First of all we’ve outlined how to deal with some of the dependency issues we had not yet dealt with, such as less-than, less-than-or-equals-to and not-equals. Additionally we outlined how to deal with situations where a dependency defines 2 or more requirements (such as ["> 1.0.0", "<= 2.0.0"]). We’ve also added in support for listing all known versions of a specific gem by moving the notion of the latest gem version so it uses a prefix of latest and then putting one PTR for each version of the gem on the gem domain name.

In addition to working on the details of the spec we also got some data loaded! Thanks to the work Jeremy did previously on his Gemology project a lot of the code had already been written. I spent some time working on moving the code we needed into the rubygems-dns project while Jeremy worked on exporting the existing specs we needed from his database and writing an import script. While the implementation is far from complete I’m happy to say that you can actually query the DNS server now and answer questions with it.

First a query to list all of the versions of a gem. We’ll use the Sinatra gem as an example:


dig @ns8.dnsimple.com sinatra.index.rubygems.org PTR


The result will be an unordered list of PTR records, with each record representing a version with the version number in reverse order:


sinatra.index.rubygems.org. 86400 IN PTR 1.3.0.sinatra.index.rubygems.org.
sinatra.index.rubygems.org. 86400 IN PTR 0.1.0.sinatra.index.rubygems.org.
sinatra.index.rubygems.org. 86400 IN PTR 5.1.0.sinatra.index.rubygems.org.
sinatra.index.rubygems.org. 86400 IN PTR 6.1.0.sinatra.index.rubygems.org.
sinatra.index.rubygems.org. 86400 IN PTR 7.1.0.sinatra.index.rubygems.org.
sinatra.index.rubygems.org. 86400 IN PTR 0.2.0.sinatra.index.rubygems.org.
...snip...


So the first line indicates that there was a 0.3.1 version of Sinatra and line 2 indicates there was a 0.1.0 version of Sinatra.

Next, let’s get the latest version:


dig @ns8.dnsimple.com latest.sinatra.index.rubygems.org CNAME



latest.sinatra.index.rubygems.org. 600 IN CNAME e.0.3.1.sinatra.index.rubygems.org.


This shows us that 1.3.0.e is the latest sinatra version published (as of the snapshot).

Next, we can query for PTR records for that same name:


dig @ns8.dnsimple.com latest.sinatra.index.rubygems.org PTR



latest.sinatra.index.rubygems.org. 600 IN CNAME e.0.3.1.sinatra.index.rubygems.org.
e.0.3.1.sinatra.index.rubygems.org. 86400 IN PTR 1.tilt.index.rubygems.org.
e.0.3.1.sinatra.index.rubygems.org. 86400 IN PTR 1.rack.index.rubygems.org.


This shows us that the version 1.3.0.e has two runtime dependencies, tilt and rack, and that they require the latest version of the 1.x releases for each of those. We can then use:


dig @ns8.dnsimple.com 1.tilt.index.rubygems.org PTR


To show us that the latest version:


1.tilt.index.rubygems.org. 600 IN CNAME 2.3.1.tilt.index.rubygems.org


That’s it for now. There is more work to do, like encoding the <, <=, != and dependencies with 2 or more requirements, but this will at least give an example how this all might actually work.

The idea is this: make it easy for customers to assign a domain name to a particular resource. Specifically a customer should be able to buy a domain and then give out subdomains to others or allow them to purchase a subdomain. There should be an API of course, and the whole thing should be really easy to use.

As soon as the article was posted I started receiving tweets from people asking if this might be something interesting for DNSimple to consider. From a technical standpoint it makes sense that DNSimple could do this, likely as a separate service. I started thinking about how it could be implemented and came up with the idea of using NAPTR records as the mechanism for software to query to determine what URL a domain name points to. The second thing would be to include a URL forwarding entry so that if you hit the domain with a browser then you’d be redirected to the resource.

Let’s look at an example:

• Assume I have the domain anthony.com delegated to the name servers for this service.
• If I create an entry for twitter.anthony.com and point it to http://twitter.com/aeden then
• If I `dig twitter.anthonyeden.com naptr` then I would see
• twitter.anthony.com. 3600 IN NAPTR 0 1 "u" "n2u:uri" "!^.*$!http://twitter.com/aeden!" .
• If I browse to twitter.anthony.com then I would be URL forwarded to http://twitter.com/aeden with a 301 Redirect.

The concept is pretty straightforward. I’ve already created a simple prototype, but before I go any further I wanted to find out if there are other people interested in a service like this. Would you be willing to share revenue on sales of subdomains? Would you be willing and interested in integrating NAPTR DNS lookups in your software as a way to resolve a domain name to a URL?

Edit: There seems to be some question as to whether or not NAPTR records are really needed. Here’s why I think they are: A 301 redirect will work, however this means that a redirector server has to be hosted by the service that is providing the delegation, in addition to name servers. NAPTR, with adoption by clients (like browsers) means that the DNS record alone could provide all the details that client needs to make its next move. I think that this is a much more scalable long-term solution and thus I would propose that both a URL forwarding system and NAPTR records are useful for a redirect service.

