Archive for the 'Internet' Category

Schoorbs 1.0.0 released

Finally, after about one year of development, the final, stable Schoorbs 1.0 is here! Schoorbs is a web-based room and resource booking system. Schoorbs 1.0 has the following features:

  • book rooms & resources grouped by areas
  • activity can be logged via a simple logging interface
  • code is automatically tested by several unit tests
  • easily styleable through the use of a template system
  • produces valid XHTML 1.1 output
  • packages for Debian and Ubuntu are available
  • well documented on the Schoorbs website

Since Schoorbs is a fork of MRBS, we have to mention the changes since the fork:

  • flavoured GUI with microformats
  • rewritten search interface
  • added a REST interface, so that Schoorbs can be used as a web service
  • refreshed GUI, more compact and more modern than MRBS
  • runs without register_globals=on and without an emulation of it (security!)
  • fixed several SQL injection possibilities
  • added a simple logging interface
  • removed complicated e-mail code
  • rewritten JavaScript code to work in modern browsers (using jQuery)
  • JavaScript and CSS are delivered compressed, which speeds up end-user performance (thanks to Rainpress and Packr)


Always surprised about MRBS insecurity…

While I was fixing bug #4 of Schoorbs, I noticed this part in the JavaScript code of edit_entry.php. It really represents the lack of security in MRBS. Relying on input checking by client-side JavaScript is one of the big mistakes made in the dot-com era, and it shouldn't still be made in the age of AJAX and more modern techniques.

// check that a room(s) has been selected
// this is needed as edit_entry_handler does not check that a room(s)
// has been chosen
// ({get_vocab ...} is a Smarty tag, replaced by the translated text
//  before the browser ever sees this script)
if (document.forms["main"].elements['rooms[]'].selectedIndex == -1)
{
    alert("{get_vocab text="you_have_not_selected"}\n{get_vocab text="valid_room"}");
    return false;
}

For all people who think client-side JavaScript input checking is secure: the input is not checked at all if your user does not have JavaScript enabled. And if someone really wants to do something bad, he won't even use your HTML form to send his data to you; he will add it raw to the GET parameters or the POST data, because there he is not restricted to the fields you give him.
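The check that the comment above says edit_entry_handler lacks has to live on the server, where it sees the raw request rather than the form. The following is an added example, not MRBS or Schoorbs code: it parses an application/x-www-form-urlencoded POST body the way the server would receive it (the field name "rooms[]" is taken from the snippet above; the set of known room ids and the sample bodies are constructed for the demo) and accepts a booking only if at least one room was sent, every value is a plain integer, and every id is one the application knows about. A body built by hand instead of by the form goes through exactly the same checks.

```javascript
// Constructed sample data: the room ids this installation knows about.
const KNOWN_ROOM_IDS = new Set([1, 2, 3]);

// Parse a raw form-encoded body and validate the "rooms[]" selection on the
// server side. Returns { ok, rooms, errors }; nothing here assumes the request
// came from the HTML form, so a hand-built POST body is checked the same way.
function validateRoomSelection(rawBody, knownRoomIds = KNOWN_ROOM_IDS) {
  // URLSearchParams decodes "rooms%5B%5D" to "rooms[]" and keeps repeats.
  const params = new URLSearchParams(rawBody);
  const submitted = params.getAll("rooms[]");
  const errors = [];
  const rooms = [];

  // Same condition the client-side check enforced: at least one room chosen.
  if (submitted.length === 0) {
    errors.push("you_have_not_selected valid_room");
  }

  for (const value of submitted) {
    // Room ids are database keys; accept only plain decimal integers.
    if (!/^\d{1,9}$/.test(value)) {
      errors.push(`rooms[] value is not an integer: ${JSON.stringify(value)}`);
      continue;
    }
    const id = Number(value);
    // Reject ids that do not exist, even if they look well-formed.
    if (!knownRoomIds.has(id)) {
      errors.push(`unknown room id: ${id}`);
      continue;
    }
    rooms.push(id);
  }

  return { ok: errors.length === 0, rooms, errors };
}

// Usage with a constructed body like the one a browser would POST:
//   validateRoomSelection("name=Meeting&rooms%5B%5D=2&rooms%5B%5D=3")
//   -> { ok: true, rooms: [2, 3], errors: [] }
```

The error message key mirrors the vocab entries used in the JavaScript alert, so the server can reuse the same translation; the difference is that this code runs whether or not the client executed any script at all.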

Some MRBS insiders will notice the {get_vocab …} statements, which aren't there in MRBS. They are only my Smarty replacement for the get_vocab() PHP function: I ported this page a while ago to use Smarty as a template engine, and I'm now analyzing the JavaScript code and refreshing it with the help of jQuery.


configure Thickbox dynamically

I just wanted to use one Thickbox file for several environments (the same file available under several URLs), but I noticed that I had to set the loadingAnimation image URL statically. So I thought, let's change that, and I made a patch so that you only need to set the variable TB_LoadingAnimation to the location of the image. It does not matter whether you set it before or after loading thickbox.js. Here is the code which I added at the top of the thickbox.js file; it checks whether the variable is already set and, if not, sets it to the default.

// set the location of the animation shown
// while loading the content of a Thickbox
// typeof is used so the check never throws: a bare comparison with
// undefined works here only because the var below is hoisted, and
// would raise a ReferenceError if the name had not been declared yet
if (typeof TB_LoadingAnimation === "undefined") {
    var TB_LoadingAnimation = "images/loadingAnimation.gif";
}

Later in thickbox.js I replaced the image URL with the TB_LoadingAnimation variable. For those who want to use it, here it is:
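The "set it before or after loading thickbox.js" behaviour described above comes from two things: the default is only applied when the variable is still undefined, and the variable is read when the animation is actually needed, not when the file loads. The block below is an added example, not Thickbox code, that shows both parts and the one pitfall in that kind of check: comparing a bare, undeclared identifier with undefined throws a ReferenceError, while typeof on it is safe. The probe uses indirect eval to evaluate an expression in global scope like an inline script would; the setting name and the scope objects are constructed for the demo.

```javascript
// Evaluate an expression in global scope (indirect eval) and report whether
// it threw. Used only to demonstrate the undeclared-identifier pitfall.
function probeIdentifier(expression) {
  try {
    return { ok: true, value: (0, eval)(expression) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Default from the post's snippet.
const TB_DEFAULT_LOADING_ANIMATION = "images/loadingAnimation.gif";

// What the top-of-file snippet does: apply the default only if the page has
// not set the variable yet. `scope` stands in for window (browser) or
// globalThis (Node); a plain object is used in the demo.
function applyLoadingAnimationDefault(scope) {
  if (typeof scope.TB_LoadingAnimation === "undefined") {
    scope.TB_LoadingAnimation = TB_DEFAULT_LOADING_ANIMATION;
  }
  return scope.TB_LoadingAnimation;
}

// What the patched thickbox.js does at use time: read the variable when the
// loading image is about to be shown, so a value assigned after the script
// was loaded is still honoured.
function currentLoadingAnimation(scope) {
  return scope.TB_LoadingAnimation;
}

// Usage (constructed scopes):
//   applyLoadingAnimationDefault({})                              -> default path
//   applyLoadingAnimationDefault({ TB_LoadingAnimation: "x.gif" }) -> "x.gif"
//   probeIdentifier("tbDemoNeverDeclared === undefined")          -> ReferenceError
//   probeIdentifier('typeof tbDemoNeverDeclared === "undefined"') -> true
```

In the original snippet the bare comparison happens to work because `var TB_LoadingAnimation` in the same file is hoisted, so the name is already declared when the `if` runs; move the check into a separate script that loads earlier and it would throw, which is why the typeof form is the safer spelling.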


Lightbox2 now too

Just after I converted script.aculo.us to be used with Drupal, here is my version of Lightbox2. I only provide the JS; please get the rest from the Lightbox2 homepage. I can't really say whether it works, because I haven't tested it (there was no 'rake test' test suite ;-) ). I was a long-time user of Lightbox, but when I started to care about licenses (I want to release some open-source scripts soon) I noticed that Lightbox2 is released under the CC-BY 2.5, which GNU declares GPL-incompatible, so I moved to Thickbox, which is built on jQuery and is much better when using Drupal (you need to load fewer JavaScript files).

As usual, here are the two versions of Lightbox2:


script.aculo.us for Drupal

Because there seems to be a need for prototype/script.aculo.us/lightbox2 among some Drupal users, I'll continue converting those packages into a Drupal-compatible spelling. This time I transformed the script.aculo.us library (version 1.7.0) to use $ID() instead of $(). All tests that passed with the original library also passed with the transformed one, so I hope nothing is broken. As before, I added a JSJuicer-compressed version, so that people do not need to bother about the size. Soon (maybe already within the next hour) I will upload a transformed Lightbox2 to help close a discussion at drupal.org.

In my opinion, though, people should consider writing their JavaScript with jQuery if it is only used within a Drupal environment; otherwise you still need to change it for use with Drupal, since the $() function isn't the same.
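The two Drupal posts above (this one and the Lightbox2 one) describe the same mechanical rewrite: every Prototype-style `$(` call becomes `$ID(` so it no longer collides with the `$()` that Drupal's own JavaScript defines. The following is an added example, not code from Drupal, Prototype, script.aculo.us or Lightbox2: a small rewriter that performs that substitution while leaving `$$(`, `$A(` and identifiers that merely end in `$` alone, plus a hypothetical minimal `$ID` stand-in (string id to element lookup, elements passed through) so the rewritten code has something to call. The input source and the fake document are constructed for the demo.

```javascript
// Match a bare `$(` call: a `$` that is not preceded by an identifier
// character or another `$` (so `$$(`, `my$(` stay untouched) and is followed
// directly by `(` (so `$A(`, `$F(`, `$H(` stay untouched).
const DOLLAR_CALL = /(?<![\w$])\$\(/g;

// Rewrite Prototype's $() calls to $ID() calls.
function toDrupalSpelling(source) {
  return source.replace(DOLLAR_CALL, "$ID(");
}

// Minimal $ID stand-in (hypothetical, not Prototype's real $): resolves string
// ids through the given document, passes element objects through, and returns
// a single element for one argument or an array for several. Prototype's $
// additionally extends the elements, which is left out here.
function makeDollarId(doc) {
  return function $ID(...args) {
    const found = args.map((a) => (typeof a === "string" ? doc.getElementById(a) : a));
    return found.length === 1 ? found[0] : found;
  };
}

// Constructed sample: a fragment in Prototype spelling.
const SAMPLE_SOURCE =
  "$('box').hide(); $$('.item').each(fn); $A(args); my$(1); Element.hide($('a'), $('b'));";

// Usage:
//   toDrupalSpelling(SAMPLE_SOURCE)
//   -> "$ID('box').hide(); $$('.item').each(fn); $A(args); my$(1); Element.hide($ID('a'), $ID('b'));"
```

The regex works on source text, not on a parsed syntax tree, so a `$(` inside a string literal or regular expression literal would be rewritten too; for a library like script.aculo.us that is exactly what the post relied on its test suite to catch.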

In the end: grab script.aculo.us for Drupal:
