The miscellaneous ramblings and thoughts of Dan G. Switzer, II

Protect yourself from XSS attacks using AntiSamy

An extremely common problem web developers face is protecting themselves from XSS exploits. Any webpage that takes input from a user and displays it is potentially at risk. The simplest way to protect yourself from this type of exploit is to remove anything that could be interpreted as HTML by the browser—either by escaping the content or by removing it altogether.

However, there are many use cases where you may want to allow a user to enter some HTML markup—to allow for basic formatting. Browser tools such as XStandard, FCKeditor and TinyMCE all provide developers with easy ways to provide users with rich text formatting capabilities, but allowing users to input HTML opens your site up to the possibility of XSS attacks.
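The two options above, escaping everything versus keeping an allow-list of harmless markup, side by side as an added example. This is Python written for this page, not AntiSamy and not the blog's ColdFusion code; the particular set of allowed tags, attributes and URL schemes is this example's own assumption, standing in for the policy file AntiSamy would use.

```python
"""Two defences against stored XSS (added example, not the blog's code):
escape everything, or rebuild the markup from an allow-list and drop the rest."""
import html
from html.parser import HTMLParser

# Allow-list: tag -> attributes permitted on it. Everything else is dropped.
# These choices are this example's assumption, not AntiSamy's policy.
ALLOWED = {
    "b": set(), "i": set(), "strong": set(), "em": set(), "p": set(),
    "br": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID = {"br"}   # tags that never get a closing tag


def escape_all(untrusted: str) -> str:
    """Option 1: make the browser render the text literally."""
    return html.escape(untrusted, quote=True)


class AllowListSanitizer(HTMLParser):
    """Option 2: emit only allowed tags/attributes, re-escape all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack, so only matching close tags are emitted
        self.skip_depth = 0   # >0 while inside <script>/<style>: drop content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED:
            return            # unknown tag (img, iframe, ...): drop tag, keep text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue      # drops every on* handler, style, src, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue      # blocks javascript:, data:, vbscript: links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_tags:
            # close everything up to and including this tag (repairs bad nesting)
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:            # close anything the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(untrusted: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(untrusted)
    return parser.result()


# Constructed sample of what a rich-text editor field might submit.
SAMPLE = ('<p>Hi <b onmouseover="alert(1)">there</b>'
          '<script>steal()</script>'
          '<a href="javascript:alert(1)">x</a>'
          '<a href="https://example.com" title="ok">site</a>'
          '<img src=x onerror="alert(1)"></p>')

if __name__ == "__main__":
    print(escape_all(SAMPLE))
    print(sanitize(SAMPLE))
```

Escaping is the right default for plain-text fields such as a user's name; the allow-list parser is for the rich-text case, and the important design point is that it never passes input through, it rebuilds output from parsed pieces, so a tag or attribute the policy does not name cannot survive.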


Eclipse Navigator Toolbar - "Link With Editor" button...

I have to admit, I only use a small portion of the features that are in Eclipse. That's because there are so many features that I often miss things, even buttons that stare me in the face every day. I love Eclipse; it's a really powerful IDE and one of the most impressive uses of client-side Java that I've ever seen.

Yesterday Michael Henke posted a nice entry (complete with screenshots) on some of the features of the Eclipse Navigation Toolbar. I've used the "Go Into" feature quite a bit. If you have a large project that you're going to be working in exclusively, it's a nice way to keep your navigation tree to just the relevant files and folders.

However, I must admit that I've never taken the time to figure out what the "Link With Editor" button does. I've clicked it once or twice, but never saw an immediate purpose for the button. Thanks to Michael's post, I now know that clicking the "Link With Editor" toggle button will cause the Navigation pane to automatically jump to the active file open in the current editor tab.

Since I often have many tabs open at once (sometimes even dozens), I can see this feature being useful, especially since related files are often grouped together in my project.

Adobe Labs releases BlazeDS - Remoting and Messaging technology

Adobe Labs just released BlazeDS as a new Open Source project (released under the LGPL v3 license). Essentially BlazeDS is the remoting and messaging technology behind LiveCycle Data Services. People familiar with Adobe Flex will know that this is the "push" technology that allows you to build interfaces that are updated automatically when the data on the server changes. This means you can make data on the screen change in realtime as changes on the server occur.

I spent a few minutes looking through the BlazeDS documentation, but didn't see any really good information related specifically to ColdFusion. However, according to the Release Notes, it looks like you can integrate BlazeDS directly with ColdFusion 8.


Quick & Dirty ColdFusion JVM Memory Monitor

Yesterday, I posted on how to use JConsole to monitor ColdFusion's JVM. Today I wanted to give you a quick and dirty script you can run on ColdFusion 8 which will give you a lot of the same memory information—but wrapped up into a CF script. The script is based on some code from Steve Brownlee's useful post on accessing ColdFusion internals using Java.

The key benefit to this method is that there's nothing to install—just copy the code to a server and run it. Obviously, this only works if the server is responding, and it is not going to be as thorough as using JConsole. I have found this script handy for getting a quick overview of the system state.

I've only tested the code in CF8, but it doesn't utilize any special ColdFusion classes—it utilizes the core Java classes. This code should work on any ColdFusion installation using Java 5 (v1.5) or higher.


Using JConsole to monitor ColdFusion's JVM

If you're experiencing problems with your server or just want a better idea of how your server's using memory, the Java JDK provides an excellent monitoring tool called JConsole.

JConsole comes included in the latest Java JDK and can be found in the JDK_HOME/bin folder (where JDK_HOME is the installation folder for your JDK). ColdFusion does not come with the JConsole application, so you'll need to download and install the JDK on a machine that has access to your server (if you do not already have a JDK installed). JConsole does not need to run on the ColdFusion server; you can connect to a remote server, so you can run the application right from your workstation.


Troubleshooting Memory Leaks in Java

I've been monitoring a server that was recently upgraded to ColdFusion 8. The application was previously running on ColdFusion MX 7—which used Java SDK v1.4. As many of you know, CF8 now runs on Java SDK v1.6.

I've noticed a significant difference in memory management between the two versions of ColdFusion. I've been closely monitoring the server because of the jump in Heap usage I've seen after upgrading.

In my process of researching Memory Management in Java, I came across an excellent article titled Brain Drain In Your Java Apps?* that appeared in Software Test & Performance magazine. This article appears in the April 2007 Volume 4, Number 4 issue.

There is also a follow-up article that appears in the May 2007 issue titled It's Not Just The Younger Generations*.

This article is a good resource for anyone trying to figure out how to debug those "Out of Memory" errors. Fortunately, I think my issue is only related to Garbage Collection in the Tenured Generation.

The links to the articles point to PDFs containing the entire magazines. I could not find HTML versions of them. The article Brain Drain In Your Java Apps? is on page 22 of the April 2007 issue and the article It's Not Just The Younger Generations is on page 26 of the May 2007 issue.

ESET/NOD32 causing "Save Problems" in Eclipse

All of a sudden today I started getting a weird problem when trying to edit files in Eclipse. I could save the file once, but on a subsequent save I was getting the following error:

Save Problems - Save could not be completed. Reason: Has been changed on the files system. 

If I closed the file and re-opened the file, I could save it again but only once.

This had me really scratching my head. My projects actually exist on my LAN, as I save the files directly to my personal Dev Server. I thought the problem might have been related to some kind of network problem, so I went through a bunch of steps—including rebooting both my Dev Server and my Workstation—but nothing was working.

Finally I got the bright idea to disable ESET Smart Security (which is the new version of the NOD32 scanner). What do you know, things started working again. I had to play around with things for a while before I was able to figure out what exactly was causing the problem.

It turns out the "Real-time file system protection" was causing the problem. I'm not sure why it's causing the problem, but the fix is easy enough.

  1. Open up ESET Smart Security
  2. Make sure you're in the Advanced mode layout
  3. Go to Setup > Antivirus and antispyware
  4. Click the "Configure..." option
  5. Click the "Setup..." button
  6. Un-check the "Scan all files" option
  7. Keep clicking the "OK" button until you're back to the ESET Smart Security window

If you prefer, you could just add the specific extensions you're having problems with to the "Exclude" filter list; the choice is up to you.

I'm going to open up a ticket with ESET's support and see what they have to say about this.

Using RegEx in your IDE to speed up coding...

Nathan Strutz posted a cool tip on using regular expressions to speed up coding: it uses a regex to convert a single-line list of variables into something actually useful.

You have a list of values on lines and you want to apply some code to each:


Select the lines, and use your IDE's find/replace tool with the regex option. In Eclipse, this is just CTRL+F and check the checkbox. Use this as the search pattern:


This regex says to select any line with at least one character in it and store it in a character group.

Some code like this would be the replace pattern:
querySetCell(myQuery, "$1", "");

Replace them all and your code will be generated in an instant. The regex will drop each line's content into the $1 backreference.

That's a tip I'll have to remember.
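The same line-to-code transformation done with a script instead of the IDE's find/replace dialog, as an added example that is not part of Nathan's post or this blog. The search pattern itself did not survive on this page, so the example assumes `^(.+)$` (one capture group holding every line with at least one character, which is what the tip describes) and uses Python's `\1` spelling of the `$1` backreference. The whitespace-trimming variant goes one step beyond the tip and is this example's own addition.

```python
"""Generate repetitive code from a column of values with one regex
substitution (added example; pattern assumed, see lead-in)."""
import re

# Assumed search pattern: capture each line that has at least one character.
# MULTILINE makes ^ and $ match at every line boundary, as an IDE does.
LINE_PATTERN = re.compile(r"^(.+)$", re.MULTILINE)

# Variant (this example's own): same idea, but leading/trailing spaces and
# tabs are left outside the capture group so "  email  " becomes "email".
TRIMMED_PATTERN = re.compile(r"^[ \t]*(\S.*?)[ \t]*$", re.MULTILINE)


def generate_from_lines(text: str, template: str) -> str:
    """Apply template to every non-empty line; \\1 is the line's content."""
    return LINE_PATTERN.sub(template, text)


def generate_from_lines_trimmed(text: str, template: str) -> str:
    """Same as above, but surrounding whitespace is not part of \\1."""
    return TRIMMED_PATTERN.sub(template, text)


# Constructed sample: a column of column names pasted from somewhere.
COLUMNS = "id\nfirstName\nlastName\n\nemail"

if __name__ == "__main__":
    # Replacement pattern from the tip; parentheses and quotes are literal.
    print(generate_from_lines(COLUMNS, r'querySetCell(myQuery, "\1", "");'))
    print(generate_from_lines_trimmed("  total  \n\tcount", r'<cfset \1 = 0>'))
```

Blank lines are left untouched because `.+` needs at least one character, which matches the behaviour described in the tip.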

WinMerge is a great Open Source Diff tool

In the past I've blogged about some free Windows-based Diff tools—like ExamDiff. However I recently came across WinMerge—an "Open Source visual text file differencing and merging tool for Win32 platforms."

I've only been playing around with it for a couple of days, but I'm very impressed so far. It does a very good job visualizing the differences in files and has a lot of configuration options (such as how to interpret whitespace). You can create patch files, merge the changes together and even compare folder contents.

The feature I really like is Windows Explorer Context Menu integration. The context menu allows you to select two files in Windows Explorer, right-click, select the "Compare" option and instantly get a diff of those two files. There's also an option called "Compare To" which allows you to select a single file; you can then explore to another folder, highlight a second file and select the "Compare" option to compare those two files. I really like this option. For me this is generally much more convenient than opening the program and using an "Open" dialog to compare two files. I just find that when I need to compare two files and I'm not already in Eclipse, I'm probably looking at the files in Explorer—so the context menu integration is extremely convenient.


Configuring Windows Authentication with Apache 2.2.x and Subversion

I've been working on our development server at work to try to help streamline some processes. This included upgrading Subversion and Apache to the latest versions and installing Trac (so we can better track software issues).

In order to really simplify being able to give developers and contractors access to the appropriate areas, I wanted to try and simplify the process by configuring Apache to use Windows Authentication. This allows us to control who has access to what, just by making them members of the appropriate groups.

Since I'm new to Apache, this whole process has taken longer than what I wanted—but I certainly learned a lot in the process.


Using CFMAIL to send attachments stored in memory

A while back I was looking for a way to send e-mail attachments in CFMX without writing data to disk. That solution uses the JavaMail API to directly send an e-mail with attachments to an SMTP server. This method also completely bypasses the CF mail spool.

Charlie Arehart linked to the article from an article he wrote about storing CFDOCUMENT and CFREPORT contents in a variable. In the comments on his post, Jon Wolski posted a solution that uses the built-in ColdFusion tags CFMAIL and CFMAILPART. So, I thought I'd re-do my original example using Jon's technique in this post—just so you can see an example of both methods.

Below is some source code that will show you how to use the CFMAIL tag to send a multipart message that contains:


Sending e-mail attachments in CFMX without writing data to disk

One of the many projects I'm currently working on is some code to delay the sending of e-mails until a specified window of time. We're generating some report data for clients during the off-hours, but the clients want the results e-mailed no earlier than 8am.

Our reports often contain images or other attachments that need to be included in e-mails. One issue I really don't like about the implementation of CFMAIL in CFMX is that it requires attachments to be written to disk before you can send the mail. This means if I want to use the CFMAIL tag to deliver delayed e-mails, I would have to manage attachments until I'm sure the message is delivered. I don't like that solution, so I set out to see if there might be other ways of generating attachments from binary data in memory. This led me to researching the JavaMail API—which is the API that CFMAIL uses behind the scenes.

I quickly learned that even CFMX v7.02 still uses JavaMail v1.3.1—which is an older version of the API. One of the issues in v1.3.1 is that it does not include any classes for taking a binary stream from memory and converting it to an attachment. It comes with a FileDataSource class—which will read in a file and convert it to the correct data source. This might be the reason that Macromedia/Adobe requires the file to be written to disk.
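What both of the e-mail posts above are after, a multipart message whose attachments are built from bytes in memory and handed straight to an SMTP server with nothing ever touching disk, shown as an added example. This uses Python's standard `email` library rather than JavaMail or CFMAIL, so it is a different stack from the blog's, but the shape of the message is the same; the addresses and the attachment bytes are constructed for the example.

```python
"""Build a multipart mail with in-memory attachments and verify what a
receiving client would decode (added example, not the blog's CF/JavaMail code)."""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default


def build_report_message(sender, recipient, subject, body_text, attachments):
    """attachments: list of (filename, mime_type, bytes) held entirely in
    memory. Nothing is written to disk at any point."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body_text)          # the text/plain body part
    for filename, mime_type, data in attachments:
        maintype, subtype = mime_type.split("/", 1)
        # add_attachment base64-encodes the bytes and sets
        # Content-Disposition: attachment; filename="..."
        msg.add_attachment(data, maintype=maintype, subtype=subtype,
                           filename=filename)
    return msg


def attachment_summary(raw: bytes):
    """Parse a serialized message back and return [(filename, decoded size)],
    i.e. what the recipient's client would see."""
    parsed = message_from_bytes(raw, policy=default)
    return [(part.get_filename(), len(part.get_payload(decode=True)))
            for part in parsed.iter_attachments()]


# Constructed sample data: a PNG-like header padded with zeros (not a real
# image) and a small CSV, both produced in memory rather than read from disk.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
REPORT_CSV = b"client,total\nacme,1200\n"


def demo_message():
    return build_report_message(
        "reports@example.com", "client@example.com", "Nightly report",
        "Your report is attached.",
        [("chart.png", "image/png", FAKE_PNG),
         ("report.csv", "text/csv", REPORT_CSV)],
    )


if __name__ == "__main__":
    msg = demo_message()
    # To deliver it, hand the message object to an SMTP server directly:
    #   import smtplib; smtplib.SMTP("mail.example.com").send_message(msg)
    # which, like the JavaMail approach, bypasses any mail spool.
    print(msg.get_content_type())
    print(attachment_summary(msg.as_bytes()))
```

Because the message object is serialized only when it is sent, a delayed-delivery scheduler can hold the attachment bytes in the message itself and never has to clean up temporary files.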


Using Eclipse v3.1 and Subclipse v1.0.3 with newer versions of TortoiseSVN

I recently upgraded a few of my installations of TortoiseSVN to the latest revision. Ever since doing this, I've been unable to use Subclipse v1.0.3 (in Eclipse v3.1) to change repositories that have been touched with TortoiseSVN. This is because the newest version of TortoiseSVN uses v1.4 of the client libraries and Subclipse v1.0.3 is based on the old v1.3 client files.

Since one of my development boxes only has Eclipse w/Subclipse, it's been a pain to deal w/this compatibility issue. So, this morning I set out to find a solution to this issue.

Fortunately, I was able to find a post by Mark Phippard that addresses solving this issue (well, for Subclipse v1.1.6 anyway). I did run into an issue that apparently doesn't affect the newer version of Subclipse, but since I'm still using Eclipse v3.1 at the moment, I'm stuck using Subclipse v1.0.3.


CFMX UDF: Parsing a URI into a struct...

Ever needed to parse a qualified URI to examine a URL for specific information? I'm working on some code that needs to examine links in a document and extract information about the links.

To make sure I was doing things by the spec, I made sure to check out RFC2396. Fortunately, the RFC has a nice little regular expression for breaking a URI into its core pieces: scheme, authority, path, query and fragment.

However, those core portions are still pretty broad. The authority can include user info, domain and port information. The path can include embedded parameters inside each segment. So, I took the core regular expression to break up a URI and then I do further parsing on the authority and path portions of the URI.
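The approach described above, worked through as an added example in Python rather than as a CFMX UDF. The first regular expression is the one from RFC 2396 Appendix B; the authority and path-segment breakdowns that follow it, the `is_web_link` check and the sample URIs are this example's own, not the blog's code.

```python
"""Split a URI per RFC 2396 Appendix B, then break down authority and path
segments (added example, not the blog's UDF)."""
import re

# RFC 2396, Appendix B: scheme, authority, path, query, fragment are
# groups 2, 4, 5, 7 and 9. Every group is optional, so it matches any string.
URI_RE = re.compile(
    r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?")

# Second level (this example's own pattern): server-based authority of the
# form [userinfo@]host[:port]. IPv6 literals in brackets are not handled.
AUTH_RE = re.compile(r"^(?:([^@]*)@)?([^:]*)(?::(\d*))?$")


def _query_pairs(query):
    """'a=1&b' -> [('a', '1'), ('b', None)]; %xx escapes are left as-is."""
    pairs = []
    for item in query.split("&"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        pairs.append((key, value if sep else None))
    return pairs


def parse_uri(uri: str) -> dict:
    m = URI_RE.match(uri)
    scheme, authority = m.group(2), m.group(4)
    path, query, fragment = m.group(5), m.group(7), m.group(9)
    info = {
        "scheme": scheme, "authority": authority, "path": path,
        "query": query, "fragment": fragment,
        "userinfo": None, "host": None, "port": None,
        "segments": [],
        "query_pairs": _query_pairs(query) if query else [],
    }
    if authority is not None:
        a = AUTH_RE.match(authority)
        if a:
            info["userinfo"] = a.group(1)
            info["host"] = a.group(2)
            info["port"] = int(a.group(3)) if a.group(3) else None
    # Each path segment may carry ';name=value' parameters (RFC 2396 section 3.3).
    for seg in path.split("/"):
        if seg:
            name, *params = seg.split(";")
            info["segments"].append({"name": name, "params": params})
    return info


def is_web_link(uri: str) -> bool:
    """True only for http/https; when examining links in a document, anything
    else (javascript:, data:, relative links) deserves a closer look."""
    scheme = parse_uri(uri)["scheme"]
    return scheme is not None and scheme.lower() in ("http", "https")


if __name__ == "__main__":
    # Constructed sample URIs.
    for u in ("http://user:pw@www.example.com:8080/docs/report;v=2/index.html?id=42&flag#top",
              "mailto:someone@example.com",
              "../images/logo.png?x=1"):
        print(u, "->", parse_uri(u), is_web_link(u))
```

Note that the RFC regex never fails to match, so a relative reference such as `../images/logo.png` simply comes back with `scheme` and `authority` set to `None`, which is how the parser tells a relative link from an absolute one.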


Fiddler Issue: Slow running HTTP requests on local IPs (i.e. 192.168.1.*)

For those of you using Fiddler HTTP Debugger (which is a great tool I've blogged about many times in the past), there appears to be an issue when using IP addresses. This is especially noticeable when using private subnet IP addresses (such as 192.168.1.*).

The problem I was seeing was that requests to my developer server slowed to a crawl when using Fiddler. Speed to external domains was working fine. If I turned off capturing, speed resumed. I finally was able to figure out that by setting up a DNS entry, speed would resume.

Since this was slowing me down, I sent Eric Lawrence, the developer of Fiddler, an e-mail message reporting the problem. He was very quick in researching the problem.