
Journal of chromatic (983)

Tuesday October 21, 2008
02:05 PM

Core Incompetence

[ #37711 ]

Experienced developers learn what their core business functions are and write whatever software they deem necessary to perform those functions extraordinarily well.... [In] choosing to fight that HTML sanitizer battle, I've earned the scars of experience. I don't have to take anybody's word for it -- I don't have to trust "libraries". I can look at the code, examine the input and output, and predict exactly what kinds of problems might arise. I have a deep and profound understanding of the risks, pitfalls, and tradeoffs of HTML sanitization.. and cross-site scripting vulnerabilities.

Jeff Atwood, Programming Is Hard, Let's Go Shopping!

It's difficult for me to imagine that any core business function of a website is "expose XSS and XSRF vulnerabilities". In my experience, only novices think "I should write my own CGI parameter handling code!" while the experts think "Too much busy work; I'll work on something that matters." In practice, that novice approach is "I'll copy this code I found somewhere else and tweak it until it looks right." That's not learning. That's sympathetic voodoo magic. "I learn better when I code it myself" is an excuse which really means "I don't want to bother learning it at all!"

A real programmer really interested in learning would have started with test cases (and there are copious test cases available for this). Forget the "scars of experience". Instead, take advice from programmers who code with their brains, not their machismo.

  • He states in the comments that aside from the (allegedly) poorly written HTML Agility Pack [codeplex.com], there was really nothing available for him for .NET. If that's the case, he seems to have made a solid choice. Plus, he's released the code for others to use.

    • I think the comment by Adam Gomaa on Atwood's blog nails it, especially:

      ...I would have gone with a port of another language/platform's sanitizer, because I *guarantee* there are domain problems they've dealt with that you couldn't possibly have thought up on your first iteration.

      Atwood so far hasn't commented on whether or not he did that, or whether or not he thinks that's a good idea in general. The comments he did make, e.g. "scars of experience", suggest that he would answer "no" to both questi

    • There's great difference between rewriting existing code to learn (or because it's the "core competence" of your project) and writing code that doesn't exist. I've only met one person (Chuck Moore) who does the former rigorously, and I'll take the advice from him that that's the best way to learn something. Jeff Atwood? Not a chance.

  • I was totally with him until, "I don't need to trust libraries." I might not trust other people's libraries for some problems... but only after *trying* to trust them. I'm not sure I could even say that sentence out loud.

    --
    rjbs
  • In my experience, only novices think "I should write my own CGI parameter handling code!" while the experts think "Too much busy work; I'll work on something that matters."

    I take exception w/ this statement since it's probably not complete. Absolutes not always being right and all. (Hi everyone!)

    For learning, anyone should write anything they can, as low or high level as their capacity allows. Write your own parser, your own number cruncher, your own implementation of IEEE floating point. It breeds

  • Atwood's first mistake was deciding that converting Markdown to HTML was a core competency. Their core competency should be community construction. The second mistake is supporting all of Markdown. Since inline HTML is such a huge can of worms, you should say "We don't support that bit."
  • In one of the Stackoverflow podcast episodes, Jeff and Joel Spolsky discuss this at some length. Joel finished it off with a story about why the Excel team at Microsoft vigorously excised any dependencies to the point that they even had their own compiler. That, however, was back in the day when programmers had to seriously consider memory footprint, loading sequence, paging, and other things that most of us probably don't even know how to deal with anymore.

    I've been going through all of the Stackoverflow po

  • I stopped following Spolsky a while back. And quite honestly, the longer Atwood hangs around Spolsky, the closer I come to not paying any attention to him either. Which is a shame, he used to have some good insights.
    • No, he never did. Jeff’s personal brand has always been about writing at an accessible level on a consistent schedule. He did not change much at all over time. If you think he has, it’s probably you changing and outgrowing him.