Friday 19 October 2007
Most of the fun development projects had to be put on hold over the last few months, due to good ole paying projects.
ExtJS security holes
The majority of my paid projects are now using ExtJS, (and one has now used ExtJS 2.0, which is a definite improvement in both features and design). But I did run into what I considered to be a rather serious problem. ExtJS by design is a XSS nightmare... so be careful.
Basically the grid component and a few of the other components are designed to use JSON data comming from the server and render the data it recieves onto a styled HTML table. The problem I discovered, was that rather than using DOM.createTextElement() or similar to render the data it recieves. It uses innerHTML. So data is not escaped in any way prior to rendering onto the page.
It was discovered while testing one of my first major products, A complete Spam/Mail control solution, I discovered that it was not rendering email addresses <someaddress@example.com> , due to the <> characters. I dug into the code and realized the XSS hole, and posted it as a bug on the extjs forum.
Unfortunately it appears that rather than regarding this as a huge hole, they would rather trust developers to read the fine print in the documentation about rendering data to the screen. Personally I would be embarrassed by this attitude on my project.. 'security is someone elses problem'.. but I guess that's their problem... - I have to keep security patches for extjs handy....
GtkDjs updates
I finally got a short time yesterday to update the code in Gtkjs to use the latest dmdscript source, overlayed with my JS2 stuff and language binding add-ons. It builds and runs all the test code in the test folder, and Walter fixed the closure issues alot cleaner than I had...
I've also updated the 'downloadFiles.sh' script so that It fetches the correct language HTML files for the generator. It appears that gnome has moved all the documentation around. (It also means the generated code is more in sync with newer releases of Gtk and the many extensions.)
Mailfort teaser..
As I mentioned above, I'm working heavily on a new product, Mailfort, anyone sending email to me, who I dont know, is likely to get a Identify confirmation email. We are currently testing with friends and family, along with a couple of companies, and hopefully more details will appear soon. But the teaser is that I've been working on Spam and mail control solutions for myself and a few clients, which has finally evolved in something generic enough that we can begin to sell. A number of my friends have been complaining about their Spam problems, so they are now slowly being introduced to the beta test product (with very positive feedback) so hopefully we will get the full website and product rolled out soon.
