The miscellaneous ramblings and thoughts of Dan G. Switzer, II

Protect yourself from XSS attacks using AntiSamy

An extremely common problem web developers face is protecting themselves from XSS exploits. Any webpage that takes input from a user and displays it is potentially at risk. The simplest way to protect yourself from this type of exploit is to remove anything that could be interpreted as HTML by the browser—either by escaping the content or by removing it altogether.

However, there are many use cases where you may want to allow a user to enter some HTML markup—to allow for basic formatting. Browser tools such as XStandard, FCKeditor and TinyMCE all provide developers with easy ways to provide users with rich text formatting capabilities, but allowing users to input HTML opens your site up to the possibility of XSS attacks.
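As an added illustration (not code from this post), here are the two options above in Java: a plain escaping helper for output that needs no markup, and an AntiSamy scan against an allow-list policy for input that is permitted to carry formatting. The policy file name and the org.owasp.validator.html calls are as I know them from the AntiSamy distribution, not from this post.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class UserHtml {
    // Assumed: one of the sample policies shipped with AntiSamy, reachable from the working dir.
    private static final String POLICY_FILE = "antisamy-slashdot.xml";

    private final Policy policy;
    private final AntiSamy antiSamy = new AntiSamy();

    public UserHtml() throws PolicyException {
        // The policy is the allow-list: only the tags, attributes and CSS it names survive.
        this.policy = Policy.getInstance(POLICY_FILE);
    }

    /** Option 1: no markup allowed at all. Escape so the browser renders text, not HTML. */
    public static String escape(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (char c : untrusted.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Option 2: some markup allowed. Keep what the policy permits, drop the rest. */
    public String clean(String untrusted) throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(untrusted, policy);
        // Each message names something the policy rejected; worth logging for review.
        for (String msg : results.getErrorMessages()) {
            System.err.println("AntiSamy removed: " + msg);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: harmless formatting mixed with content a policy should strip.
        String input = "<b>Hello</b> <script>alert(1)</script> <a href=\"javascript:alert(1)\">link</a>";
        System.out.println("escaped: " + escape(input));
        System.out.println("cleaned: " + new UserHtml().clean(input));
    }
}
```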


The Dark Knight High Quality Trailer Online

Warner Brothers has finally released a high quality trailer of Christopher Nolan's The Dark Knight. I'm a big fan of Nolan's work and Batman Begins might be the best actual movie that was based on a comic book character. Batman Begins doesn't feel like a typical "superhero" movie, it's much more driven by story and character development than we've seen in the past.

While I was really impressed with Michael Keaton's ability to transform himself into Batman (which I admit, I was very skeptical of the casting), I think Christian Bale captures Batman better. Keaton was certainly the best of the Batmans in the original series of movies, but Bale was perfect casting for Nolan's vision of the film.

Anyway, without further ado, here's the new trailer.


Grand Theft Auto 4 Box Art Revealed...

Rockstar came up with a cool way to unveil the new box art for GTA4. They used a bunch of mural artists to draw the box art on a wall and then published the time-lapse video. I like how this approach worked.

Using Eclipse to restart your Web Server

Scott Stroz (who's always up for a round of golf) today asked How Do You Set Up Your Development Environment? In his article, he has an excellent tip for restarting your local install of Apache using an Ant script. This is a great tip and something I quite frankly never thought to do.

But what if you're using Windows and want to stop a service on a remote server?


Eclipse Navigator Toolbar - "Link With Editor" button...

I have to admit, I only use a small portion of the features that are in Eclipse. That's because there are so many features that I often miss things, even buttons that stare me in the face everyday. I love Eclipse, it's a really powerful IDE and one of the most impressive uses of client-side Java that I've ever seen.

Yesterday Michael Henke posted a nice entry (complete with screenshots) on some of the features of the Eclipse Navigation Toolbar. I've used the "Go Into" feature quite a bit. If you have a large project that you're going to be working in exclusively, it's a nice way to keep your navigation tree to just the relevant files and folders.

However, I must admit that I've never taken the time to figure out what the "Link With Editor" button does. I've clicked it once or twice, but never saw an immediate purpose for the button. Thanks to Michael's post, I now know that clicking the "Link With Editor" toggle button will cause the Navigation pane to automatically jump to the active file open in the current editor tab.

Since I often have many tabs open at once (sometimes even dozens), I can see this feature being useful, especially since related files are often grouped together in my project.

Update on my JVM Heap problems in CF8...

A couple of days ago, I posted on how I was monitoring memory usage on a recently upgraded CF8 server. I was seeing quite a bit of memory being tied up in the tenured generation portion of the JVM Heap, and it would steadily rise all day.

Since there were so many dramatic changes between ColdFusion MX 7 and ColdFusion 8, I wasn't sure if this really was a "problem" or simply a difference in behavior. After all, once the load on the server dropped in the evening I'd see the tenured generation usage fall back down to an acceptable and more expected value.

Because this did have me concerned, I kept digging around the server logs to see if I could find any clues as to why I was seeing the memory usage climb. I then noticed that the ColdFusion8/runtime/logs/coldfusion-out.log files were getting a huge amount of activity. After opening up the log files, I noticed I had tons of errors like the following:


Adobe Labs releases Flex Builder 3 (Public Beta 3)

Adobe always seems to like releasing things to Adobe Labs en masse. They've also just released Flex Builder 3 (Public Beta 3). I actually found beta 2 to be pretty stable and have even rolled out a project into production based on beta 2. I plan on upgrading as soon as I have some time.

Adobe Labs releases BlazeDS - Remoting and Messaging technology

Adobe Labs just released BlazeDS as a new Open Source project (released under the LGPL v3 license.) Essentially BlazeDS is the remoting and messaging technology behind LiveCycle Data Services. For people familiar with Adobe Flex, they know that this is the "push" technology that allows you to build interfaces that are updated automatically when the data on the server changes. This means you can make data on the screen change in realtime as changes on the server occur.

I spent a few minutes looking through the BlazeDS documentation, but didn't see any real good information related specifically to ColdFusion. However, according to the Release Notes it looks like you can integrate BlazeDS directly with ColdFusion 8.


Quick & Dirty ColdFusion JVM Memory Monitor

Yesterday, I posted on how to use JConsole to monitor ColdFusion's JVM. Today I wanted to give you a quick and dirty script you can run on ColdFusion 8 which will give you a lot of the same memory information—but wrapped up into a CF script. The script is based on some code from Steve Brownlee's useful post on accessing ColdFusion internals using Java.

The key benefit of this method is there's nothing to install—just copy the code onto a server and run it. Obviously, this only works if the server is responding, and it is not going to be as thorough as using JConsole. I have found this script handy for getting a quick overview of the system state.

I've only tested the code in CF8, but it doesn't utilize any special ColdFusion classes—it utilizes the core Java classes. This code should work on any ColdFusion installation using Java 5 (v1.5) or higher.
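Added example, not the script from the post: the same memory information read directly from the JVM's management beans in plain Java, which is what a CF script of this kind wraps. It prints the overall heap plus each heap pool, and flags the tenured pool; the pool-name matching is an assumption, since the names vary by garbage collector.

```java
import java.lang.management.ManagementFactory;
import java.lang.management.MemoryMXBean;
import java.lang.management.MemoryPoolMXBean;
import java.lang.management.MemoryType;
import java.lang.management.MemoryUsage;

public class HeapSnapshot {
    private static final double MB = 1024.0 * 1024.0;

    static String fmt(MemoryUsage u) {
        // getMax() is -1 when the pool has no defined maximum.
        String max = u.getMax() < 0 ? "n/a" : String.format("%.1fMB", u.getMax() / MB);
        return String.format("used=%.1fMB committed=%.1fMB max=%s",
                u.getUsed() / MB, u.getCommitted() / MB, max);
    }

    // Assumed naming: tenured pools are called something like "Tenured Gen" or "PS Old Gen".
    static boolean isTenured(MemoryPoolMXBean pool) {
        String name = pool.getName();
        return name.contains("Old") || name.contains("Tenured");
    }

    /** Fraction of the tenured pool in use, or -1 if it cannot be determined. */
    static double tenuredUsedFraction() {
        for (MemoryPoolMXBean pool : ManagementFactory.getMemoryPoolMXBeans()) {
            if (pool.getType() == MemoryType.HEAP && isTenured(pool)) {
                MemoryUsage u = pool.getUsage();
                if (u.getMax() > 0) return (double) u.getUsed() / u.getMax();
            }
        }
        return -1;
    }

    static void print() {
        MemoryMXBean mem = ManagementFactory.getMemoryMXBean();
        System.out.println("Heap:     " + fmt(mem.getHeapMemoryUsage()));
        System.out.println("Non-heap: " + fmt(mem.getNonHeapMemoryUsage()));
        for (MemoryPoolMXBean pool : ManagementFactory.getMemoryPoolMXBeans()) {
            if (pool.getType() != MemoryType.HEAP) continue;  // skip perm gen, code cache, etc.
            System.out.printf("%-16s %s peak=%.1fMB%s%n", pool.getName(), fmt(pool.getUsage()),
                    pool.getPeakUsage().getUsed() / MB, isTenured(pool) ? "  <- tenured" : "");
        }
        double frac = tenuredUsedFraction();
        if (frac >= 0) System.out.printf("Tenured in use: %.0f%%%n", frac * 100);
    }

    public static void main(String[] args) { print(); }
}
```

Run it repeatedly (or call print() from a scheduled task) and compare the tenured used figure over the day; a value that climbs under load but drops back after a full collection is the pattern discussed in the follow-up post above.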


Using JConsole to monitor ColdFusion's JVM

If you're experiencing problems with your server or just want a better idea of how your server's using memory, the Java JDK provides an excellent monitoring tool called JConsole.

JConsole comes included in the latest Java JDK and can be found in the JDK_HOME/bin folder (where JDK_HOME is the installation folder for your JDK). ColdFusion does not come with the JConsole application, so you'll need to download and install the JDK on a machine that has access to your server (if you do not already have a JDK installed). JConsole does not need to run on the ColdFusion server; it can connect to a remote server, so you can run the application right from your workstation.


Troubleshooting Memory Leaks in Java

I've been monitoring a server that was recently upgraded to ColdFusion 8. The application was previously running on ColdFusion MX 7—which used Java SDK v1.4. As many of you know, CF8 now runs on Java SDK v1.6.

I've noticed a significant difference in memory management between the two versions of ColdFusion. I've been closely monitoring the server because of the jump in Heap usage I've seen after upgrading.

In the process of researching memory management in Java, I came across an excellent article titled Brain Drain In Your Java Apps?* that appeared in Software Test & Performance magazine. This article appears in the April 2007 Volume 4, Number 4 issue.

There is also a follow-up article that appears in the May 2007 issue titled It's Not Just The Younger Generations*.

This article is a good resource for anyone trying to figure out how to debug those "Out of Memory" errors. Fortunately, I think my issue is only related to Garbage Collection in the Tenured Generation.

The links to the articles point to PDFs containing the entire magazines. I could not find HTML versions of them. The article Brain Drain In Your Java Apps? is on page 22 of the April 2007 issue and the article It's Not Just The Younger Generations is on page 26 of the May 2007 issue.

ESET/NOD32 causing "Save Problems" in Eclipse

All of a sudden today I started getting a weird problem when trying to edit files in Eclipse. I could save the file once, but on a subsequent save I was getting the following error:

Save Problems - Save could not be completed. Reason: Has been changed on the files system. 

If I closed the file and re-opened the file, I could save it again but only once.

This had me really scratching my head. My projects actually live on my LAN, as I save the files directly to my personal Dev Server. I thought the problem might be related to some kind of network problem, so I went through a bunch of steps—including rebooting both my Dev Server and my Workstation—but nothing was working.

Finally I got the bright idea to disable ESET Smart Security (which is the new version of the NOD32 scanner.) What do you know, things started working again. I had to play around with things for a while before I was able to figure out what exactly was causing the problem.

It turns out the "Real-time file system protection" was causing the problem. I'm not sure why it's causing the problem, but the fix is easy enough.

  1. Open up ESET Smart Security
  2. Make sure you're in the Advanced mode layout
  3. Go to Setup > Antivirus and antispyware
  4. Click the "Configure..." option
  5. Click the "Setup..." button
  6. Un-check the "Scan all files" option
  7. Keep clicking the "OK" button until you're back to the ESET Smart Security window

If you prefer, you could instead add just the specific extensions you're having problems with to the "Exclude" filter list; the option is up to you.

I'm going to open up a ticket with ESET's support and see what they have to say about this.

Problems with CF8 Debug - Source not found

I'm having a weird problem with my Desktop Development PC. When using the CF8 Debugger to debug a template, I continually get a window that opens up with the message "Source not found." Here's what the content of the window is:


I've updated to the latest version of the ColdFusion 8 Extension for Eclipse from Adobe's site and that hasn't changed anything. I found one message from Michael Dawson on the CFEclipse Users mailing list where he was having the same issue. Michael said that updating to the latest extensions fixed his problem, but that has not worked for me.

I think this problem may have to do with the fact that my projects are stored on my Development Server which I access over Windows mappings. Things work fine on my laptop, but I use FileSync to synchronize files from my local drive to the Development server.

Setting breakpoints does work, but it doesn't drill down to the correct ticket view. I have a feeling this is a configuration issue, but it could be a bug.

Does anyone have any ideas?

Adobe Acrobat Connect ("Brio") now free for 3 participants...

Adobe has just posted Brio—the next generation of Adobe Acrobat Connect—to Adobe Labs for downloading. The new beta version allows you to:

  • Host unlimited online meetings with up to 3 meeting participants.
  • Interact with easy-to-use screen sharing, chat and whiteboards.
  • Access your meeting instantly with a personalized, easy-to-remember URL.
  • Distribute documents and files to meeting participants.
  • Use integrated VoIP, teleconferencing and multi-point video.

I've had interest in Adobe Acrobat Connect (which is a horrible name), but it was way out of my price range. Now that they've opened it up for free for up to 3 participants, it looks like it's time to check it out!

Using RegEx in your IDE to speed up coding...

Nathan Strutz posted a cool tip using regular expressions to speed up coding which uses a regular expression to convert a single line list of variables into something actually useful.

You have a list of values on lines and you want to apply some code to each:


Select the lines, and use your IDE's find/replace tool with the regex option. In Eclipse, this is just CTRL+F and check the checkbox. Use this as the search pattern:


This regex says to select any line with at least one character in it and store it in a character group.

Some code like this would be the replace pattern:
querySetCell(myQuery, "$1", "");

Replace them all and your code will be generated in an instant. The regex will drop each line's content into the $1 backreference.

That's a tip I'll have to remember.