MochiKit 1.4 released!
MochiKit 1.4 was released today: download, announcement.
from __future__ import *
I don't often post about open jobs at Mochi Media on my blog, but it seems that most of the awesome people we have here found out about Mochi Media from me, so I might as well ;)
Web development at Mochi Media happens primarily in Python and Pylons with Genshi templates. We're currently using mostly MochiKit for the JavaScript heavy lifting, and we talk to all of our backend services (which are either Python or Erlang) via JSON. We're using a bunch of other cool technologies such as memcached, nginx, PostgreSQL, etc. We also often contribute a lot of what we do back to the open source community (e.g. MochiKit, MochiWeb, simplejson, etc.) and would love to add some more team members who are interested in helping out with our open source efforts too! We don't require experience with all of these frameworks and tools; we just need smart people who have a really solid understanding of web development in Python.
Mochi Media runs MochiAds, a monetization platform for Flash games, and MochiBot, an analytics service for Flash content... so we've got tons and tons of data to work with and very interesting scale problems to address. Since MochiAds is our primary service, part of the responsibilities of being a Mochi employee is to approve all the latest in Flash games for paid advertisements from our network ;) There's even an internal competition to see who approves the most games each week! You can check some of them out at http://www.mochiads.com/games/
Mochi Media was founded in 2005 by Jameson Hsu and myself, and we're backed by Accel Partners and Shasta Ventures. We've got a great team and are always looking to add the best people we can find. If you kick ass at Python and love building cool apps for the web, talk to us!
This position is full-time and on-site in San Francisco, CA. We're very easily accessible by BART and Caltrain in SOMA, at 2nd st. and Mission st. More evidence that Mochi Media is a cool place to work can be found on the mochimedia Flickr photostream: http://flickr.com/photos/mochimedia
More info and application instructions are here: http://www.mochimedia.com/about/careers/#webengineer
Recently, Fortify Software has claimed that there is a pervasive and critical vulnerability in Web 2.0 with their JavaScript Hijacking paper. The way they wrote the paper is extremely misleading and was likely constructed this way on purpose to garner press and business for their company.
The first egregious dishonesty in their paper is that it analyzes client-side Ajax frameworks. This is not where the vulnerability is, nor where it's fixed. The service's intended client-side JavaScript code is not even executed during ANY PART of the demonstrated exploit! However, client-side Ajax frameworks are a hot topic, so what the hell, let's blame them.
The second is that they do not enumerate all of the preconditions required for the exploit. The client must support JavaScript setters. The only browser that I've found that supports these is Firefox. Internet Explorer 6, Safari, and Opera are NOT VULNERABLE to the specific exploit described in the paper. The paper claims that "all of the examples in the paper could be adapted to work under Internet Explorer too". Oh yeah? Prove it.
And MOST importantly, the exploit is only applicable to JSON that also happens to be valid JavaScript code. The only type of JSON that is valid JavaScript code without parentheses is a JavaScript array (or bare primitives, but those are not interesting or exploitable). That's right, the simplest fix is to always make sure you send an object on the outside, not an array.
Exploitable:
[{"object": "inside an array"}]
NOT Exploitable:
{"object": "not inside an array"}
Also NOT Exploitable:
{"result": [{"object": "inside an array"}]}
The simplest solution is to just change the JSON RFC to include a strong recommendation that only objects should be allowed as an envelope. Server-side frameworks should raise an error, or at least warn, when an array is serialized without a containing object. I notified them of this before the paper was published, but they ignored my suggestion and instead went for the more complicated suggestion of trying to add backwards-incompatible sludge to JSON.
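Here is what the "object on the outside" rule looks like as a server-side check, written for this page as an added example (it is not MochiKit, simplejson, or Mochi Media code). It uses only the standard library json module; the function names and the "result" envelope key are my own choices. The object form is safe because a script beginning with a brace is parsed as a block statement, and a string literal there is a syntax error, so the document never evaluates as JavaScript; an array literal evaluates cleanly, which is exactly what the exploit relies on.

```python
import json


class UnsafeJsonEnvelope(ValueError):
    """Raised when a JSON document's outermost value is not an object."""


def is_safe_envelope(text):
    """Return True when the outermost JSON value is an object.

    Only an object envelope is treated as safe: an array (or a bare
    primitive) is valid JavaScript when loaded via <script src=...>,
    an object is not.
    """
    return isinstance(json.loads(text), dict)


def dumps_with_envelope(value, key="result", strict=False):
    """Serialize `value`, guaranteeing an object on the outside.

    Lists, tuples and bare primitives are wrapped as {key: value}.
    With strict=True a non-object top-level value raises instead, which is
    the "give an error" behaviour suggested for server-side frameworks.
    """
    if isinstance(value, tuple):
        value = list(value)
    if not isinstance(value, dict):
        if strict:
            raise UnsafeJsonEnvelope(
                "top-level JSON %s is valid JavaScript; wrap it in an object"
                % type(value).__name__)
        value = {key: value}
    return json.dumps(value)


if __name__ == "__main__":
    # The three documents from the post above.
    for doc in ('[{"object": "inside an array"}]',
                '{"object": "not inside an array"}',
                '{"result": [{"object": "inside an array"}]}'):
        print("%-45s safe=%s" % (doc, is_safe_envelope(doc)))
    # Serializing a bare list gets it wrapped automatically.
    print(dumps_with_envelope([{"object": "inside an array"}]))
```

Hooking `dumps_with_envelope` in where a framework serializes its responses (strict mode in development, wrapping in production) catches the array case at the one place it can actually be fixed, the server, rather than in the client-side library.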
I've crafted a little example that shows which browser you're using and the attacks that were successful. The Fortify exploit is "Array/Object JSON vulnerable". The two other tests are for JSON documents not contained by an array. The Fortify exploit is the only one that succeeds, and it only succeeds in Firefox.
Ryan Wilcox has recently written an excellent article for Linux Journal: MochiKit by Example. Check it out!
While I didn't personally attend Freedel 06, I recently came across the slides for Anant Narayanan's Web Application Development talk. Specifically it covers JavaScript web application development with MochiKit and Dojo, and it's split into four sets of slides. I've just had a chance to give them a look and they're quite good.
The slides are all done with S5, which is what I used for the MochiKit Intro talk I gave a few months ago.
The slides from my MochiKit Intro talk at The Ajax Experience 2006 are up:
http://svn.mochikit.com/presentations/2006/ajax_experience/slides.html
They were built with a slightly modified s5 (so that I could toggle an interactive mode with ctrl-i to demonstrate MochiKit inline without advancing the slides), using the docutils rst2s5 tool.
The reStructuredText source, build scripts, etc. are all in the repository here:
http://svn.mochikit.com/presentations/2006/ajax_experience/
MochiKit 1.3.1 is now available [download].
This is a bug fix release of MochiKit 1.3, which includes some minor documentation improvements and the following important fixes:
MochiKit 1.3 "warp zone" is now available [download, release announcement].
The most significant feature for this release is MochiKit.Signal, an excellent system for handling events cross-browser.
We've also spiffed up some of the examples and added a few new ones, and as per usual we've combed over our extensive documentation and made a bunch of improvements.
For all of you ajaxians out there, The Ajax Experience is coming up next month! From the roster it looks like it's going to be quite the conference. There are representatives speaking for quite a few of the ajax-related frameworks and libraries (including my Intro to MochiKit), as well as the people responsible for JavaScript, JSON, and just about everything else a "web 2.0" developer should be intimately familiar with.
The Ajax Experience runs from May 10th-12th at the Westin St. Francis right here in rainy San Francisco.
For those of you not able to attend, I will definitely be making all of my presentation materials available after the talk, but I would highly recommend showing up if you can. In my experience, the talks are the least interesting part of any conference.
MochiKit 1.2 "the ocho" is now available [download, release announcement].
This release is the calm before the storm: it contains mostly bug fixes and minor functionality improvements -- but big things are coming soon. We have a signal/slot dispatch mechanism, a script.aculo.us port, a new testing system, non-browser compatibility (SpiderMonkey, KJS, Rhino) and a normalized event object all in the works, which will be hitting the trunk soon. For more information about the new features check out the mailing list and the trac instance.
© Bob Ippolito < bob at redivi.com >