The publicized motive for not having wifi is as follows:

“nowificonferences comes from the desire to give priority to people and interactions. We want people to come listen and share with each other. By removing the WiFi, we remove useless distractions so that the conference really happens between visitors, speakers and staff.”

It’s a reasonable desire but they’ve taken the wrong approach to achieve their goal. Here’s why:

1.) Not having WIFI only punishes those of us who do not have a 3G device, of which there are some, but likely not the majority, especially at a technical conference. Developers with 3G devices will still be online during talks, they will still find a corner to go have a conversation with someone online and likely some of them will even turn their devices into hotspots so others can use their connection.

2.) Not having WIFI means that having hands-on exchanges around specific technical projects or specific web sites becomes much more cumbersome for many and impossible for others. For a conference that is billed as being about the web it’s absurd to not have open and ready access to the web. When I go to a technical conference I often have at least one exchange that involves pulling out a laptop and showing off a site that’s being worked on or code that is interesting. Again, my guess is this will *still* happen, but over 3G.

3.) There are other means that encourage people to talk and share ideas that are more effective. For example, BizConf 2010 used Improv as a means to get the entire conference engaged in an activity that both broke the ice and encouraged attendees to learn the names of those around them. Many technical conferences are now running hacking spaces at the conference so people can get together and program, exchange techniques and ideas and share. Finally more than a few conferences are running parallel unconferences where people can create adhoc groups around topics of their choosing. All of these ideas approach the issue in a creative way rather than a way that penalizes attendees.

Aside from these reasons there are other practical reasons Wifi matters, from the ability to get emergency work done if necessary to the ability to dig deeper into an idea presented by a presenter to the simple act of following an interesting speaker on Twitter during their talk. These things will still happen, but no one will be thanking the organizers of Sudweb for making it happen.

Most likely the outcome of this decision by Sudweb will be that people who are disappointed by the lack of WIFI just won’t come to the conference at all. This is the real tragedy because the goal is to get people to show up and communicate face-to-face yet there’s a good chance that conversations that would have been will now never be.

Update 1: I just realized another aspect of Sudweb’s choice that bothers me. By dictating that there will be no WIFI because they want it to be about people connecting they are essentially treating their audience like children who need to be told how to behave. Rather than assuming that I, as a mature adult and conference attendee, can choose when, how and with whom I interact at a conference, they attempt to dictate this by setting certain conditions.

While I was there I gave a talk called “Why Ruby, Why Now?” at the first dyncon as well as a talk titled Harnessing Cucumber at Valtech Labs. The first talk was an introduction to Ruby. I have been itching to give an introductory talk for a while and I’m glad this gave me the chance. The audience was a bit more knowledgeable about Ruby than I expected, so some of the items weren’t new to them, however I believe there was still enough in the talk to keep people interested. I also blazed through it since it was right before lunch so maybe people were enthralled merely by my lightning-fast presentation skills. The presentation is available online on Github: https://github.com/aeden/presentation_why_ruby and was created using Scott Chacon’s Show Off.

The second talk I gave was an intermediate to advanced talk on Cucumber where I covered a lot of what I have learned about Cucumber over the last year of using it. Cucumber has become an important part of my test suites because it allows me to test the experience of using my software. This talk covered some of the various command-line switches and cucumber.yml configuration options in the first section and then moves onto testing APIs and CLIs. I’ve found that testing both of these interfaces to my applications has helped tremendously in improving the application and at the same time providing a safety net for refactoring, which is exactly what I want from Cucumber. This talk is available as a PDF and was created using Keynote.

I appreciate the support from both of the audiences and the discussions that followed both talks and I look forward to the opportunity to visit Stockholm again in the not-to-distant future. Thanks as well to Peter Svensson for putting together dyncon and to Peter Lind for opening up the Valtech offices for my talk there.

I started considering the idea of using Superfeedr well over six months ago, but still had concerns about their stability and viability – ultimately I got over that and realized that I need to outsource this part of chi.mp. This week I finally pushed out code for chi.mp that uses SuperFeedr’s PubSubHubBub hub to receive feed updates. Initially I used their XMPP interface, however after repeated encouragement from Julien @ Superfeedr I made the switch over to PubSubHubBub with only a small amount of work.

I still have to move a bunch of feeds over to use Superfeedr but I feel at least part of the burden of managing all of these various feeds beginning to leave my shoulders, and for that I am very thankful.

What are the specifics? For $10/month you can to manage up to 50 domains using DNSimple. Each domain can have as many records as you need. Our DNS servers are updated almost instantly as you add records to your domain. We support TTL times as low as 1 minute. Repetitive changes can be set up as templates and we already include a default template for setting up Google MX records for domains that host their mail at Google.

I look forward to getting feedback on what you think of the service, what could be improved and what if anything would keep you from adopting it. You can either contact me via email or send me a message on Twitter. Thanks!

