dans.blog


The miscellaneous ramblings and thoughts of Dan G. Switzer, II

Protecting your HTML pages from Spam Harvester Bots

Today I was reading a post on a message list and someone mentioned they were using a function to generate their mailto: links using HTML entities instead of the ASCII characters in order to prevent spam harvesters from snagging the e-mail address. The problem with this method is that it would be pretty easy for a harvester to re-encode the HTML entities back into the correct ASCII characters.

This got me thinking that the best method would involve using JavaScript to write out the link. In order for a spam harvester bot to parse out the e-mail address, they'd have to understand the context of the page. This means they'd either have to actually parse the page into a DOM object and parse the DOM, or they'd have to have specific knowledge of the function and reverse engineer the links to the function. Either method is probably more than what most harvesting bots are going to use (although this could always change.)

So, I spent a few minutes and whipped up the following code. The spamProtector() JS function takes in an array of ASCII character codes, which will be used to generate the mailto: links. I obfuscated the document.write() statement by breaking the string into chunks in order to throw off any parsers looking for certain strings.
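
An added example, not the post's spamProtector() code (which is not shown on this page): it compares how much of an address a text-only pattern match sees in entity-encoded markup versus a character-code array rendered by script. All function names and the sample address are hypothetical.

```javascript
// Added illustration; names are hypothetical, not the post's spamProtector().

// Weak approach: every character becomes a numeric HTML entity.
function entityEncode(text) {
  return Array.from(text, ch => `&#${ch.charCodeAt(0)};`).join("");
}

// Why it is weak: one regex pass over the page restores the original text.
function decodeNumericEntities(html) {
  return html.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
}

// Character-code approach: the page source carries only numbers in a call.
function emailToCodes(email) {
  return Array.from(email, ch => ch.charCodeAt(0));
}

// Runs in the visitor's browser. The output is escaped so the codes cannot
// inject markup, and "mailto:" is split into chunks as the post describes.
function renderMailto(codes) {
  const email = String.fromCharCode(...codes);
  const safe = email.replace(/[&<>"']/g, ch => `&#${ch.charCodeAt(0)};`);
  return '<a href="' + "mail" + "to:" + safe + '">' + safe + "</a>";
}

// Naive address pattern of the kind a text-only harvester applies.
const ADDRESS = /[\w.+-]+@[\w-]+(\.[\w-]+)+/;

// Reports whether the pattern matches each page variant, raw and entity-decoded.
function exposure(email) {
  const entityPage = `<a href="mailto:${entityEncode(email)}">mail me</a>`;
  const scriptPage = `<script>show(${JSON.stringify(emailToCodes(email))})</script>`;
  return {
    entityRaw: ADDRESS.test(entityPage),
    entityDecoded: ADDRESS.test(decodeNumericEntities(entityPage)),
    scriptRaw: ADDRESS.test(scriptPage),
    scriptDecoded: ADDRESS.test(decodeNumericEntities(scriptPage)),
    rendered: renderMailto(emailToCodes(email)),
  };
}

console.log(exposure("dan@example.com")); // constructed sample address
```

The entity-encoded page gives up the address after a single decode pass, while the script variant exposes it only to something that executes the script or knows the function.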



Yahoo! releases new User Interface Library JavaScript APIs

Yahoo has released a pretty impressive collection of JavaScript libraries on their Developer Network. The new libraries are a collection they're calling Yahoo! User Interface Library. The new UI library consists of about everything you need to build modern web applications—AJAX (Connection Manager), animation effects, drag-n-drop effects, event handlers and a basic DOM umbrella for miscellaneous DHTML handling.

They've even released a few nifty UI controls (widgets) that seem pretty feature rich. These include a Calendar, Slider and a TreeView control. The slider control seems very solid and I like the "task" mode of the TreeView control (it allows you to place checkmarks next to the tree items—which would be useful in removing nodes from a tree.)

I'd also recommend checking out the new Yahoo! User Interface Blog, which is designed to talk about changes and additions to the UI Library. They've also published a Design Pattern Library which talks about common design problems and provides some solutions. The Design Pattern Library has an interesting entry on "Auto Complete", but they have not yet posted any actual code.



SeeFusion Trace Tag

I was needing to do some debugging on a live server today. I had some code that was not performing the way it should have been, so I wanted to use SeeFusion's trace() method to dump out some information to the debug log so I could find out exactly what line was causing the problem.

Anyway, instead of invoking a reference to the SeeFusion Java object, and manually putting in trace() methods, I thought I'd write up a little CF tag that would manage the creation of the object in the Request scope and dump out the trace methods for me, as I felt this would speed up being able to quickly insert a SeeFusion trace.

There's nothing fancy going on here, but I thought I'd just share the tag in case it saves anyone some time. I'd recommend saving this file as "seefusion.cfm" in your default ColdFusion Custom Tag directory. That will make it available to any template without having to worry about any mappings.



Adaptive Path releases excellent Date Slider widget

The guys over at Adaptive Path have released a Flash-based Date Slider that can be controlled via JavaScript.

The Date Slider widget is pretty darn slick. What makes this Date Slider unique is that it is designed to show a bar graph of results and you use the slider to narrow down to a specific date range. You could then use the selected range to zoom in on the data, or maybe show a detailed report history from that time frame. Here's a screenshot:

mm_date_slider.gif



Microsoft releases "official" WMF patch

A follow up from my blog post on Wednesday. Looks like peer pressure really got to Microsoft. An official patch to the WMF vulnerability was released late yesterday. If you don't have your PC set to automatically update, make sure to go visit the Windows Update site (make sure you're using Internet Explorer) and patch your system ASAP.

So much for Microsoft sticking to their patch release schedule. Personally, I'm glad they didn't wait. They should be releasing patches as they're available. If corporations want to wait and release things on a schedule, that's fine, but let us contractors and personal users fix our computers as quickly as possible.


WMF Hotfix for nasty Windows vulnerability

This isn't exactly breaking news, but there's a very nasty bug in Windows 2000, XP and 2003 that has just recently been revealed, being called the "WMF vulnerability." The bug has to do with a vulnerable function in the GDI32.DLL library that can allow a malicious hacker/web site to install a virus/spyware on your computer.

What makes this bug extremely dangerous is any program that views images (such as Internet Explorer, Firefox, etc) is vulnerable.

Microsoft is claiming that there will not be an "official" patch for this bug until next week. However, this thing is nasty enough that everyone running Windows 2000, XP or 2003 should take some kind of action now.



New Version of Fiddler HTTP Debugging Proxy Available - Critical Security Update

I just noticed that there's a new version of Eric Lawrence's Fiddler HTTP debugging proxy available. This update claims to be a critical security update and it's recommended you update immediately.

For those of you who don't know, Fiddler is a great tool for monitoring the HTTP traffic on your box. If you're doing any kind of RPC (web services, Flash remoting, AJAX) over HTTP, then this application is a must have.

Here's what's in the new version:



Firefox - Upgrade JavaScript Console Extension

Jim Rutherford over at Digital Media Minute blogged about a next generation JavaScript console which is a Firefox v1.5 extension called Console².

This extension adds a lot of necessary functions to the Firefox JavaScript Console window (which is renamed "Error Console") such as: sorting errors, filtering errors by type (CSS, JS, XML) and you can even search over the errors.

One tip, the "Clear" button isn't on the toolbar by default. To add it you'll need to right-click the toolbar and choose "Customize". Not sure why they didn't add the "Clear" button by default—seems like a button that's absolutely necessary. I know it's a button I use pretty much any time I have the JavaScript console open.


MD5 Collision Attack Code Released

I missed this on Slashdot (since I rarely read it anymore,) but thanks to Cameron's blog post I caught this piece of news. The first code has been released that shows how to find collisions in the MD5 algorithm. Essentially this means two completely different source files can be salted to produce the same string. In a nutshell, if you're relying on an MD5 hash to guarantee the integrity of a file, you have problems—especially if you're relying on it producing unique, secure hash strings.

For a good layman explanation of the problem and the exploit, Magnus Daum & Stefan Lucks have published a really good article over at CITS titled Attacking Hash Functions by Poisoned Messages "The Story of Alice and her Boss".


Programmatically Reading ColdFusion's Mail "Spool Interval" Setting

I was working on some code today and needed to determine what the value of the "Spool Interval" was in the CF Administrator. After playing around for a few minutes, this is what I came up with. This code uses non-documented functionality, but I've tested the code under CFMX 6.1 and CFMX 7 and it seems to work fine. Obviously, if Macromedia changes the internal workings of ColdFusion, this code may break in the future.

<!---// create a reference to the CF ServiceFactory //--->
<cfobject
    action="create"
    type="java"
    class="coldfusion.server.ServiceFactory"
    name="oFactory"
    />

<!---// get the mail spool service //--->
<cfset oMailSpool = oFactory.getMailSpoolService()>
<!---// get the mail spool interval schedule in seconds //--->
<cfset iSpoolInterval = (oMailSpool.getSchedule() / 1000)>


BlackDog - Portable USB-Powered Linux Server...

Came across this pretty cool little product called BlackDog. It's basically a 400MHz PowerPC Processor with Debian-based Linux in a plug-n-play USB box. Could be a very useful portable development server. Check it out.

BlackDog offers open source developers an exciting new platform for mobilizing software applications. BlackDog represents a new breed of device that redefines what a 'computer' is. It can be programmed to carry your applications, data, web sites, desktop look and feel, with you, wherever you may go.

Develop applications and deploy them on BlackDog then launch and automatically project them onto a Windows PC. Design an interface, spin and run a web site, run a video game.

Program It — Port It — Plug It — Pull It, throw it in your pocket and do what you will with it — With BlackDog you 'can' take it with you!


Firefox Tip: Use Multi-line URLs When Pasting Into The Address Bar

Andrei Zmievski posted a cool little blog entry on how to get Firefox to parse a multi-line URL. This tip is very handy when cutting and pasting URLs from an e-mail or from a message board where the URL spans multiple lines.

Here's another Mozilla/Firefox tip: if you copy a URL wrapped over multiple lines from somewhere and try to paste it into the address bar, you will end up only with the first line of it. To fix it, go to about:config and change editor.singleLine.pasteNewlines setting to 3 or add:

user_pref("editor.singleLine.pasteNewlines", 3);

to your user.js file. Now all the line breaks will be removed upon pasting.

This has always been a big pain in the arse. In the past I've always ended up having to open up a text editor, paste the URL and then strip out the new lines. This will be a real time saver!


Is This Really Mac OS X v10.4.1 Running On A PC?

Gizmodo posted a screen shot of someone supposedly running Mac OS X v10.4.1 via a VMWare session. While I'm hoping this news is true, I suspect this is probably a fake screenshot. I've looked through VMWare's web site and can't find anything about upcoming support for the Mac OS X. I suspect this is just a rumor based on the fact that Apple has announced their plans to move to Intel-based processors.

However, given the fact that Apple is making this move, it would seem feasible that you could write a virtual machine to emulate the Apple specific hardware. It sure would be nice to be able to open up a Mac OS VM to test sites on the Mac. ;)


Getting A Thread Dump From CFMX Using StackTrace...

Brandon Purcell spawned off a series of interesting blog posts today when he posted his Obtaining a Thread Dump with ColdFusion or JRun running as a Windows Service. He talks about an application called StackTrace which you can use to get a trace dump of any running Java process (including applets running in the browser.) I downloaded the application, but have yet to install it.

Anyway, Brandon's post spawned off an interesting post by Steven Erat in which he points to the Debugging Stack Traces in ColdFusion MX technote on Macromedia's web site.

Both of these posts are worth reading and will definitely be useful for debugging in those times where CF crashes unexpectedly.


Remote Control Your User's PC via a URL...

Sean Tierney blogged about a pretty cool little open source project called UltraVNC Single-Click.

Basically if you're running Windows and you need tech support from me, I point you to an executable on my site and it gives me VNC control over your system. What this means is no more 30min tech support sessions with relatives walking them through the process of troubleshooting a faulty device driver or some other obscure problem over the phone ("what do you see now?"). No matter what computer they're working on you send them to a URL and take control of their system remotely and let them watch how you fix it. And if you want to take it a step further and preserve the solution as a movie so they can reference it later, use this cross-platform VNC2SWF screen recorder (like camtasia only for a VNC session).