site and your data may be your primary concern, but securing your user’s login and other sensitive information is of paramount importance if you wish to maintain their trust.

What can you do? As a developer, you trust no one and validate all incoming data—especially HTML text coming in on links. As a user, you try to manage JavaScript’s XSS weaknesses with tools like the NoScript extension for Firefox or Stanford’s SafeCache (another Firefox extension). The bottom line for both sides of the server is that XSS is on the rise, so trust no one and keep an eye on those links.

Additional information:

• Wikipedia: Cross-site Scripting (XSS)
• CGI Security: XSS FAQ
• SecurityDocs: XSS FAQ
• Chris Shiflett: Foiling Cross-site Attacks
• Slashdot: Cross-Site Scripting Hits Major Sites
• XSS Cheat Sheet

When the Eclipse platform emerged a couple of years ago, it looked very promising–especially for Java developers. However, it had a strange interface, a project workflow mentality, and it didn’t seem to handle the typical web stuff very well. The Aptana integrated development environment (IDE) changes all that. It may even have the right stuff to knock Dreamweaver off its lofty perch.

J Wood tipped me off to its excellent JavaScript editing abilities and, indeed, this is where Aptana shines. This is easily the best JavaScript editor I have ever used. Thoughtful features such as Code Assist (pop-ups to help complete your code), built-in JavaScript and DOM documentation, real-time online help, outline views, macro scripting, and built-in support for the major JavaScript libraries (e.g., Dojo, Mochikit, Prototype) make JavaScript coding an absolute joy. This alone should earn Aptana a place in every developer’s toolset, but there’s more.

Aptana is a great all-around web editor that handles HTML and CSS with equal poise. There’s Code Assist for HTML and CSS–which proves particularly useful when coding CSS. Type a pound sign (to start an id selector) and all the relevant id selectors pop up. Ka-chow! Since Eclipse beats as its heart, Aptana can take advantage of the myriad plugins already out there such as the Subclipse plugin for tight Subversion version control integration (I can’t recall hearing that Dreamweaver handles version control as well–and certainly not without cost). This implementation of Eclipse also thoughtfully offers a file view of your local hard drive (obviously understanding that we all don’t necessarily want to start a project to edit code). Aptana runs on the Windows, Mac, and Linux platforms and is noticably faster than Dreamweaver on the Mac.

To be sure, there are some bugs and rough edges in this beta version application. But the pluses certainly outweigh the negatives. Future versions of Aptana are scheduled to receive FTP support, debugging capabilities, PHP and ASP.NET support, HTML validation, and refactoring tools. If you’re a web developer looking for a cross-platform editor to make JavaScript and Ajax sing, Aptana deserves a download and a look-see. Did we mention it’s free?