Javascript inheritance

I was reading through John Resig’s code recently and stumbled upon this comment:

“@Justin: I don’t think there’s a reasonable way to actually assign a name to the classes, which is unfortunate.”

The problem at stake: There are two ways to define a class in Javascript:

  1. var myclass = function(){...}
  2. function myclass(){...}

Those two methods are very different:

  1. creates an anonymous function and assigns it to the variable myclass
  2. declares the function named myclass

By definition, “you cannot change the name of a function, this property is read-only.” Once one has started using an anonymous function to create a class, the class name can never be changed.

var Person = Class.extend({
    init: function(isDancing){
        this.dancing = isDancing;
    },
    dance: function(){
        return this.dancing;
    }
});

var Ninja = Person.extend({
    init: function(){
        this._super( false );
    },
    dance: function(){
        // Call the inherited version of dance()
        return this._super();
    },
    swingSword: function(){
        return true;
    }
});

var p = new Person(true);
var n = new Ninja();

As you can see, both class names are Class:

p.constructor.name; // 'Class'
n.constructor.name; // 'Class'

This can become annoying when debugging large projects that heavily use anonymous functions.

By playing with the language’s inheritance concepts, and dynamic function naming, I built a tiny library that allowed the following:

  • Inheritance support (subclass methods can override / refer to their base methods)
  • Proper names for classes
  • Basic event management

The code is released under the MIT licence. It’ll be useful for building games or other object-oriented programs.
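A minimal sketch of named classes with _super support, added here as an illustration; it is not the author's library or John Resig's code. defineClass is a hypothetical helper that relies on ES2015 name inference from a computed property key, so the class name is fixed at creation and is never passed to eval or new Function.

```javascript
// Create a constructor whose name is fixed at creation: an anonymous function
// stored under a computed property key takes that key as its .name. The name
// is only ever data here; it is never parsed as source code.
function defineClass(name, Base, members) {
  const ctor = {
    [name]: function (...args) {
      if (typeof this.init === 'function') this.init(...args);
    },
  }[name];
  ctor.prototype = Object.create(Base ? Base.prototype : Object.prototype);
  ctor.prototype.constructor = ctor;

  for (const key of Object.keys(members)) {
    const own = members[key];
    const inherited = Base ? Base.prototype[key] : undefined;
    if (typeof own === 'function' && typeof inherited === 'function') {
      // Expose the base implementation as this._super for the call only.
      ctor.prototype[key] = function (...args) {
        const saved = this._super;
        this._super = inherited;
        try {
          return own.apply(this, args);
        } finally {
          this._super = saved;
        }
      };
    } else {
      ctor.prototype[key] = own;
    }
  }
  return ctor;
}

const Person = defineClass('Person', null, {
  init(isDancing) { this.dancing = isDancing; },
  dance() { return this.dancing; },
});
const Ninja = defineClass('Ninja', Person, {
  init() { this._super(false); },
  dance() { return this._super(); },
  swingSword() { return true; },
});

const p = new Person(true);
const n = new Ninja();
console.log(p.constructor.name, n.constructor.name); // Person Ninja
```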

Javascript declarations and assignments

This week I was chasing a javascript bug, which ended up in the following lines:

...
renderer: function(layer, text){
    var tag = node = Ext.apply({
        color: '#FCFCFC',
        background: '#666666'
    }, layer);
    tag.text = tag.text || text;
    if(node.disabled){
        tag.style = "color: #CCC !important";
    }
    return tag;
},
...

Can you spot the issue?

This line mixes declarations and assignments:

var tag = node = Ext.apply({...})

The author thought they were initializing two local vars tag and node. Unfortunately, Javascript is a bit surprising here.

Take the following example:

function test(){
    var a = b = 2;
    alert(a, b);
}
test();
alert(b);

  • Javascript starts by evaluating b = 2. This is an assignment of the value 2 to the variable b.
  • Because b does not exist, Javascript will actually create a brand new global variable b, and attach it to the current context, in this case window. This is usually something you don’t want to do, and it made bug finding much trickier.
  • The rest of the expression hides the problem. The assignment returns the value that was just assigned, so the expression var a = b = 2 now becomes var a = 2. This correctly creates a local variable a containing the value 2, hiding the damage it has created with b in the global scope.

Note that strict mode fixes this and throws a ReferenceError exception.
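The leak and the strict-mode behaviour described above can be checked mechanically. This is an added example, not code from the original post: findLeakedGlobals and the sample functions are hypothetical names, and the samples are constructed to mirror the two snippets shown earlier (Object.assign stands in for Ext.apply).

```javascript
// Run fn and report every property it added to the global object.
function findLeakedGlobals(fn) {
  const before = new Set(Object.getOwnPropertyNames(globalThis));
  let error = null;
  try {
    fn();
  } catch (e) {
    error = e;
  }
  const leaked = Object.getOwnPropertyNames(globalThis)
    .filter((name) => !before.has(name));
  // Implicit globals are configurable, so they can be removed again.
  for (const name of leaked) delete globalThis[name];
  return { leaked, errorName: error ? error.name : null };
}

// Function-constructor bodies are sloppy unless they opt in with
// "use strict", so both modes can be compared in one file.
// Constructed samples mirroring the snippets in the post:
const sloppyTest = new Function('var a = b = 2; return a;');
const sloppyRenderer = new Function(
  'layer',
  'var tag = node = Object.assign({ color: "#FCFCFC" }, layer); return tag;'
);
const strictTest = new Function('"use strict"; var a = b = 2; return a;');
const fixedTest = new Function('"use strict"; var a = 2, b = 2; return a + b;');

function auditSamples() {
  return {
    sloppyTest: findLeakedGlobals(sloppyTest),
    sloppyRenderer: findLeakedGlobals(() => sloppyRenderer({ text: 'x' })),
    strictTest: findLeakedGlobals(strictTest),
    fixedTest: findLeakedGlobals(fixedTest),
  };
}

console.log(auditSamples());
```

Wrapping a suspect code path in a check like this in a test suite turns an accidental global into a failing test instead of a debugging session.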

Crucible: unrecognised diff format.

Today I had a pretty big change made up from several SVN revisions:

svn diff -r 23284:23747 -x -b > ~/tmp/code.patch

When trying to push those, Crucible complained:

_Error adding patch: Unrecognised diff format. Expected diff hunk descriptor but found:_

Seems this is a known issue that’s been alive for more than 2 yrs. The issue comes from the fact that the SVN diff command mixes code changes with metadata changes. There’s a tool filterdiff that can easily clean it up.

brew install patchutils
filterdiff --clean code.patch > clean.patch

Magicsuggest 2 release

I was so caught up with different projects, work, family, the move to the US that I hadn’t touched that project for almost 9 months. I’m happy to see that the project has gained more than 1.1K stars on Github and been useful for others.

Latest changes in 2.0:

  • More flexible responsive design
  • Full support for Bootstrap 3
  • New home with a showcase, tutorials, a documentation full of examples
  • A bunch of fixes and improvements.

Drop me a line if you use it in your bootstrap forms!

MagicSuggest 2.0.0:

Copying json objects into the clipboard

Looks like Chrome Dev Tools now provide a nice copy utility to put anything into the clipboard. For example, to retrieve full json objects:

copy(JSON.stringify(obj))

WEP encryption ban

It is now 2014. WEP keys can be broken in 20 secs to a few minutes. There are still too many vulnerable targets out there. We should ban WEP before it does too much damage…

Finding WEP targets to sniff and crack is too easy:

$ airport en0 scan | grep WEP
wagamama 6c:f3:7f:56:71:d0 -85 36 N GB WEP
wBALHRT5 00:0b:86:e6:4a:22 -74 11 N GB WEP
wBALHRT5 00:0b:86:dc:1f:01 -78 13 N -- WEP
wBALHRT5 00:0b:86:dc:1f:11 -85 36 N GB WEP

Ouch…

Bypass wifi time limits

I’m currently sitting in terminal 5 of the Heathrow Airport waiting for my corresponding flight. They are limiting 30 minutes of free wifi. One can usually circumvent such limits by spoofing their mac address.

For Mac/Linux:

  • ifconfig and find the active network interface (usually en0).
  • Note the mac address somewhere to revert back once the operation is complete.

sudo ifconfig en0 ether [random_mac_address]
sudo ifconfig en0 down
sudo ifconfig en0 up

For Win7/Win8, it seems that Microsoft forces you to use one of those mac addresses: X2-XX-XX-XX-XX-XX X6-XX-XX-XX-XX-XX XA-XX-XX-XX-XX-XX XE-XX-XX-XX-XX-XX. Looks like something like this tool can do the job.

How to crack windows passwords in 5 minutes

Windows 7 at its core has a security door that allows you to log into any machine you have physical access to. While in the lock screen (winlogon.exe), the accessibility shortcuts are still available (try hitting left_alt + left_shift + print_scr). When those shortcuts are triggered, they are actually handled by a different binary sethc.exe. You may have already encountered that process when you press on a key for too long (sticky-key dialog popup). The security flaw comes from the fact that winlogon.exe will execute that file no matter what it actually contains. By replacing that file with a command prompt, the login screen will trigger the prompt when an a11y shortcut gets triggered:

  • Reset the computer, hit F8 for boot options and select “Repair your computer”
  • Start a Command Prompt
  • Make a backup of sethc.exe:

move c:\windows\system32\sethc.exe c:\windows\system32\sethc.exe.bck

  • Copy your cmd prompt:

copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

  • Restart computer
  • At login screen, trigger the sticky keys helper (ie. sethc.exe) by hitting shift 5 times
  • With the new prompt, change the password: net user [username] [password]
  • Restore the original sethc.exe file once you are done.

JS-flavored hashes in Ruby

I’ve become frustrated with Ruby’s syntax for hashes.

hash = {:foo => 'bar'} # not a fan
=> {:foo=>"bar"}
hash[:foo]
=> "bar"

Here’s a (non-recommended) way to make it look better by extending the Hash class directly:

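class Hash
  # Fall back to a symbol-key lookup for unknown zero-argument methods.
  def method_missing(m, *args, &block)
    k = m.to_sym
    return self[k] if args.empty? && has_key?(k)
    super
  end

  # Keep respond_to? consistent with method_missing.
  def respond_to_missing?(m, include_private = false)
    has_key?(m.to_sym) || super
  end
end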

This allows the following syntax:

hash = {foo: 'bar'}
=> {:foo=>"bar"}
hash.foo
=> "bar"

The illusion of phone security

Phones have become our most critical point of failure. I use my phone for everything, from the mundane to the most sensitive. I easily forget how much of my life it can unlock. A simple 4-digit pin, easily spotted by prying eyes, can provide everything to whoever has physical access. My email accounts are just a click away, providing the means to reset passwords for everything. My phone is also where my dual auth goes. It is quite concerning to me that phones are becoming such a security liability.
