< August 2007 >
    1 2 3 4
5 6 7 8 91011
Mon, 20 Aug 2007:

Some movies are so bad they're good. And there are none which explore this area of beyond-badness than the highschool movies. But the average highschool movie has become a complet cliche. I mean, if you've seen one you've seen 'em all. And if you've seen 'em all, you need to pick up Not Another Teen Movie. And once in a while a movie comes out which falls slightly further from the tree, I think that's SuperBad this year.

Characters: The movie sticks to my favourite combination of characters - the befuddled hero, self-confident heroine, weirdo side-kick and a couple of reverse stereotypes. The very same mix which makes me love H2G2 (Arthur, Trillian, Ford, Zaphod & Marvin), Coupling (Steve, Susan, Jeff, Patrick & Jane) or even Futurama (Fry, Leela, Bender, Prof. Farnsworth & Zoidberg).

In fact Michael Cera plays the befuddled teenager (Evan) to a T. The co-dependent pairing with Seth and the complicated issues around their separation for college brings in some funny dialogues, especially towards the end. Their chemistry is paired into the two girls they are chasing (mm... Becca). Now, add two cops spouting Star Trek & Star Wars one liners. and a nerd pretending to be 25 year old McLovin. But of all the caricatures in the movie, the the cops came out of it more real than anyone else when he says "When I was your age, I hated cops too".

Combine them all up and you've got all the laughs you want. Mindless though it is at the surface, somehow the dillemmas of Evan sprinkles a non-preachy moral editorial in between the laughs. Even the ending seemed appropriate, almost coincidental, yet not final in any way.

Watch the trailer, you just might McLuv it.

Where humor is concerned there are no standards -- no one can say what is good or bad, although you can be sure that everyone will.
                -- John Kenneth Galbraith

posted at: 04:12 | path: /movies | permalink |

I recently ran into a fairly generic XSS vector which didn't seem to be on the XSS cheatsheet. It seems to be a quirk of the way the DOM parser handles <script> tags and well, a broken JSON encoder. The vulnerability (or at least gotcha) exists when properly quoted strings are printed out inside a <script> node. A simplified exaple looks somewhat like this.

var a = "</script> <script> alert('XSS !'); </script> <script>";

For some strange reason, Firefox picks up the script closing tag in the quoted string and then proceeds to process the remaining script tags as code. Try it for yourself.

I discovered this problem inside a large/deep block of JSON. Thankfully, the php JSON encoder escapes the forward slash, but the JSON spec doesn't require that explicitly AFAIK. For instance, the standard python-json module which came with Ubuntu generates bad code to embed in a script segment (so, start using "import simplejson as json").

Quoting strings anywhere is complicated enough and if you ever need to dump stuff into a javascript segment, use a json encoder - a good one & not reinvent your own.

If I do not want others to quote me, I do not speak.
          -- Phil Wayne

posted at: 01:12 | path: /insecurity | permalink | Tags: , ,