When to use explicit string or from a constant string - string

In terms of strings, I understand the need to have strings I am going to reuse wrapped away somewhere in an XML file or configuration section, for strings such as Company Name.
The problem I am having with this is where to draw the line between using configuration and locally expressed strings.
What decides whether to have the string content wrapped away in a configuration file or to just have the string assigned there and then in a method?
Where I am corporate branding a site, then yes, any corporate aspect strings I will put in a configuration file. Other aspects such as file locations etc. will also go in a configuration file.
However, I have found myself discussing this with others when I do it as opposed to having an explicit string defined within a method.
Do you have certain criteria that define when to use strings from a configuration section as opposed to being explicitly defined in a method?

Use configuration when you need to be able to change functionality without redeploying/recompiling.
If your string is reused within your application but the functionality involved is not something you want to be configurable, use a constant.

Related

Storing and retrieving files in Blockly Web

I want to use Blockly to do some calculations, and then generate text files (as opposed to exporting code to JavaScript, Python, PHP, etc.)
I can’t see an obvious way to create my own blocks to do this in Blockly, so using AppInventor (Version: nb168), I got storing and retrieving files to work, in a crude test app on my Android tablet.
In AppInventor/Designer mode, clicking Storage/File creates a “Non-visible component for storing and retrieving files. Use this component to write or read files on your device.”
Then, in AppInventor/Blocks mode, clicking the “File1” icon gives access to 7 “file type blocks”, e.g. AppendToFile, Delete, ReadFrom, SaveFile, etc.
Is it possible to create similar “file type blocks” to use in Blockly Web?
I have limited programming knowledge, so would appreciate simple answers, please.
Thanks, Pete.
Andrew N Marshall from Google/Blockly has told me this:
"This is absolutely possible ...as long as you are willing to work within the browser's security restrictions. The resulting files will need to be manually "downloaded" one at a time, rather than written directly to the user's file system.
... I would start understanding what JavaScript functions are available to you. Attempt to construct a string and save it via a download dialog...
That means the "file" contents are really just a string in memory, a JavaScript variable. We have lots of "Text" blocks that can do a variety of operations on strings. If those are enough, you'll only need one new block to identify the string variable and initiate the download process.
Otherwise, you'll need to think about what blocks you want, and how they operate. They may operate on a specific variable in the JavaScript VM, not necessarily exposed as a variable to Blockly.
Either way, you'll need to learn how to create a block and a Blockly app. We have a code lab that will walk you through all the steps. You'll learn how each block generates a string of code, and in your case, that code will be related to the download code I mentioned earlier."
So I'll press on - I just wanted to be sure my goal is actually achievable before I started.
Thanks, Pete.

Changing multiple Target Paths for multiple Reference Components

I need to change the target path for each reference component in a page and have been doing it manually. There are about 1000 of these and it's taking forever. Is there a way to replace a certain part of all the Target Paths at once? Essentially, I just need to replace a part in the string i.e. "/us_ck" with "ca_ck."
You can use the Bulk Editor, if you turn on the import feature for it. You could also use the CQ Groovy Console, and write a Groovy script that makes that change for you. This is probably the better way to go.

CDI injection of string values from XML / deployment time specification of values

In Spring it is possible to define string values (eg: server names, user names, passwords etc.) in an application context XML file. These can be modified per deployment (eg: testing, production etc). Can I do the same in CDI? If not, what is the accepted pattern for handling the deployment time specification of values?
You would need to create a portable extension to do that, there isn't anything out of the box for it.

Javascript override Request.Form("foo") for security (XSS)

I've got some source code that has some cross site scripting vulnerabilities in it. There is no input validation that happens when the browser sends data over to the server which is executing server-side Javascript and classic ASP (IIS 7.0).
My question is, is there a way to override the Request.Form("foo") object/method so that I can call a sanitization function too and get rid of prohibited JS/HTML? I don't want to do a find and replace on every single file everywhere Request.Form is called. I was hoping for something more elegant.
Any suggestions are appreciated.
I don't think you can change Request.Form members.
What you can do, as a partial solution, is to create a code that will run first on every page (for example, using an include directive) which loops over Request.Form, Request.QueryString etc., and if it finds suspected code, it terminates the code execution (Response.End). This solution is partial because it doesn't really sanitize input, it just drops execution when it finds suspected text.
Another option: Create an array, parallel to Request.Form. Populate this array with the same members as in Request.Form, but this time sanitized. Then, quickly do a Find-and-Replace over your whole code base, and change Request.Form to your custom array variable.
There is a way to replace the whole Request object with another COM object, but it's an insane solution and it would still require that all ASP files that use Form contain a common top include file. It's not possible to replace the Request object or one of its members globally at the application level.
The correct solution to the problem, your statement "don't want to do a find and replace on every single file everywhere" notwithstanding, is to perform such a global replace.
Despite the number of .asp files that exist, the cost is no more than knocking up a simple program to open each ASP file in a folder tree, adding an include line and replacing Request.Form.

Do you HtmlEncode during input or output?

When do you call Microsoft.Security.Application.AntiXss.HtmlEncode? Do you do it when the user submits the information or do you do when you're displaying the information?
How about for basic stuff like First Name, Last Name, City, State, Zip?
You do it when you are displaying the information. Preserve the original as it was entered, convert it for display on a web page. Let's say you were displaying it in some other way, like exporting it into Excel. In that case, you'd want to export the preserved original.
Encode every single string.
You should only encode or escape your data at the last possible moment, whether that's directly before you put it in the database, or display it on the screen. If you encode too soon, you run the risk of accidentally double encoding (you'll often see `&amp;` on newbies' websites - myself included).
If you do want to encode sooner than that, then take measures to avoid the double encoding. Joel wrote an article about good uses for Hungarian notation, where he advocated use of prefixes to determine what is stored in the variable, e.g. "us" for unsafe string, "ss" for safe string.
usFirstName = getUserInput('firstName');
ssFirstName = cleanString(usFirstName);
Also note that it doesn't matter what the type of information is (city, zip code, etc) - leaving any of these unchecked is asking for trouble.
It depends on your situation. Where I work, for years the company did no HTML encoding, so when we started doing it, it would have been almost impossible to find every location within the system that user input could be displayed on the page.
Instead we chose to sanitize input on its way into the system since there were fewer input points than output points. We sanitize immediately before inputting data into the DB, although we don't use Microsoft's AntiXss library, we use a set of homebrew methods that whitelist ranges of HTML tags and characters depending on the type of input.
If you're designing the system from scratch, or you have a system that is small (or managed well) enough to encode output, follow Corey's suggestion. It's definitely the better way to do it.
Encoding is not a property of the data, it is a property of the transport mechanism. Therefore you should unencode data when you receive it, and encode it appropriately before transmission. The transport mechanism determines what sort of encoding is necessary.
This principle holds true whether your transport mechanism is HTML, HTTP, smoke signals, etc. The trick is knowing how to do the types of encoding manually, and when various frameworks do the steps for you automagically. For instance, ASP.NET will encode data assigned to a System.Web.UI.WebControls.Button's Text, but not text assigned to a System.Web.UI.WebControls.Literal's Text. jQuery will encode content you set with .innerText(), but not content you set with .innerHtml().
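The following is an added example, not code from either thread above; it is written in JavaScript because the classic ASP thread runs server-side JavaScript, and it covers two points at once: the "parallel sanitized collection" idea from that thread (a second object holding encoded copies of the raw form fields), and the "encode at the last possible moment" point from the HtmlEncode thread, including the `&amp;amp;` artifact you get when a value is encoded on input and again on output. All function names (`htmlEncode`, `buildSafeForm`, `renderGreeting`, `doubleEncoded`) and the sample form fields are constructed for this example.

```javascript
// Added example: one HTML encoder used in two ways.
// 1) Build a sanitized twin of a form collection (the parallel-array idea).
// 2) Show why encoding once, at output time, avoids double encoding.

// Encode the five characters that matter in an HTML text or attribute context.
// '&' must be replaced first, otherwise the entities produced below would be re-encoded.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build the sanitized twin of a form collection. The input stands in for
// Request.Form and is a plain object of field name -> raw submitted value.
function buildSafeForm(rawForm) {
  const safe = {};
  for (const name of Object.keys(rawForm)) {
    safe[name] = htmlEncode(rawForm[name]);
  }
  return safe;
}

// Encode-on-output: the stored value stays raw and is encoded once when rendered.
function renderGreeting(storedName) {
  return '<p>Hello, ' + htmlEncode(storedName) + '</p>';
}

// What happens when a field was encoded on input and is encoded again on output.
function doubleEncoded(rawValue) {
  return htmlEncode(htmlEncode(rawValue));
}

// Constructed sample submission: an ampersand and an injected script tag.
const SAMPLE_FORM = {
  firstName: 'Tom & Jerry',
  comment: '<script>alert(1)</script>',
};

const safeForm = buildSafeForm(SAMPLE_FORM);
// safeForm.comment === '&lt;script&gt;alert(1)&lt;/script&gt;'
// renderGreeting(SAMPLE_FORM.firstName) === '<p>Hello, Tom &amp; Jerry</p>'
// doubleEncoded(SAMPLE_FORM.firstName) === 'Tom &amp;amp; Jerry'  (the artifact)
```

Rendering a value taken from the already-encoded `safeForm` through `renderGreeting` reproduces the same `&amp;amp;` artifact, which is the concrete reason the thread recommends preserving the raw input and encoding only on output.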
