I recently posted about a new open source Java project called AntiSamy—which allows you to protect your websites from XSS hacks. I also promised that I'd soon show you some code examples that show you how you can use AntiSamy within ColdFusion.
I've only tested this code under ColdFusion 8. It should theoretically work on any ColdFusion installation, provided you're using a JDK version that supports the compiled version of the AntiSamy code (which is compiled to Java v1.5.)
Before you can actually use AntiSamy, there are a few quick steps you need to take.
An extremely common problem web developers face is protecting themselves from XSS exploits. Any webpage that takes input from a user and displays it is potentially at risk. The simplest way to protect yourself from this type of exploit is to remove anything that could be interpreted as HTML by the browser—either by escaping the content or by removing it altogether.
However, there are many use cases where you may want to allow a user to enter some HTML markup—to allow for basic formatting. Browser tools such as XStandard, FCKeditor and TinyMCE all provide developers with easy ways to provide users with rich text formatting capabilities, but allowing users to input HTML opens your site up to the possibility of XSS attacks.
Scott Stroz (who's always up for a round of golf) today asked How Do You Set Up Your Development Environment? In his article, he has an excellent tip for restarting your local install of Apache using an Ant script. This is a great tip and something I quite frankly never thought to do.
But what if you're using Windows and want to stop a service on a remote server?
I have to admit, I only use a small portion of the features that are in Eclipse. That's because there are so many features that I often miss things, even buttons that stare me in the face every day. I love Eclipse, it's a really powerful IDE and one of the most impressive uses of client-side Java that I've ever seen.
Yesterday Michael Henke posted a nice entry (complete with screenshots) on some of the features of the Eclipse Navigation Toolbar. I've used the "Go Into" feature quite a bit. If you have a large project that you're going to be working in exclusively, it's a nice way to keep your navigation tree to just the relevant files and folders.
However, I must admit that I've never taken the time to figure out what the "Link With Editor" button does. I've clicked it once or twice, but never saw an immediate purpose for the button. Thanks to Michael's post, I know now that clicking the "Link With Editor" toggle button will cause the Navigation pane to automatically jump to the active file open in the current editor tab.
Since I often have many tabs open at once (sometimes even dozens) I can see this feature being useful. Especially since often related files are grouped together in my project.
A couple of days ago, I posted on how I was monitoring memory usage on a recently upgraded CF8 server. I was seeing quite a bit of memory being tied up in the tenured generation portion of the JVM Heap that would steadily rise all day.
Since there were so many dramatic changes between ColdFusion MX 7 and ColdFusion 8, I wasn't sure if this really indeed was a "problem" or simply a difference in behavior. After all, once the load on the server would reduce in the evening I'd see the tenured generation usage drop back down to an acceptable and more expected value.
Because this did have me concerned, I kept digging around server logs to see if I could find any clues to why I was seeing the memory usage climb. I then noticed that the ColdFusion8/runtime/logs/coldfusion-out.log files were getting tons and tons of activities. After opening up the log files, I noticed I had tons of errors like the following:
Adobe Labs just released BlazeDS as a new Open Source project (released under the LGPL v3 license.) Essentially BlazeDS is the remoting and messaging technology behind LiveCycle Data Services. For people familiar with Adobe Flex, they know that this is the "push" technology that allows you to build interfaces that are updated automatically when the data on the server changes. This means you can make data on the screen change in realtime as changes on the server occur.
I spent a few minutes looking through the BlazeDS documentation, but didn't see any real good information related specifically to ColdFusion. However, according to the Release Notes it looks like you can integrate BlazeDS directly with ColdFusion 8.
Yesterday, I posted on how to use JConsole to monitor ColdFusion's JVM. Today I wanted to give you a quick and dirty script you can run on ColdFusion 8 which will give you a lot of the same memory information—but wrapped up into a CF script. The script is based on some code from Steve Brownlee's useful post on accessing ColdFusion internals using Java.
The key benefit to this method is there's nothing to install—just copy the code on a server and run it. Obviously, this only works if the server is responding and is not going to be as thorough as using JConsole. I have found this script handy to just give you a quick overview of the system state.
I've only tested the code in CF8, but it doesn't utilize any special ColdFusion classes—it utilizes the core Java classes. This code should work on any ColdFusion installation using Java 5 (v1.5) or higher.
If you're experiencing problems with your server or just want a better idea of how your server's using memory, the Java JDK provides an excellent monitoring tool called JConsole.
JConsole comes included in the latest Java JDK and can be found in the JDK_HOME/bin folder (where JDK_HOME is the installation folder for your JDK). ColdFusion does not come with the JConsole application, so you'll need to download and install the JDK on a machine that has access to your server (if you do not already have a JDK installed.) JConsole does not need to run on the ColdFusion server, you can connect to a remote server so you can run the application right from your Workstation.
I've been monitoring a server that was recently upgraded to ColdFusion 8. The application was previously running on ColdFusion MX 7—which used Java SDK v1.4. As many of you know, CF8 now runs on Java SDK v1.6.
I've noticed a significant difference in memory management between the two versions of ColdFusion. I've been closely monitoring the server because of the jump in Heap usage I've seen after upgrading.
In my process of researching Memory Management in Java, I came across an excellent article titled Brain Drain In Your Java Apps?* that appears in Software Test & Performance magazine. This article appears in the April 2007 Volume 4, Number 4 issue.
There is also a follow-up article that appears in the May 2007 issue titled It's Not Just The Younger Generations*.
This article is a good resource for anyone trying to figure out how to debug those "Out of Memory" errors. Fortunately, I think my issue is only related to Garbage Collection in the Tenured Generation.
NOTE: The link to the articles points to PDFs containing the entire magazines. I could not find HTML versions of them. The article Brain Drain In Your Java Apps? is on page 22 of the April 2007 issue and the article It's Not Just The Younger Generations is on page 26 of the May 2007 issue.
All of a sudden today I started getting a weird problem when trying to edit files in Eclipse. I could save the file once, but on a subsequent save I was getting the following error:
If I closed the file and re-opened the file, I could save it again but only once.
This had me really scratching my head. My projects actually exist on my LAN as I save the files directly to my personal Dev Server. I thought the problem might have related to some kind of network problem, so I went through a bunch of steps—including rebooting both my Dev Server and my Workstation—but nothing was working.
Finally I got the bright idea to disable ESET Smart Security (which is the new version of the NOD32 scanner.) What do you know, things started working again. I had to play around with things for a while before I was able to figure out what exactly was causing the problem.
It turns out the "Real-time file system protection" was causing the problem. I'm not sure why it's causing the problem, but the fix is easy enough.
NOTE: If you prefer, you could just add the specific extensions you're having problems with to the "Exclude" filter list, the option is up to you.
I'm going to open up a ticket with ESET's support and see what they have to say about this.
I'm having a weird problem with my Desktop Development PC. When using the CF8 Debugger to debug a template, I continually get a window that opens up with the message "Source not found." Here's what the content of the window is:
I've updated to the latest version of the ColdFusion 8 Extension for Eclipse from Adobe's site and that hasn't changed anything. I found one message from Michael Dawson on the CFEclipse Users mailing list where he was having the same issue. Michael said that updating to the latest extensions fixed his problem, but that has not worked for me.
I think this problem may have to do with the fact that my projects are stored on my Development Server which I access over Windows mappings. Things work fine on my laptop, but I use FileSync to synchronize files from my local drive to the Development server.
Setting breakpoints does work, but it doesn't drill down to the correct ticket view. I have a feeling this is a configuration issue, but it could be a bug.
Does anyone have any ideas?
Adobe has just posted Brio—the next generation of Adobe Acrobat Connect—to Adobe Labs for downloading. The new beta version allows you to:
I've had interest in Adobe Acrobat Connect (which is a horrible name,) but it was way out of my price range. Now that they've opened it up for free for up to 3 participants, it looks like it's time to check it out!
Nathan Strutz posted a cool tip using regular expressions to speed up coding which uses a regular expression to convert a single line list of variables into something actually useful.
You have a list of values on lines and you want to apply some code to each:
first_name
middle_initial
last_name
phone
country
state_province
city
Select the lines, and use your IDE's find/replace tool with the regex option. In Eclipse, this is just CTRL+F and check the checkbox. Use this as the search pattern:
^(.+)$
This regex says to select any line with at least one character in it and store it in a character group.
Some code like this would be the replace pattern:
querySetCell(myQuery, "$1", "");
Replace them all and your code will be generated in an instant. The regex will drop each line's content into the $1 backreference.
That's a tip I'll have to remember.
DryIcons.com has released 5 free icon sets. I'm a terrible artist, so the more free icon sets I can find, the better off I am when I'm designing an interface. Here's what DryIcons is offering:
Ruby Multimedia Icon Set - 13 High Quality Web Icons
WYSIWYG Sapphire Icon Set - 47 High Quality Web Icons
WYSIWYG Classic Icon Set - 47 High Quality Web Icons
Blue Velvet Icon Set - 86 High Quality Web Icons
Aesthetica Icon Set - 160 High Quality Web Icons
I'm working on a table that uses the adjacency list model to store its hierarchical relationship. In a nutshell, it means my table has a parent-to-child relationship using a foreign key to point to the parent primary key. While this is efficient for storage (and easy to understand,) this model was always extremely inefficient for retrieving the tree structure in MSSQL—that is until SQL Server 2005.
In SQL Server 2005, Microsoft implemented a new feature called Common Table Expressions (CTE,) which among other things allow you to traverse an adjacency list model table by using recursion.
A simple example looks like this:
Today I was trying to figure out a good way to determine the path through the tree. I started thinking that the MSSQL 2005's ROW_NUMBER() function would be a good way to do that. A quick Google search brought up an excellent article by Adam Machanic titled Swinging From Tree to Tree Using CTEs, Part 2: Adjacency to Nested Intervals.
It gives pretty thorough examples and even shows how using a CTE you can convert an adjacency list model table into a nested set model table.
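The recursive traversal described above, with a path column built as the recursion descends. This is an added example, not code from the original post or from Adam Machanic's article; the #Category table, its columns and the sample rows are hypothetical, and the path is built from row IDs rather than ROW_NUMBER().

```sql
-- Constructed sample data; table and column names are hypothetical.
CREATE TABLE #Category (
    CategoryId INT PRIMARY KEY,
    ParentId   INT NULL,              -- points at the parent row's CategoryId
    Name       VARCHAR(50) NOT NULL
);

-- INSERT ... SELECT ... UNION ALL keeps this compatible with SQL Server 2005.
INSERT INTO #Category (CategoryId, ParentId, Name)
SELECT 1, NULL, 'Root'     UNION ALL
SELECT 2, 1,    'Hardware' UNION ALL
SELECT 3, 1,    'Software' UNION ALL
SELECT 4, 2,    'Printers' UNION ALL
SELECT 5, 4,    'Laser';

WITH Tree (CategoryId, ParentId, Name, Depth, TreePath) AS (
    -- Anchor member: root rows have no parent.
    SELECT c.CategoryId, c.ParentId, c.Name, 0,
           CAST('/' + CAST(c.CategoryId AS VARCHAR(10)) + '/' AS VARCHAR(900))
    FROM #Category AS c
    WHERE c.ParentId IS NULL

    UNION ALL

    -- Recursive member: attach each child to a row already in the result
    -- and extend the parent's path with the child's own ID.
    -- Column types must match the anchor exactly, hence the outer CAST.
    SELECT c.CategoryId, c.ParentId, c.Name, t.Depth + 1,
           CAST(t.TreePath + CAST(c.CategoryId AS VARCHAR(10)) + '/' AS VARCHAR(900))
    FROM #Category AS c
    INNER JOIN Tree AS t ON c.ParentId = t.CategoryId
)
SELECT CategoryId, ParentId, Name, Depth, TreePath
FROM Tree
ORDER BY TreePath                     -- string sort; zero-pad IDs if sibling order matters
OPTION (MAXRECURSION 100);            -- 100 is also the default limit

DROP TABLE #Category;
```

If a bad update ever makes a row its own ancestor, the recursion limit causes the query to fail with an error instead of running indefinitely, so keep MAXRECURSION bounded when the parent column is writable by application code.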