
No, the 3D view can help you spot when someone has already injected content into your page.

But not really, because most of the time, the "content" injected into your page is a script tag, which doesn't show up in the 3D view.


You're correct that the script tag will not show. However, we train our testers to use special characters, including < and >, in their test data. It happens that the environment in which we spotted the vulnerability was our QA environment.


The 3D view definitely makes it a bit more visible, but as someone who has spent a considerable amount of time testing XSS filters, it's not all that useful, since you generally know exactly where in the output your input will be, and also because looking at the raw output (not the constructed DOM tree) is a better way to identify XSS vulns.

It's a cool observation nonetheless, and props for catching XSS vulns in your QA environment, not production ;)
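The QA practice in the thread above (seeding test data with `<` and `>`, then reading the raw response rather than the parsed DOM) is easy to automate. The following is an added example, not code from the thread or from any project mentioned in it: `escapeHtml` is the encoding a server should apply before interpolating untrusted data into an HTML context, and `checkReflection` classifies, from the raw response body, whether a constructed marker came back encoded or verbatim. The marker value and the two render functions are assumptions made up for the demonstration.

```javascript
// Added example (not from the HN thread): a QA-style check for reflected markup.
// Map of characters that must be encoded before untrusted data lands in HTML text
// or attribute content.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Contextual output encoding for an HTML body/attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Harmless test string a tester would put in a form field: it carries the
// characters that matter without doing anything. (Constructed sample value.)
const TEST_MARKER = '<qa-marker-7>';

// Hypothetical template that encodes before interpolating (the correct form).
function renderSafely(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Hypothetical template that interpolates raw input (the defect under test).
function renderUnsafely(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Classify how the marker shows up in a raw response body. Checking the raw
// text, not a parsed DOM, avoids the browser "repairing" the markup first.
function checkReflection(body, marker = TEST_MARKER) {
  if (body.includes(marker)) return 'verbatim';           // markup preserved: HTML-context injection
  if (body.includes(escapeHtml(marker))) return 'encoded'; // correctly escaped
  return 'absent';                                         // input not reflected at all
}

// Stand-alone run over both templates.
for (const render of [renderSafely, renderUnsafely]) {
  console.log(render.name, '->', checkReflection(render(TEST_MARKER)));
}
```

A marker that is deliberately inert still distinguishes the three outcomes, so the same check can run against every response in a QA suite without putting executable payloads into test data.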


Agreed. The 3D view is definitely a cool thing, no doubt, but I'm not really seeing it as being of much use for preventing XSS vulnerabilities. That being said, I think the author of the post recognized this and was just sharing that it could rarely help.


Agreed. It's good to be aware of it as a developer.

In our case it was lucky that we happened to view a page with a vulnerability, and there happened to be data that would be interpreted as an HTML tag. However, I believe in probability. Nothing is certain and so we try to put in place practices that will increase the probability of finding errors, etc.

The 3D view is just another little wrench in our toolbelt that increases our odds.


What, in your eyes, is a better indicator of Hacker News liking or not liking something? Is it the over 400 points or the stream of hate coming at them in the comments?

Sometimes these redesigns reek of audacity, sometimes they're just not done very well. In any case, hostility is not necessary to make that point. The situation is not so dire that we need to be mean to someone to tell them we don't like something. It's hard to share what you've done with the world, and it's even harder when many people from a community you respect will shit on you in the case you overlook something.

I don't mean to be impolite, but don't try and pass off your anger that something has 400 points on Hacker News as some sort of tough-love criticism.


Has anyone else experienced the slowness the author described with Vim? I think it's possible he may be experiencing slow terminal update time (the OS X terminal is really slow in the scenario he described) instead of Vim being the culprit. MacVim, for example, doesn't have this problem, in my experience.


Did he edit the article? I don't see anything about vim being slow.


ClearType is a technique used to smooth fonts on LCD displays. OpenType is a font format. Perhaps you meant to say TrueType?


I am not certain about this, but I think true TrueType fonts are only slightly improved by font smoothing technologies like ClearType and Quartz. Whereas fonts made specifically to be used with ClearType look like utter crap on LCDs without it.

And that is Microsoft's way to embrace and extend TrueType fonts in a proprietary way, making them look like shit without the Microsoft proprietary ClearType.

Obviously this can't be true for all fonts, but if enough people running MS Windows on LCDs experience the difference, then perhaps Microsoft can create the perception that ClearType is essential for any font to look good.

That's what I was trying to get to above: Microsoft has clearly embraced web fonts; will it also try to extend them in a proprietary way?


In ruby 1.9, I/O is asynchronous in threads. This is a clever joke that many people who didn't read the code fell for...


In ruby 1.8, I/O is asynchronous in threads too...


I highly doubt writers can work the same way. Anyone doing any type of creative work needs these types of breaks. Similarly, one article published without adequate editing/fact-checking can do wonders to destroy the credibility of a blog...


Similarly, one article published without adequate editing/fact-checking can do wonders to destroy the credibility of a blog...

Try reading an article on anything you are an expert in, from any newspaper.


To be fair, newspapers aren't written for experts. That doesn't excuse a lot of crap from newspapers, but they're writing for an audience that isn't necessarily well-versed in all the subjects, for better or worse.


The point isn't that they should pander to experts. The point is that they're wrong more often than they're right; seriously, factually, inarguably incorrect.


I don't think he's referring to the fact that newspapers aren't written for an expert audience. I think he's referring to their routine inaccuracies and errors. That's what I get from it, being an expert who's cringed at quite a few press articles.


The errors aren't acceptable, but the inaccuracies are almost always because reporters try to dumb down a concept so much that the concept loses all nuance. It's basically as if Simple English Wikipedia were the norm.


aka the Gell-Mann Amnesia Effect


I agree, but maybe this would explain why most TechCrunch articles are so bad.


From experience, creative writing (i.e. fiction, journal columns (life blogging), reviews, even a lot of non-fiction) is hard to force. It takes a lot of breaks and 'spur of the moment' events, to the point that I use my iPhone for writing so when I get that urge it doesn't matter if I'm on lunch at my day job or waiting at a bus stop, or as is often the case, on the toilet.

Newspaper journalism, I believe, can be forced. IMO it's like high school essay writing: you find your source and you just learn to churn. With some newspapers this can be so bad that you notice the 'filler' attempts, where about 2/3 of the way through they go into "summary" mode and simply pad the ending of the article with the exact same info they had in the first 1/3.

By 'from experience' I mean I've worked as a reviewer, I've got my own personal blog (one of my pieces actually hit the front page of HN back in the 1Q of 2011 IIRC, and a few have popped up other places) and I'm now pushing through for a novel - I've had one short story published and a lot of editor comments (which is great, I've never received a form rejection letter, even from places that are notorious for them; my problem is that with a short story I see little point of struggling to edit it on the chance someone might say yes, when I might as well learn my mistake and write something else because there's always the chance a story will grab an editor and they'll say 'hell, I can fix the mistakes' - and having worked as a reviewer I trust editors to fix problems I don't know are problems)

Like the guy who posted the automated sports writer, it's not difficult to take the stats and say "Campbell scored a last-minute goal, winning the game" when Campbell was the last person to score and it happened in the last minute of play. It's merely filtering data and rewriting a standard comment.

It's not far from news of a house fire: did the house burn down? yes/no; if no, make 'devastating' comment. Were people caught inside? yes/no; if yes, did they survive? yes/no; if no, make 'tragedy' comment; if yes, did they escape? yes/no; if yes, make 'valiant escape' comment / if no, make 'heroic rescue' comment.

It's quite different when you have to write 200 words from a basic formula with 20 keywords, compared to writing 80,000 words from a basic formula with 20 keywords. Yes, Star Wars and Harry Potter might have the same basic principles (orphan, living with aunt and uncle, special powers, special connection to main antagonist). However, I never fail to be amused when someone says it's unoriginal or a rip-off, but those same people will read article after article on their sports teams and not think it's ripped off when the articles are probably written by an intern in a coat closet switching words on a template. But simply Vader being or not being Luke's father would have made a major story diversion (i.e. Luke wouldn't have gone to Endor to confront his father, Vader wouldn't have turned good and killed the emperor, etc.)


A year late to Apps users? Google+ launched on June 28 of this year...


position: absolute; much?

