YUI Version 2.2.2: Bug-Fix Release

April 19, 2007

Version 2.2.2 of the Yahoo! User Interface (YUI) Library is now available.

Usually this kind of update means downloading the new scripts, dropping them into your development folder, and ultimately updating the server. But since YUI is also serving the minified scripts from Yahoo! servers, downloading the release is optional: all you may have to do is replace references to “http://yui.yahooapis.com/2.2.0/” with references to “http://yui.yahooapis.com/2.2.2/”.

Of course, any decent IDE will do the search and replace for you, so it’s not any more work. We simply trade updating our local copies of the scripts with touching all the files that use the script. Since my team wasn’t checking in the YUI scripts, it’s actually less work, since only one of us has to do it once, and we don’t have to touch the server at all.

One handy result of the trade-off is the potential for mixing and matching versions. The 2.2.2 release is supposed to be a bug-fix, though the beta (repeat: beta) DataTable saw some significant internal changes. In fact, my DataForm widget can’t use the new version (yet). But, no worries, I changed that reference back to 2.2.0 and it’s running, giving me breathing space to sort out the problem. (Which I’m sure will be yet another case of me pushing the envelope, and the envelope pushing back!)

Meanwhile … the YUI release notes are helpful but high-level. That’s not a bad thing, but if you are working closely with the library, and perhaps building your own widgets on top of YUI’s, then it can also be helpful to have a line-by-line change log. Towards that end, I’ve checked in the last two YUI releases to the Yazaar project. Having the releases under SVN means that we can obtain DIFFs between versions and review the line-by-line changes. To keep the YUI archive out of the way, I tucked it under the branches folder. (Gotta love Subversion!)

Of course, I’ll be resolving my DataTable glitch today, and looking to see if Jenny Han Donnelly and company slipped in any new goodies.


Fortifying Ajax

April 10, 2007

Last month, Fortify Software posted a white paper describing a security exploit dubbed JavaScript Hijacking. Being a slow news month, a number of online journals trotted out “the end is near” headlines.

Of course, Ajax development groups have been quick to post responses to the “advisory”. Despite the hyperbole, engines like Dojo, GWT, and YUI are not “vulnerable”. Certain applications using Ajax engines may fit a “vulnerability profile”, and if so, there are simple and concrete steps that developers can take.

If your Ajax application exposes sensitive data via raw JSON, do this:

  • Enclose JSON responses in JavaScript comment characters, and
  • Strip the comments before parsing the response

Click. Done.
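The two steps above as a matched server/client pair, written as an added example for this post (it is not code from the original post, from Fortify, or from any of the toolkits named here). The reasoning behind the wrapper: a third-party page can only reach a same-origin JSON endpoint by loading it in a `<script>` tag, and a script whose entire body is a block comment evaluates to nothing, so the data never reaches any constructor or setter that page may have overridden. Only the legitimate client, which reads the raw response text through a same-origin XMLHttpRequest, can strip the wrapper. The function and variable names are my own; the one edge case handled is a `*/` sequence inside the data, which would otherwise close the comment early.

```javascript
// Added example, not code from the original post or any library it names.

// Server side: emit the JSON body inside a JavaScript block comment.
// Any "*/" inside the serialized data would end the comment early and let
// the remainder execute as script, so escape the slash as "\/" (a legal
// JSON escape that JSON.parse turns back into "/").
function wrapJsonResponse(payload) {
  const json = JSON.stringify(payload).replace(/\*\//g, '*\\/');
  return '/*' + json + '*/';
}

// Client side: accept only responses that carry the comment wrapper,
// strip it, and parse the remainder. A response that is not wrapped is
// treated as a server-side mistake and refused rather than parsed.
function unwrapJsonResponse(text) {
  const body = String(text).trim();
  if (!body.startsWith('/*') || !body.endsWith('*/')) {
    throw new Error('response is not comment-wrapped JSON; refusing to parse');
  }
  return JSON.parse(body.slice(2, -2));
}

// Constructed sample data, including the awkward "*/" case.
const sampleRecord = { user: 'alice', note: 'end*/comment', balance: 42 };

// Round-trip demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  const wire = wrapJsonResponse(sampleRecord);
  console.log('on the wire:', wire);
  console.log('parsed back:', unwrapJsonResponse(wire));
}
```

The client-side check is deliberately strict: it does not try to "find" JSON inside an unwrapped response, because a server that forgets the wrapper has reintroduced the problem, and failing loudly in development is how you notice.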

Like many security issues, the “vulnerability” is mainly a developer education issue.

The Dojo Toolkit is providing patches in version 0.4.3 “to inform developers of the potential risks their server-side components may be exposing them to and making it even easier to do the right thing on the client side”.

The Yahoo! User Interface (YUI) Library is now adding a specific header to each request. The server side code looks for the header and refuses to service the request if the header is absent or not valid.
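What the server-side half of that header check can look like, as an added example that is not the YUI library's own code or the original post's. The post does not name the header; the `X-Requested-With: XMLHttpRequest` pair used here is an assumption, as are the function names. The check works because a browser will not let a cross-site `<script>` tag or a plain form submission add custom request headers; only script running on the same origin, calling XMLHttpRequest, can set one, so its presence marks the request as coming from your own page rather than from a page that merely carries the user's cookies.

```javascript
// Added example, not code from the YUI library or the original post.
// Header name and value are assumptions; the post does not name them.
const REQUIRED_HEADER = 'x-requested-with';
const REQUIRED_VALUE = 'XMLHttpRequest';

// True when the request carries the marker header with the expected value.
// Header names are compared case-insensitively, as HTTP requires; the
// value is compared exactly after trimming surrounding whitespace.
function isAjaxRequest(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === REQUIRED_HEADER) {
      return String(value).trim() === REQUIRED_VALUE;
    }
  }
  return false;
}

// Decide how a JSON endpoint answers: the data when the marker is present,
// 403 with an empty body otherwise. Returning a plain status object keeps
// the decision testable without standing up an HTTP server.
function serveJson(headers, payload) {
  if (!isAjaxRequest(headers)) {
    return { status: 403, body: '' };
  }
  return { status: 200, body: JSON.stringify(payload) };
}

// Constructed sample requests: one from the application's own XHR, one as a
// <script src> load from another site would arrive (cookies, no marker).
const sameOriginXhr = {
  Host: 'app.example.test',
  Cookie: 'sid=constructed-session-id',
  'X-Requested-With': 'XMLHttpRequest',
};
const scriptTagLoad = {
  Host: 'app.example.test',
  Cookie: 'sid=constructed-session-id',
  Referer: 'http://other.example.test/',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('same-origin XHR  ->', serveJson(sameOriginXhr, { secret: 1 }));
  console.log('script-tag load  ->', serveJson(scriptTagLoad, { secret: 1 }));
}
```

Refusing with an empty body matters: a 403 that still echoes the JSON would defeat the purpose, since the script tag does not care about status codes.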

For more about securing Ajax applications, see

Since many developers were not aware of this exploit, it is a Good Thing that a White Hat brought it to our attention before the Black Hats did. Though, I hope the next White Hat takes the high road and alerts the development group first. That way, we can have a response out the day the alert is posted, rather than a week or two later.

But, of course, if you happen to be a security consultant, a blindside brouhaha is not bad for business!


But wait, there’s more …

April 8, 2007

This site is being used as part of my April “Tour de Blog”.

Visit JRoller for the complete Macaroni archive.