CPTTM software developer newsletter issue #11

Dear Software Developers,

This CPTTM Software Developer newsletter is to bring useful news to you, software developers in Macau, for references without obligations, so that you can do your jobs easier and better! Hope you like it. if you'd like to unsubscribe or recommend your friends to subscribe, just let me know. Old issues are available here.

Kent Tong, Editor in Chief

Topics in this issue:

What is cross site scripting and how to prevent it?
A case study on Scrum and XP with a team of 40 people
Your app may break in IE7 and Vista
Eclipse tip (Contributed by Gary Mak)
Getting published?

What is cross site scripting and how to prevent it?

In preparing for a course on writing secure code in Java, I performed a very simple security test on four web sites (three are high profile, high traffic sites). It took me less than 10 minutes to found that two (50%) were vulnerable to a problem known as cross-site scripting (XSS). Basically it means a hacker can create a link to the vulnerable web site and send it to unsuspecting users. If a user clicks on that link, the hacker can modify the web page at wish, including creating a fake login form that sends the user's password to his own web site. If this happens to your site, this can be a disaster to the image of your organization.

How can this happen? For example, suppose that your site allows a user to enter a keyword for searching. Then the result page will display the keyword again with the search results. If the keyword is something like "<script>....</script>", your result page will output it as Javascript to be executed on the user's browser. And that script can alter the HTML page at wish.

How to prevent this? Whenever you need to output user-supplied data to a page, make sure it is encoded (e.g., convert "<" into "<"):

Technology used	How to encode the output
JSP	Use the JSTL: <c:out value="..."/>
Servlet	Use the StringEscapeUtils to encode the data
Tapestry	This is done automatically by all components unless you explicitly disable it
ASP.NET	Use the HttpUtility.HtmlEncode() method
PHP	Use the htmlspecialchars() method

A case study on Scrum and XP with a team of 40 people

Quoted:

The company was in a tough situation with high overtime, severe quality problems, constant firefighting, missed deadlines, etc.

Sounds familiar? To see how the author applied Scrum and XP to the rescue, get the paper here.

Your app may break in IE7 and Vista

IE7 in Vista runs in "protected mode" by default. Even if the user is the administrator, IE7 will still run with low privileges and will be to write to the registry or create files at arbitrary locations. This is good so that viruses can't infect the computer. However, if your app requires doing any of the above, it will break. For more details, see here.

Eclipse tip (Contributed by Gary Mak)

在Eclipse中若想為某個Method增加一些註釋，只需在Method的前一行鍵入"/**"：
javadoc

按下Enter，整個Method的Javadoc框架就會自動完成，其中還包括有Parameter的說明：

同時，在Javadoc中也可以使用Content Assist功能，例如在@param後面按"Alt + /"組合鍵則可以選擇需要說明的Parameter：

Getting published?

We have been invited by LinuxPilot to contribute articles on open source technologies such as Eclipse. If you're interested in writing articles to be published by this largest Chinese magazine in open source (and by this newsletter), let me know. Our instructor, Mr. Gary Mak will be doing so. Look for his articles in the upcoming issues of LinuxPilot.

Feedbacks

Have any questions, ideas or experiences regarding software development? Contact me at 28781313 or kent at cpttm dot org dot mo.

Until next time,

Kent Tong