/usr/portage

XHR request signatures and Dojo

Recently I discussed Zend Framework's XHR integration. As a result of that research I filed a bug to have Dojo send the X-Requested-With header by default. A patch has landed in Dojo and will be part of the 1.1 release.
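As an added example (my own code, not Dojo's or Zend Framework's), here is what the header buys you on the server side and what it does not. The function names and the two request objects are assumptions; the header value is the one Dojo sends.

```javascript
// Client side.  This is the header Dojo 1.1 adds to every XHR by default.
// Page script can only attach a custom header like this through
// XMLHttpRequest; a plain <form> submit or an <img>/<script> load from a
// third-party page cannot carry it, and a cross-origin XHR that tries to
// set it triggers a CORS preflight that the target has to answer.
function buildXhrHeaders(extra) {
  var headers = { 'X-Requested-With': 'XMLHttpRequest' };
  Object.keys(extra || {}).forEach(function (k) { headers[k] = extra[k]; });
  return headers;
}

// Server side, the check Zend Framework wraps as isXmlHttpRequest().
// HTTP header names are case-insensitive, so never compare them literally.
function isXmlHttpRequest(headers) {
  var names = Object.keys(headers);
  for (var i = 0; i < names.length; i++) {
    if (names[i].toLowerCase() === 'x-requested-with') {
      return String(headers[names[i]]).toLowerCase() === 'xmlhttprequest';
    }
  }
  return false;
}

// A state-changing JSON endpoint (assumed name) that refuses anything not
// marked as XHR.  This blocks the cheapest CSRF vector, an auto-submitting
// form on an attacker's page, but it is a hint, not a secret: keep it as a
// defence-in-depth layer next to a per-session CSRF token.
function handleDeleteAccount(req) {
  if (req.method !== 'POST') { return { status: 405, body: 'method not allowed' }; }
  if (!isXmlHttpRequest(req.headers)) { return { status: 403, body: 'XHR required' }; }
  return { status: 200, body: JSON.stringify({ deleted: req.body.id }) };
}

// Constructed requests: one sent by page script via XHR, one a forged form
// post from another site, which cannot set the header.
var xhrRequest = {
  method: 'POST',
  headers: buildXhrHeaders({ 'Content-Type': 'application/json' }),
  body: { id: 42 }
};
var forgedForm = {
  method: 'POST',
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  body: { id: 42 }
};

console.log(handleDeleteAccount(xhrRequest).status, handleDeleteAccount(forgedForm).status); // 200 403
```

Note that the check is only as good as the browser rule behind it: anything that can set arbitrary headers on a cross-site request (a plugin, a proxy the victim trusts, a misconfigured CORS policy) makes the header worthless, which is why it complements a token rather than replacing one.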

Filed on 25-03-2008, 00:12 (one comment, no trackbacks)

A naive approach to mixins in PHP

Mixins are a multiple-inheritance concept known from languages like Python or Ruby (and, in a different way, JavaScript). In Ruby you include a module, in Python you extend from multiple classes, and in JavaScript you use the prototype to copy methods from one class to another. PHP has no built-in way to do this, and the lack of multiple inheritance often leads to heavy use of what I'd call the mudclump pattern, although sometimes multiple inheritance is simply practical. Think of PHPUnit and its assert*() methods. They are defined in PHPUnit_Framework_Assert, and PHPUnit_Framework_TestCase extends that class, but it would be much nicer to be able to mix my own custom assertions in here. For example, I have a custom assertion that ensures a certain object implements a valid singleton. Currently I need to patch PHPUnit for that, but why should I have to?
I am currently working on a semi-automated storage component that provides helper functions for database queries (auto-generating a WHERE clause from a filter object, creating a field list from a dependency list, and the like). I do not want to pollute my class hierarchy, but I want these helpers to be pluggable, and I want my colleagues to be able to add their own. So here is my naive approach (it only works for methods).
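The post's own PHP approach is behind the "Continue reading" link. As an added example (my own code, not the post's), here is the JavaScript mechanism the paragraph mentions, copying methods from one constructor's prototype onto another, applied to the PHPUnit use case it describes. All names (mixin, Assert, TestCase, SingletonAssertions, Registry, Leaky) are assumptions.

```javascript
// Copy the own methods of source.prototype onto target.prototype.
// Refuses to overwrite a method the target (or anything up its prototype
// chain) already has unless force is set, so a mixin cannot silently
// replace an assertion or any other method the code base relies on.
function mixin(target, source, force) {
  var applied = [];
  Object.getOwnPropertyNames(source.prototype).forEach(function (name) {
    if (name === 'constructor') { return; }
    var desc = Object.getOwnPropertyDescriptor(source.prototype, name);
    if (typeof desc.value !== 'function') { return; } // methods only
    if (name in target.prototype && !force) {
      throw new Error('mixin: ' + name + ' is already defined on the target');
    }
    Object.defineProperty(target.prototype, name, desc);
    applied.push(name);
  });
  return applied;
}

// The framework part: a base with assert*() methods and a TestCase that
// inherits from it, as PHPUnit_Framework_Assert / _TestCase do.
function Assert() {}
Assert.prototype.assertTrue = function (cond, msg) {
  if (!cond) { throw new Error(msg || 'assertTrue failed'); }
};
Assert.prototype.assertSame = function (a, b, msg) {
  if (a !== b) { throw new Error(msg || 'assertSame failed'); }
};

function TestCase() {}
TestCase.prototype = Object.create(Assert.prototype);
TestCase.prototype.constructor = TestCase;

// The custom assertion lives in its own "class" and is mixed in instead of
// patching the framework.  "Valid singleton" here means: exposes a
// getInstance() that always hands back the same object.
function SingletonAssertions() {}
SingletonAssertions.prototype.assertValidSingleton = function (klass) {
  this.assertTrue(typeof klass.getInstance === 'function', 'no getInstance()');
  this.assertSame(klass.getInstance(), klass.getInstance(),
    'getInstance() returned two different objects');
};

var mixedIn = mixin(TestCase, SingletonAssertions); // ['assertValidSingleton']

// Two constructed subjects: a correct singleton and a broken one.
var Registry = {
  instance: null,
  getInstance: function () {
    if (this.instance === null) { this.instance = { created: Date.now() }; }
    return this.instance;
  }
};
var Leaky = { getInstance: function () { return {}; } };

function runSingletonTest(subject) {
  var tc = new TestCase();
  try {
    tc.assertValidSingleton(subject);
    return 'pass';
  } catch (e) {
    return 'fail: ' + e.message;
  }
}

console.log(mixedIn, runSingletonTest(Registry), runSingletonTest(Leaky));
```

The conflict check is the part worth keeping in any language: a mixin that can overwrite an existing method is a way for a plugged-in helper to disable checks elsewhere in the hierarchy, so make overriding an explicit opt-in.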


Continue reading "A naive approach to mixins in PHP"

Filed on 14-09-2007, 11:11 (three comments, no trackbacks)

XMPP/JavaScript developer

We are hiring a JavaScript developer to work on our famous chat component. The location is Berlin.

Filed on 24-07-2007, 15:03 (no comments, no trackbacks)

Apply now!

At Neu.de we are looking for a Senior Software Developer (that is, someone I can still learn something from) and a few PHP developers, who may well be new to the business but should at least be able to program (we will teach the OOP and sensible software design ourselves). Both positions are described in more detail on our jobs page. A few keywords an applicant should at least like: test-driven development (PHPUnit), acceptance tests with Selenium, object-oriented development in PHP5, use of Jabber technologies, Dojo JavaScript Toolkit, AJAX, design patterns, UML, APIs (REST, XML-RPC), JSON. Oh, and: we are very keen on applications with meaningful references; they may well look as though the applicant seriously wants to work for us.
Benefits are free coffee and Vittel, the best musical education in independent pop/rock/electro, a well-stocked Mate reservoir, the absence of a dress code and a dartboard that wants to be played.
Anyone with further questions is welcome to contact me (by mail or via Jabber).

Filed on 29-06-2007, 00:12 (no comments, no trackbacks)

XSS holes on dapper.net

Dapper is a web service for creating web services on the fly. You can create your own APIs, feeds, etc. by simply mashing up selected areas of different websites; it is quite similar to Yahoo Pipes. Switch/Twitch already pointed out that Dapper completely breaks the same-origin policy, which is the basic security concept of rich web applications (it is partly undermined by Flash anyway, but that is another story). Even worse, Dapper itself was vulnerable to XSS injection, as I found out two weeks ago. The vendor replied quickly and fixed the issues I had demonstrated. The combination of breaking the same-origin policy and XSS vulnerabilities on Dapper is quite dangerous: script injected into a service that already reaches across origins on the user's behalf is worth far more than script injected into an ordinary site. Hopefully the developers really know that they are playing with fire.

Filed on 20-06-2007, 20:08 (no comments, no trackbacks)

Live from Webmontag

So, I just listened to a talk about webnews.de. I did not quite understand what they do, but I found this there:

http://www.webnews.de/suche/""<script>alert('XSS')</script>

Update:
It seems they have fixed the problem. Now I am just waiting for my milk frother. But I think it is cool that it went so fast!
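Both the Dapper post above and this one are about reflected XSS, so here is one added example (my own code, not webnews.de's or Dapper's) of the bug's shape in a search page beside the fix. The renderer, the helper names and the request path are assumptions; the payload is the one from the URL above, in the percent-encoded form a browser would actually send.

```javascript
// Vulnerable: the search term is dropped into the markup unchanged, so
// whatever the URL carries becomes part of the page.  The term lands in
// two contexts, an element body and a double-quoted attribute value.
function renderSearchVulnerable(term) {
  return '<h1>Results for "' + term + '"</h1>\n' +
         '<input type="text" name="q" value="' + term + '">';
}

// Fix: escape for the HTML context before interpolating.  Escaping the
// five characters below covers element bodies and quoted attributes; it
// does not cover JavaScript or URL contexts, which need their own encoding.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

function renderSearchFixed(term) {
  var safe = escapeHtml(term);
  return '<h1>Results for "' + safe + '"</h1>\n' +
         '<input type="text" name="q" value="' + safe + '">';
}

// Take the search term the way the server would: the last path segment of
// the request URL, percent-decoded.
function termFromPath(path) {
  return decodeURIComponent(path.substring(path.lastIndexOf('/') + 1));
}

// A crude check for a test suite: is there a live script tag in the output?
function looksInjected(html) {
  return /<script\b/i.test(html);
}

// The payload from the URL above, as the browser encodes it on the wire.
var payload = termFromPath('/suche/%22%22%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E');
// payload === '""<script>alert(\'XSS\')</script>'

console.log(looksInjected(renderSearchVulnerable(payload)));  // true
console.log(looksInjected(renderSearchFixed(payload)));       // false
```

The two leading quotes in the original payload are there to close an attribute value first; a fix that only strips `<script>` would still leave that attribute break-out open, which is why the escaping has to be per context rather than a blacklist of tags.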

Filed on 22-01-2007, 21:09 (no comments, no trackbacks)

Lazy, object-oriented URL parsing in JavaScript

Use this (no, the regexp does not check for RFC-compatibility):

My_Url = function()
{}

My_Url.parse = function(url)
{
    var result;
    this.url = url;
    result = this.url.match(this.regexp);
    if (result === null) {
        return null; // nothing the regexp recognises as a URL
    }
    this.scheme = result[1]; // includes the "://"
    this.host = result[2];
    this.port = result[3];   // includes the leading ":" or is undefined
    this.path = result[4];   // without the leading "/"
    return this;
}

My_Url.prototype.parse = My_Url.parse
My_Url.prototype.regexp = /(https?:\/\/)([a-zA-Z0-9_\-\.]+)(:[0-9]+)?\/?(.*)?/

url = new My_Url()
url.parse('http://foobar.com/foo')
alert(url.host)

This will open an alert window with the content »foobar.com«.
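Two caveats a practitioner would want before using that host for anything security-relevant: the host character class stops at "@", so userinfo is reported as the host, and the regexp is unanchored, so it matches "http://" anywhere in the string. As an added example (my own code, not the post's), here are those inputs run through the post's regexp beside the WHATWG URL class that browsers and Node ship; the allow-list check and all function names are assumptions.

```javascript
var naiveRe = /(https?:\/\/)([a-zA-Z0-9_\-\.]+)(:[0-9]+)?\/?(.*)?/;

// The post's regexp, reduced to the two fields that matter here.
function naiveParse(url) {
  var m = url.match(naiveRe);
  return m ? { scheme: m[1], host: m[2] } : null;
}

// The standard parser.  hostname is what the browser will connect to.
function standardParse(url) {
  try {
    var u = new URL(url);
    return { scheme: u.protocol, host: u.hostname };
  } catch (e) {
    return null; // not a valid URL at all
  }
}

// Naive allow-list: "does this link point at one of our hosts?"
function naiveIsOurs(url, ourHosts) {
  var p = naiveParse(url);
  return p !== null && ourHosts.indexOf(p.host) !== -1;
}

// The same check on the standard parser, also pinning the scheme so that
// javascript: and data: URLs cannot slip through on a host match.
function isOurs(url, ourHosts) {
  var p = standardParse(url);
  return p !== null && (p.scheme === 'http:' || p.scheme === 'https:') &&
         ourHosts.indexOf(p.host) !== -1;
}

var ours = ['foobar.com'];

// 1. Userinfo.  '@' is not in the regexp's host class, so it stops there and
//    reports the username as the host.  The browser connects to evil.com.
var userinfo = 'http://foobar.com@evil.com/foo';
// 2. Unanchored.  The regexp finds 'http://' in the middle of the string;
//    the real scheme is javascript:.
var js = 'javascript:alert(1)//http://foobar.com/';
// 3. The ordinary case from the post, on which both parsers agree.
var plain = 'http://foobar.com/foo';

console.log(naiveParse(userinfo).host, standardParse(userinfo).host); // foobar.com evil.com
console.log(naiveIsOurs(userinfo, ours), isOurs(userinfo, ours));      // true false
console.log(naiveParse(js).scheme, standardParse(js).scheme);          // http:// javascript:
console.log(naiveIsOurs(js, ours), isOurs(js, ours));                  // true false
console.log(naiveIsOurs(plain, ours), isOurs(plain, ours));            // true true
```

For display purposes the regexp is fine; for redirect targets, allow-lists or anything else where the host is a decision input, parse with the same parser the browser uses and check the scheme as well as the host.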

Filed on 03-12-2006, 02:02 (two comments, no trackbacks)

The other side: Security 2.0 alpha

The talk at Webmontag is over. Now it's time to publish some security-related issues I found out over the last few weeks.


Continue reading "The other side: Security 2.0 alpha"

Filed on 07-02-2006, 00:12 (two comments, two trackbacks)