Joe Merante's Blog

(This was written and first published elsewhere in June 2020) The example below comes from a May 2020 workshop on using CodeQL. To set up CodeQL, you import code into a database to run queries against using the CodeQL language. The results of queries can be viewed inside Visual Studio Code. More resources here . The snippet below checks for potentially unsafe input to $ in jQuery plugins. In the older version of Bootstrap examined in the workshop, an xss vulnerability existed because the library didn't check whether actual DOM elements were being passed to $ , creating an xss sink. For example, when .text() is called in code like $(options.textSrcSelector).text() , an unsafe string passed to $ could be executed by jQuery. The workshop repo suggests one better way to refactor the code. The from/where/select syntax is a little SQL-y, you import javascript to get the autocomplete goodies in VS Code, use classes and predicates to organize and reuse code. Note that = is equalit

(This was written and first published elsewhere in June 2020) A few years ago I got really into d3.js while working on some front end-heavy projects, and still love to see the awesome work shared by its community. (Observable notebooks are 😻)

(This was written and first published elsewhere in June 2020) This concept comes from a book I really enjoyed reading last year, Secure by Design . The authors suggest using a "read-once object" to represent sensitive values to avoid unintentional use or data leakage.

(Update 3/20/2024: If it ain't broke, do the classic developer thing and rebuild it! I've taken the site described below offline, and moved its posts here.) Until recently, I had no reason to build anything elaborate with a serverless architecture. Yet it's everywhere now! There's  Amplify , Netflify , JAM , SAM , lambdas , workers and more to learn about.

While updating a pdf recently, I noticed some metadata I wanted to change and a few annotations that were hidden from view but still in the file. However, the "Get Info" pane in Preview on OS X doesn't provide a metadata editor, nor does its Export function, so it seemed like a good opportunity to learn a bit more about the PDF standard and Python packages for getting the job done. Adobe Acrobat or other GUI's would've been much faster, but I'll likely need to do this programmatically again at some point like those of you who might've found this post by looking on your favorite privacy-preserving search engine for "change pdf metadata in python". So here we go. Before starting, I hopped into a new folder and created a git repository with a first commit of my original pdf in case anything went wrong. Then I ran conda create --name pdf --python=3.8.1 and conda activate pdf to set up an Anaconda virtual Environment named pdf to keep my work is

I recently attended a discussion of The Smart Enough City , which got me thinking about what "private enough" online services might mean to people. Privacy is an admittedly slippery concept and your idea of privacy may differ dramatically from mine. Privacy as "contextual integrity"  is one concept that helps address the definitional inconsistencies by focusing on information transfer . However, the scholarly literature which I have great respect for won't be particularly useful in explaining what I'm working on to my relatives at Thanksgiving dinner. A look at some everyday online activities will demonstrate how the battle to make the Internet private enough is coming from many directions. The first elephant in the room is online advertising, which is something I'm not entirely opposed to. It's just the undisclosed third party data sharing without anything that feels like meaningful opt out that’s too invasive. My views lean towards those a