New bike
April 2nd, 2012 | Sport
Spring is here and I finally went down to the bike store to get my new bike! It’s a cyclo-cross, so basically an off-road-capable road bike. Will be doing some modifications soon to make it more touring-friendly (e.g. adding lights, a bottle holder, a rear rack and bags). And of course a cyclocomputer (the old one is busted and I left it in Singapore) and perhaps even a bike GPS.
Did a short ride yesterday, roughly 40 km. Felt good but will definitely need a more comfortable saddle for longer distances. Hoping for good weather over the next couple of weekends to start training for a 300 km bike trip to the Alps!
Ruby conference: wroc_love.rb
March 2nd, 2012 | Conference
I just heard about wroc_love.rb happening next weekend and so grabbed tickets at 55 EUR instead of the full price. Psyched to visit Poland for the first time, though I wish I had more time there! Interesting line-up of talks, so this should be good.
Unrestricted and secure web surfing
September 5th, 2010 | General, Linux
One major annoyance when surfing the web from Internet-censoring countries like China and the UAE is being unable to access websites I frequent, such as Flickr.
Fortunately, there are many ways to circumvent this. The most common method is to change your web browser’s network configuration to use a proxy server located in a country that does not censor the Internet. This demand has spawned an entire industry of free and paid proxy and VPN services.
My preferred solution is to tunnel web traffic from my laptop through my desktop computer in Germany. It is over VPN so it is secure, trusted, and free. Since I’m running Linux on both computers, setting up the tunnel is as easy as running the following command on my laptop:
ssh -C2qTnNf -D 8080 sentosa.suse.de
Here -D 8080 opens a local SOCKS proxy on port 8080 whose connections are forwarded through the remote host, -N and -T run no remote command and allocate no terminal, -n detaches stdin, -f sends ssh into the background once authenticated, -C enables compression, -2 forces protocol version 2 and -q suppresses warnings. Then change the network connection settings of my web browser to use SOCKS host 127.0.0.1 on port 8080. That is all.
Network proxy settings in Google Chrome.
Updated LAMP stacks on SUSE Gallery
September 2nd, 2010 | Linux, SUSE Studio
It has been some time since openSUSE 11.3 was released, so I figured it is about time I updated my LAMP (Linux, Apache, MySQL, PHP/Python/Perl) appliances on SUSE Gallery, which were based on openSUSE 11.2.
Here are the links to the appliances (login required):
Cross-site scripting protection in Rails
June 20th, 2010 | Coding, Rails
Cross-site scripting (XSS) is a type of vulnerability found in many websites. It is a loophole that allows malicious users to inject arbitrary JavaScript into pages served to other users, causing annoying pop-ups or redirects or, worse, stealing account and session information from those users’ cookies.
XSS is avoided by escaping all user-supplied content before it is rendered. Unfortunately many web frameworks don’t do this automatically, leaving developers with the tedious and error-prone task of escaping or scrubbing every single user input field that is displayed.
One can easily test whether a site is vulnerable to XSS by copying and pasting the following JavaScript snippet into a form field whose contents will be displayed (e.g. in a blog post comment):
<script> alert("XSS vulnerable!"); </script>
If you get a pop-up displaying the message “XSS vulnerable!” when you reload the page, then you’ve just succeeded with XSS injection.
Preventing XSS injection (and other types of attacks) consistently throughout our site is very important to us. As the number of developers in our team and the amount of code committed daily grew, it became increasingly difficult and time-consuming to ensure that every single user-submitted field was handled safely.
At the time (early 2009), we were using Rails 2.1.2 and although there were several plug-ins like SafeERB and xss_terminate, they did not fit our needs exactly. We liked xss-shield, but it only worked for Rails 1. So I rewrote it to work with Rails 2.1 and later updated it for Rails 2.3. Since then rails_xss has emerged as the de facto XSS plug-in (it is merged into Rails 3) and so we have switched over to that (thanks to André Duffeck who did the actual work).
I’m very glad that Rails 3 now escapes all strings in views by default, which is really the sane thing to do. If you’re using Rails 2 and not already using rails_xss, I suggest that you do so as soon as possible. Since it is part of Rails 3, it will make the Rails 2 to 3 migration a tad easier too. If you’re still on Rails 2.3.5, use this version.
Here’s a summary of how the different plug-ins and Rails versions handle strings in views:
                        Unescaped output                 Escaped output
Rails 2 (no plug-in)    <%= @post.body %>                <%= h @post.body %>
xss-shield              <%= @post.body.xss_safe %>       <%= @post.body %>
rails_xss / Rails 3     <%= raw @post.body %>            <%= @post.body %>
                        or <%= @post.body.html_safe %>
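To make the difference between the two defaults concrete, here is an added example in plain Ruby (not code from the post, from rails_xss or from Rails itself) that models unescaped-by-default output next to escaped-by-default output using the standard library’s ERB::Util escaper; SafeString, rails2_out, rails3_out, raw and live_script? are names assumed for the illustration.

```ruby
require "erb"

# Added example (not rails_xss or Rails code; names assumed for illustration):
# a tiny model of the escaped-by-default output that rails_xss brought to
# Rails 2 and that Rails 3 made standard.

# A String that remembers it is already safe to emit (cf. Rails 3's SafeBuffer).
class SafeString < String
  def html_safe?; true; end
end

class String
  def html_safe?; false; end
  # Explicit opt-out for markup the application itself produced or sanitised.
  def html_safe; SafeString.new(self); end
end

# Rails 2 default: <%= %> emits the value untouched, so safety depends on the
# developer remembering `h` for every user-supplied field.
def rails2_out(value, escape: false)
  escape ? ERB::Util.html_escape(value.to_s) : value.to_s
end

# rails_xss / Rails 3 default: escape everything unless explicitly marked safe.
def rails3_out(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# The `raw` helper: the one deliberate opening through which trusted HTML passes.
def raw(value)
  value.to_s.html_safe
end

# The post's manual test as a check: did a <script> tag survive rendering?
def live_script?(html)
  html.match?(%r{<script[\s>]}i)
end

# Constructed sample input: the probe string from the post and a trusted fragment.
COMMENT = %q{<script> alert("XSS vulnerable!"); </script>}
TRUSTED = "<b>Posted by the site</b>"

if __FILE__ == $PROGRAM_NAME
  puts rails2_out(COMMENT)      # script tag survives: the forgotten-h bug
  puts rails3_out(COMMENT)      # &lt;script&gt; ... : neutralised by default
  puts rails3_out(raw(TRUSTED)) # trusted markup still renders
end
```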
If you want a quick overview of XSS in Rails 3, check out this screencast.