Brace for impact!

Tomorrow might prove to be interesting! So fasten your seatbelts…

Paul Hirsch, a moderator on got wind that hacker Billy Hoffman with SPI Dynamics is going to do a talk tomorrow at Schmoo titled: “Javascript Malware for a Gray Goo Tomorrow”.

He created Jikto, a web scanner written in JavaScript:

This homogeneous platform, coupled with JavaScript’s new features has enabled attackers to perform advanced attacks using XSS that were thought to be impossible even 2 years ago. Self-propagating XSS+Ajax worms, advanced keystroke and mouse loggers, port scanning, fingerprinting, and assaulting intranet applications, as well as stealing search engine queries or browser histories are now all components in an attacker’s toolbox.

If this does not concern you just a bit, I’m not sure what could…

The good news? Well, he’s not going to release Jikto, at least not yet…

But this will definitely bring XSS to the forefront.


Adding CodeHighlighter to Typo

Recently, I ran across CodeHighlighter by Dan Webb. It looked like a pretty cool piece of JavaScript, and a better approach than doing the highlighting on the server side.

Adding it to Typo is fairly straightforward, barring a small patch.

Get the code

Get it from Dan’s site via subversion:

svn co

Adding CodeHighlighter to your template

Add to your template (themes/[YOUR THEME]/layouts/default.rhtml)

<%= javascript_include_tag "code_highlighter" %>
<%= javascript_include_tag "javascript" %>
<%= javascript_include_tag "css" %>
<%= javascript_include_tag "html" %>
<%= javascript_include_tag "ruby" %>

The code as provided by Dan has a small incompatibility with prototype.js, which Ruby on Rails uses. The following line

for (var i in this.styleSets) highlightCode(this.styleSets[i]);

behaves quite strangely and will pretty much kill your browser (Firefox runs out of memory and displays a bunch of “undefined” after several minutes). The reason is that for...in also enumerates all the methods prototype.js adds to the built-in prototypes, so highlightCode ends up being called far too many times, with those methods as its argument.

To make codehighlighter.js play nicely with prototype.js, replace that line with:

if (this.styleSets.each) {
    // prototype.js is loaded: each() visits only the array's own elements
    this.styleSets.each(function(styleSet) { highlightCode(styleSet); });
} else {
    for (var i in this.styleSets) highlightCode(this.styleSets[i]);
}

Essentially, if prototype.js is present, we can use each to iterate over the styles; otherwise it is safe to use the old code.
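To see why the original loop misbehaves, here is a small added example (it is not CodeHighlighter’s or prototype.js’s own code). The pollutePrototypes function stands in for prototype.js by adding three enumerable methods to Array.prototype, makeStyleSets is a constructed stand-in for CodeHighlighter’s styleSets array, and the counters show how many times each iteration style fires before and after those methods exist:

```javascript
// Added example: why `for (var i in array)` breaks once a library extends
// Array.prototype, and which loops do not. Constructed for this post;
// the function and variable names below are illustrative, not CodeHighlighter's.

// Stand-in for prototype.js: three enumerable methods on Array.prototype.
// (The real library added many more; three are enough to show the effect.)
function pollutePrototypes() {
  Array.prototype.each = function (fn) { for (var i = 0; i < this.length; i++) fn(this[i], i); };
  Array.prototype.first = function () { return this[0]; };
  Array.prototype.last = function () { return this[this.length - 1]; };
}

// Undo the stand-in so the demo can be run more than once in one process.
function cleanPrototypes() {
  delete Array.prototype.each;
  delete Array.prototype.first;
  delete Array.prototype.last;
}

// Constructed stand-in for CodeHighlighter's styleSets: one entry per language.
function makeStyleSets() {
  return [{ name: 'javascript' }, { name: 'css' }, { name: 'html' }, { name: 'ruby' }];
}

// The original loop: visits inherited enumerable properties as well, so the
// callback also receives functions instead of style sets.
function countForIn(styleSets) {
  var calls = 0, nonStyleSets = 0;
  for (var i in styleSets) {
    calls++;
    if (typeof styleSets[i] !== 'object') nonStyleSets++;
  }
  return { calls: calls, nonStyleSets: nonStyleSets };
}

// Guarded for...in: skip anything the array did not define itself.
function countForInOwn(styleSets) {
  var calls = 0;
  for (var i in styleSets) {
    if (!Object.prototype.hasOwnProperty.call(styleSets, i)) continue;
    calls++;
  }
  return calls;
}

// Indexed loop (the shape of Dan's fix): only the array's own elements.
function countIndexed(styleSets) {
  var calls = 0;
  for (var i = 0; i < styleSets.length; i++) calls++;
  return calls;
}

// The patch from this post: prefer each() when prototype.js supplies it.
function countPatched(styleSets) {
  var calls = 0;
  if (styleSets.each) {
    styleSets.each(function () { calls++; });
  } else {
    for (var i in styleSets) calls++;
  }
  return calls;
}

// Run every counter before and after the prototypes are extended.
function runDemo() {
  var sets = makeStyleSets();
  var before = { forIn: countForIn(sets).calls, indexed: countIndexed(sets), patched: countPatched(sets) };
  pollutePrototypes();
  var after = {
    forIn: countForIn(sets).calls,                 // 4 elements + 3 inherited methods
    forInFunctions: countForIn(sets).nonStyleSets, // the 3 methods, passed as "style sets"
    forInOwn: countForInOwn(sets),
    indexed: countIndexed(sets),
    patched: countPatched(sets)
  };
  cleanPrototypes();
  return { before: before, after: after };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Run it with node. The plain for...in count jumps from 4 to 7 once the prototype is extended, and three of those calls hand the callback a function rather than a style set; the hasOwnProperty guard, the indexed loop and the each-based patch all stay at 4. The general lesson for any code that loops over arrays with for...in is that it inherits whatever the page’s other scripts have attached to the built-in prototypes, so either guard with hasOwnProperty or use an indexed loop.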

Using CodeHighlighter

Now, adding styling is easy. Using Textile, you can just wrap your code in a <pre> and a <code> block. If you have a JavaScript snippet, give the <code> element a class of “javascript”.

For example:

<pre><code class="javascript">
if (this.styleSets.each) {
    this.styleSets.each(function(styleSet) { highlightCode(styleSet); });
} else {
    for (var i in this.styleSets) highlightCode(this.styleSets[i]);
}
</code></pre>

The other available styles are “html”, “css” and “ruby”.

For example, here’s how Ruby looks:

def display_article(article = nil)
  @article      = block_given? ? yield : article
  @comment      =
  @page_title   = @article.title
  auto_discovery_feed :type => 'article', :id =>
  render :action => 'read'
rescue ActiveRecord::RecordNotFound, NoMethodError => e
  error("Post not found...")
end

And it looks easy to create other styles. See the stylesetguide.html file for details.

Update: Turns out Dan already had a fix, so if you grab the trunk, you will be fine.

Here’s his version of the patch:

for (var i = 0; i < this.styleSets.length; i++) {
    highlightCode(this.styleSets[i]);
}

JavaScript console

JavaScript is great when it works. When it doesn’t, it can take you from happy to miserable in less time than it takes to say XMLHttpRequest.

Today I found (via Ajaxian) an interesting tool that I’m adding to my arsenal for figuring out what’s happening in JavaScript. It is called JavaScript Shell, and it is an invaluable debugging tool. When you embed the script, you get a command-line window where you can make JavaScript calls directly from inside your web page.

You can call any method, inspect objects (using props), see where DOM objects are (using blink), and the killer feature, in my view, is the autocompletion using the tab key! It also features a command history, which is very convenient to try variations of the same call.

And if that wasn’t enough, you can also use the script as a bookmarklet. There is a Firefox version, and an Internet Explorer version available from Curiosity is bliss (ported to IE by Julien Couvreur).

You should try the script for yourself.

This is a great tool for debugging, or for trying a few things quickly, and a good complement to the Rails console. It sure beats having to reload the page!