First of all let’s look at the most obvious attack vector, which is pretty simple: a malicious user would enter a script into the person name field and save that and then it would execute the script when the person is rendered in the person list. First I verified that this attack vector worked, and yes it did work, so then I considered where the value entered by the user needed to be sanitized. It’s pretty straightforward to sanitize the rendering when Rails is involved, just add the h() helper before the name output in the listing, so line 4 of index.html.erb becomes:

This is a fairly standard idiom in Rails (not necessarily the best way to sanitize user input, but the most common way to do it). This fix only fixes the problem when the page is rendered by Rails, but it does not address the issue for items that are added via Ajax, and here is where things get a bit tricky.

You’d think that sanitizing user input in JavaScript would be fairly easy, and to be clear you can do it with the JavaScript escape() function, however this results in some pretty ugly percent-encoded content (which may or may not matter to you. I was curious though whether there was something similar to the h() helper in Rails available in JavaScript. There is but finding it proved to be a bit of a challenge.

What I ended up doing what searching Stack Overflow for solutions that others had come up with and eventually landed upon this bit of code: http://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/plugin/html-sanitizer.js. Unfortunately this bit of code by itself doesn’t work unless you have another JS library (html4) and that library requires building with Ant. Fortunately additional searching led me to a minified version with everything already compiled. I’ve included this minified library as html-sanitizer-minified.js and added a call to html_santize before rendering the person name in the JavaScript as such:

..and it works. I’ve deployed this fix to http://rails-jquery-unobtrusive.heroku.com/ and have updated the github repo so you can see the changes in action.

So is this the best solution for handling user input and avoiding XSS when you want to build HTML in JavaScript? I’m not sure. It’s probably not the only solution so feel free to add yours in the comments below. Also, consider this a warning if you are developing JavaScript code that builds and renders HTML: tainted user input is a threat and you need to deal with it.

If you want to go straight to the code it is available on Github: http://github.com/aeden/unobtrusive-jquery-example. I have also put a live demo on this up on Heroku: http://rails-jquery-unobtrusive.heroku.com.

Rather than going through all of the steps needed to set up a Rails app, the best thing to do is to follow along in the code from the example above.

First let’s take a look at the PeopleController (app/controllers/people_controller.rb):

This looks like a fairly normal RESTful controller. The one exception is the delete method, which will be used by browsers that have JavaScript turned off to provide a page that 1.) confirms that the record should be deleted and 2.) has a form that can post to the destroy method.

Next, let’s take a look at the index view:

There is a list of people with each person having a delete link next to their name. The delete link points to /person/:id/delete which will execute the delete action that I mentioned above (I’ll show you how to remove the “/delete” part of that link with JavaScript later). There is also a form for adding a new person. Note that there is no JavaScript in this page, just normal HTML elements with classes.

While we’re looking at views, let’s look at the only other view, the delete view:

This is just a simple form that confirms that they want to delete the user and provides a cancel link back to the people_url if they don’t. Note that the form tag uses the REST-ful URL for accessing the resource and sets ‘_method’ to ‘delete’ in the hidden field tag.

Finally, let’s take a look at the most complicated bit, the jQuery JavaScript. To make things easier to follow I’ll go through it piece by piece, starting with the document ready handler:

This is the jQuery way for executing code when the document has finished loading. All it does is call two methods, one for connecting up the add form and one for connecting up the delete links. To keep things organized and namespaced a bit I placed these two methods onto a JS object called ‘Actions’. First, the connectAddForm implementation:

This function finds the form element with the class “people” and attaches an event handler to the submit event. When the form is submitted an AJAX POST is made. The data type is JSON, which will call the ‘create’ action in the people controller with the accepts type set to a value that triggers Rails to render JSON as the response. The form is serialized and passed as data and when a successful response is received a bit of HTML is appended to the people list and the person name field is cleared.

Now for the connect delete links JavaScript:

Here each element that is in the people list that matches the selector a.delete and adds a click handler to it. Notice that I used the jQuery live method here, the benefit being that as new records are added, and new elements that match the selector expression are added automatically get the click handler that I define here. This saves me from the trouble of having to add the handler each time that a record is added to the page. The click handler first finds the li that it may eventually delete, displays a confirmation message to the viewer and if they confirm that they want to delete the record it will post via AJAX to the /person/:id URL with the method ‘delete’. The URL is pulled from the anchor’s href attribute and the ‘/delete’ is removed using a simple regular expression replace. Upon a successful delete the li that was found earlier is hidden using the slideToggle() function.

That’s it. You can try this in a browser either with JavaScript turned on, in which case it’ll use all of the JavaScript goodness, or you can turn of JavaScript and see the magic of graceful degradation. I hope you’ve enjoyed reading this little tutorial and if you have any suggestions on how to improve the code in the project please feel free to fork the github project, make your changes and send me a pull request. I’ll add any cool mods into the tutorial as I can.

Update: I’ve published a follow-on article that talks about changes to the code for this tutorial to handle sanitizing user input both in Rails and in JavaScript. I suggest reading it to understand XSS vulnerabilities that you need to deal with when accepting user input.