Archive for the 'web' Category

blog backup online - out of beta

Friday, March 14th, 2008

I’ve been using the blogbackuponline beta since last April.

It just works.

Now it’s out of beta. I recommend it. (I’d recommend it even if Techrigy didn’t offer a small incentive to share the experience.)

blog backup

Wednesday, April 25th, 2007

I participated in the public beta of BlogBackupOnline.com, and since then the service has gone live, and, for now, free. Signing up is relatively effortless, and now I have an extra up-to-date copy of my blog content without any administrative effort on my part.

They don’t back up image content yet, but they’re working on it. I haven’t tried using their restore feature to migrate from one platform to another, but it looks like that would be a lot easier than my previous export/import from Radio UserLand to Movable Type to WordPress.

Cross Site Cooking

Monday, January 30th, 2006

Michal Zalewski identifies a new class of attacks that he dubs Cross Site Cooking:

There are three fairly interesting flaws in how HTTP cookies were designed and later implemented in various browsers; these shortcomings make it possible (and alarmingly easy) for malicious sites to plant spoofed cookies that will be relayed by unsuspecting visitors to legitimate, third-party servers.

While a well-coded web application should be designed to resist attacks from hostile HTTP clients, these new attacks turn every browser into a hostile HTTP client, and it’s a good bet that many web applications are hanging on a pretty thin thread of “this can’t happen” assumptions, soon to be violated. Expect a large number of embarrassing vulnerability reports to ensue.

[via http://del.icio.us/emergentchaos/new.attack.class%3F]

The right way to create pop-up windows

Friday, July 30th, 2004

Aaron Boodman:

Forget everything you know about creating pop-up windows. Most importantly, forget you ever knew that the javascript pseudo-protocol ever existed. Do you hear me??

Never, ever, ever use the javascript: pseudo-protocol for anything, ever ever ever ever again. Please. Pretty please. The next time I click on a hyperlink, only to have it cause an error in my browser, I am going to hunt down the author and pound them into holy oblivion.

and the correct code is as follows:

<!-- A real href keeps the link usable when scripting is off or the link is
     bookmarked or middle-clicked; the onclick opens the popup for normal
     clicks and returns false so the browser does not also follow the href. -->
<a
href="http://google.com/"
onclick="window.open(this.href, 'popupwindow',
'width=400,height=300,scrollbars,resizable');
return false;"
>
Click me any way you desire, now or later, bookmarked or not. I will not attempt to control you, nor punish you, for I am a simple hyperlink; eager to do your bidding, while remaining ever helpful. I anticipate desires, but never trample possibilities. This is the way of the Link.
</a>

See also the comments for subtleties, such as pop-up forms.

[Via Jim O’Halloran]

unescaped, escaped, double-escaped

Friday, March 19th, 2004

Tim Bray explores the mess related to escaping HTML/XML information:

The policy ideally should be, I think, that all data in the Your Code block has to be known to be escaped or known to be unescaped. That is to say, you always do escaping on the data at the pointy end of the input arrows, or you never do it.

I think always-unescaped is a little better, since some of those output arrows might not be XML or HTML, but probably they all are; so always-escaped is certainly viable.

and then it gets worse, as treatment of HTML in RSS aggregators varies.

The same problem presents itself in cross-site scripting and code injection attacks. It’s the bane of macro language beginners too, whether it’s shell or troff.
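As an added illustration of the policy Tim Bray describes (this is not code from his post, and the names escapeHtml, Html, toHtml, html and demo are my own), the following shows the three states in the title, unescaped, escaped and double-escaped, and one way to make the "always-unescaped inside Your Code" rule mechanical: application code only ever holds raw strings, and a single output layer escapes each value exactly once, passing through values already marked as markup. The sample string is constructed.

```javascript
// Added example, not from the original post: enforce "always unescaped in
// Your Code" with a small marker type so that escaping happens exactly once,
// at the pointy end where text leaves the program as HTML/XML.

// Escape the five characters that matter in HTML/XML text and attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Marker for text that is already markup. Only the output layer creates
// these; application code passes plain strings around and never escapes.
class Html {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// The single escaping point: plain strings are escaped once, Html values
// pass through untouched. This is what makes double escaping impossible.
function toHtml(value) {
  return value instanceof Html ? value : new Html(escapeHtml(value));
}

// Tagged template for building markup: every interpolated value goes
// through toHtml(), so literal markup stays markup and data stays data.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => { out += toHtml(v).markup + strings[i + 1]; });
  return new Html(out);
}

// Show the three states from the post title on a constructed sample value.
function demo() {
  const title = "Tom & Jerry <script>alert(1)</script>"; // unescaped (constructed)
  const once = escapeHtml(title);                        // escaped
  const twice = escapeHtml(once);                        // double-escaped: "&amp;lt;..."
  // With the marker type a second pass is a no-op: an Html value is not re-escaped.
  const viaPolicy = toHtml(toHtml(title)).markup;
  // Data is escaped once; markup that the output layer itself vouches for is not.
  const page = html`<h1>${title}</h1><p>${new Html("<em>trusted</em>")}</p>`.markup;
  return { once, twice, viaPolicy, page };
}
```

The double-escaped form ("&amp;lt;") is what shows up in aggregators and templates when two layers each assume the other has not yet escaped; the marker type removes that ambiguity by making escapedness part of the value rather than a convention.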

Ten XForms Engines

Monday, December 29th, 2003

Micah Dubinko, author of XForms Essentials, lists his favorites on XML.com: Ten Favorite XForms Engines

It turned out that progress on XForms technology was happening so rapidly anything in print would have been quickly outdated. An online approach seemed more sensible.

[via Slashdot]

BitTorrent for RSS content distribution

Monday, December 15th, 2003

Steve Gillmor: BitTorrent and RSS Create Disruptive Revolution.

My first reaction: a good idea.

On second thought, it’s all a question of balance and tradeoffs.

  • Most RSS publishers are low volume and the cost of supporting a small number of RSS pollers is insignificant.
  • Since BitTorrent’s intended application is content distribution of large files, for small sites the cost of supporting BitTorrent downloads of tiny RSS files may exceed the cost of HTTP polling.
  • At some point in the subscription curve, the multitude-of-pollers model becomes too costly and the publisher wishes they had figured out a content distribution mechanism instead.
  • Sites transitioning from low-traffic to high-traffic HTTP slam their foreheads in just the same way. So it’s not a new issue.
  • The solution for HTTP has been to wait until you need it, then build or buy high-end content distribution. Replicate. Akamize. This works, except when it doesn’t. (Most web servers are small and are subject to the Slashdot effect.)
  • There is currently no trivial smooth transition from small to large.
  • A low-overhead automatic ad-hoc content distribution network would be great for both RSS and HTML distribution. Maybe BitTorrent fits that bill, maybe something else. Further research is called for.

How to link without PageRank

Tuesday, December 2nd, 2003

Justin Mason: How to link without PageRank

Growth predictions for RSS syndicated content

Tuesday, August 12th, 2003

Phil Wolff: “a klog apart: The syndicated blogosphere will reach 300 million feeds in 3 years” covers the basic architectural scaling issues related to widespread adoption of RSS. Polling a single site can’t last forever. New protocols for publish, subscribe, multicast, flood will be invented. Old protocols (NNTP) may even revive.

CSS diatribe

Friday, August 1st, 2003

Jamie Zawinski posts an interesting diatribe entitled CSS is BS.