Leveling-Up at Javascript: Understanding the Confusing Bits

This week I presented at cf.Objective() 2014 in Bloomington, MN. As always, the conference was wonderful, the people were great, and the fun was plentiful. I met some new people, and saw lots of old friends.

I presented on Thursday afternoon and had a full room. It felt wonderful to have such a popular session, but I apologize to those who had to stand in the back.

Anyway, here is my slide deck. Please feel free to offer your feedback, positive or negative. If you attended the conference, please do so (for my session and others that yo attended) in the conference mobile app. Otherwise, feel free to leave a comment or send me a message through my contact form.

Leveling-Up at Javascript: Understanding the Confusing Bits (PDF)

Thank you speakers and attendees for making this cf.Objective() another wonderful event. As a member of the Steering Committee and Content Advisory Board (CAB) I cannot thank you enough for your work, attendance, and your delightful personalities. I look forward to seeing you all again next year at the 10th cf.Objective() conference, May 12-15, 2015 at the Radisson Blu - Mall of America, Bloomington, MN.

See you then!


Dynamically loading the correct PhoneGap.js file for Android or iPhone

I am in the process of putting together a mobile development class and have been trying to figure out the best ways to get students who are new to PhoneGap and Mobile development going on cross-platform development. One of the issues I have been trying to solve is the fact that PhoneGap apps use a different phonegap.js file on each platform. This is a problem that I do not feel is well documented and one that is not easily and cleanly solved.

Since PhoneGap applications require these different JS files I have been unable to find a good way to start building a PhoneGap application in, for example, Eclipse with the Android Development Tool as an Android project and then be able to quickly and easily switch over to XCode and launch the same application as an iOS app. I always need to go and replace the phonegap.js file with the iOS one first and then switch it back before I go back to working in Android. Not a great workflow.

I could probably solve the problem with custom build scripts. I could set up build scripts for both iOS and Android to properly retrieve the correct file and stuff it into the build prior to compilation, but this is not something I want to take the time to do in the classroom (I also don't want the students to have to worry about trying to set up ANT at home). This also prevents me from having an application that can simply be downloaded from GitHub and run without modification. It's also more code to manage. I would need to maintain X number of build scripts (one for each platform) for all of my projects. Sounds like a PITA.


XSS mitigation in ColdFusion, Part 1: Understanding HTML Contexts - Security Series #8.5.1

A long, long time has passed since my first post on Cross-Site Scripting. Looking back on it now, I realize that I have learned a lot since then. I do not think that post cuts the mustard anymore and I will need to do some writing to make up for that.

In the meantime, the topic of XSS came up on a discussion board a few weeks before I started writing this, and again on Ray's blog today, and I wanted to take some time to explore it in more depth. One common misconception about XSS mitigation in ColdFusion is that the best way to handle it is to use HTMLEditFormat() to output any user generated data. I had this same misconception for a long time and have helped to spread it.

While it is true that HTMLEditFormat() can stop many attacks in many locations in your applications, it is not a catch all for XSS. HTMLEditFormat() only works in the HTML block content context of your applications. Your applications have several other contexts where, if you use dynamic code, you can open up XSS vulnerabilities that HTMLEditFormat() cannot stop.

In this post, we will discuss these contexts, what the are, and why they need to be treated differently.


Practical Ajax Security on the ColdFusion Meetup this Thursday

This Thursday at 12:00 EST I will be presenting "Practical Ajax Security" for the Online ColdFusion Meetup.

This is a presentation that I did at cf.Objective(), CFUnited, and NCDevCon. I am very pleased to be able to now present it online for those that could not attend those events.

Here is the topic description:

ith the introduction of Rich Internet Applications (RIAs) over the last several years, it seems that everyone is jumping on the RIA bandwagon. But is any thought being given to what might need to be done to ensure that our Web 2.0 applications are secure? Or are they are not introducing new vulnerabilities into existing applications? In this presentation, we will look at some of the security issues that can arise from introducing Ajax into your applications and about how to mitigate the risks of opening up remote services for Ajax.

I look forward to seeing you there.


As always, thank you to Charlie Arehart for all you do for the community and for continuing the Online ColdFusion Meetup for all this time. It is, without question, one of the most valuable resources for our community.

What's Possible with XSS? - Security Series #8.1

So now that the hacker has discovered an XSS vulnerability in your site, what can he do with it? A JavaScript alert('XSS') seems pretty harmless, doesn't it?

Once a malicious user has discovered an XSS vulnerability in your web application, the sky is really the limit. The potential damage also goes beyond the scope of just your site and your users.

Here are a few examples of nefariousness that could be perpetrated via XSS in a website. A hacker could:

  • use the credibility of your site to run a phishing scheme
  • steal your users' passwords
  • hijack your users' sessions
  • try to launch an attack against the site administrator (you)
  • redirect your users to another site (gambling, porn, Google, affiliate link, whatever)
  • display inappropriate or mis-informative messages to your users
  • Or anything else that could be done with client-side executable code

How would they do those things? It's actually quite simple.


My Presentation slides from cf.Objective, NCDevCon, and CFUnited

I keep forgetting to do this. Sorry :(

I have given three presentations so far this year, and I will have 2 or three more et before the end of the year. Here are the slides for the first three in both Keynote and PDF formats.


My review of NCDevCon 2010

This last weekend I attended, and spoke at, NCDevCon 2010 in Raleigh, NC. As expected, NCDevCon was a great conference put on by an amazing crew of dedicated volunteers.


The content of this conference was very different than last year's CFinNC. Personally, I think the content this year appealed to a much wider audience. Last year's conference was clearly more focused on ColdFusion, CFML and Flex. This year, the focus seems to be more on Web Development, RIA's, and more general topics, yet with hands-on sessions that promoted the education of non-CF and Flex people on those technologies. I thought it was a great plan.


I will be speaking at cf.Objective() 2010 on Security Topics (duh)

I received word last week that two of the topic proposals I submitted to the cf.Objective() planning committee were accepted. I am very excited and honored by this. It's nice to know that people think what I have to say is worth while.

You may have guessed that I will be talking about security, since that seems to be what I enjoy talking about most. But this year will be a little different.


Using SQLite Databases with AIR - Part 7 - Looping over Query results (also with jQuery)

I think that I have neglected to cover one of the most important parts of working with SQLite databases in Adobe AIR, and that is how to get the results out of the query. We talked about making queries, parameterizing queries, using transactions with queries. But I don't think we have covered getting the data out of the queries.

So let's do that.


Using SQLite Databases with AIR - Part 6 - Transactions

Transactions is SQL statements are something that I have come to love. I'm sure you have too. But for those that don't know what transactional control in a database management system is, we'll start with a definition.

Usually, when doing multiple SQL statements in a row in an application, each SQL statement is handled as a atomic unit and is committed permanently to the database before the next one is run. This can be very problematic when those queries depend on each other to work properly to maintain data integrity.


More Entries

BlogCFC was created by Raymond Camden. This blog is running version 5.9.1. Contact Blog Owner