Monthly Archives: May 2010

Lovin’ the WordPress plugin ecosystem

I’m a sucker for simple things and in my book, WordPress (the open source software) is a great example of a simple yet powerful solution for publishing on the web. The last few days I experienced their plugin-ecosystem to be just as simple and powerful.

If you have a plugin to share and you:

  1. register on
  2. fill out a form to submit your plugin for inclusion in their repository
  3. after confirmation upload your code (together with a structured readme-file) via svn

Then boom, automatically;

  • plugin pages (for description, installation, faq, changelog, …) are created and populated with information from the readme and base php-file
  • a zip-file is created containing your stable version
  • your plugin is listed on the “new plugins” page

Before you know it, you’ve got a bunch of real users (wp-youtube-lyte was downloaded 128 times in 2 days) who can rate your plugin and provide you with feedback. And every time you upload a new stable version via svn, a new zip-file is created and your users will get a notification in their wp-admin pages, allowing them to upgrade by simply clicking that upgrade link. Don’t you love it when a plan comes together?

But enough raving already, got to go create that admin-page for my plugin now, as requested by a user. I’m a sucker for real users!

As found on the web (May 19th)

generic (feed #49)
generic (feed #49)
generic (feed #49)
frank posted The Tell-Tale Beat.
blog (feed #46)
frank published Web API security basics.
generic (feed #49)
generic (feed #49)
blog (feed #46)
generic (feed #49)
generic (feed #49)

Lite YouTube Embeds in WordPress

This 3rd episode in the “High performance YouTube embeds” series brings you yet another way to use LYTE instead of normal YouTube embeds: wp-youtube-lyte. This WordPress-plugin will automatically replace YouTube-links that start with “httpv://” with Lite YouTube Embeds, thereby significantly reducing download size & rendering time.

wp-youtube-lyte plays nice with the great “Smart Youtube” plugin, in which case it will take care of the default embeds (httpv), while Smart Youtube will parse the other types (httpvh, httpvhd, httpvp, …).

You can download the plugin from

A quick demo maybe, to finish things off? Owen Pallett performing “Lewis takes action” live in the KCRW studios:

Owen Pallett - Lewis Takes Action
Watch this video on YouTube.

Web API security basics

When I proposed the lead developer of an open source web application to enable JSONP for the API, the developer replied:

The whole thing sounds easy enough to implement, but I have some doubts that it will open the project to XSS attack of some sort. Don’t really know why, though. :-)

We mailed a bit more about the risks of cross site scripting and then he wrote the following:

Sadly we can have malicious JS problems since cleaning up of incoming data is optional.

For an unrelated project I asked about authentication for a write-operation in the API and the reply was:

Authentication is not in the API yet. Currently you must include a session cookie along with API requests to perform a write, but the cookie itself is the one you get from logging in [in the web front end] as you would normally.

Which sounds a lot like “we support cross site request forgery out of the box” …

As with normal web applications, web API-security is an important (but complex) issue, which is not always easy to grasp. Based on a basic understanding of things, the following guidelines can go a long way into securing things both on the API-side and the client:

  1. Know who you’re dealing with; disable API-access for your users by default (allowing them to opt-in), provide bullet-proof authentication and session management in the API and throw in a synchronizer token to prevent cross site request forgery
  2. Never trust input from users or external systems; decide what to trust and filter out everything that’s not in that white-list (SQL-code, server-side code, javascript, and even html and css)

If you apply these basic principles to JSONP (make sure to filter the callback-parameter and set the correct content-type in your response) you’ll have a whole lot less to worry about!

More info:

As found on the web (May 12th)

generic (feed #49)
generic (feed #49)
generic (feed #49)
facebook (feed #40)
frank Frank Met zijn gezicht in een autoruit en in het ziekenhuis … auw..
generic (feed #49)
blog (feed #46)
generic (feed #49)
generic (feed #49)

Over hoe ik aan den lijve ondervond dat ge altijd een fietshelm moet dragen

Op de fiets door Brussel, is dat niet gevaarlijk?” vroeg men mij soms. “Nee” zei ik dan altijd een beetje stoer, “goed afgestelde remmen, een beetje geconcentreerd rijden en dan valt dat goed mee”.

Tot gisterenavond een voetganger met typisch Brusselse doodsverachting de straat zonder boe of ba overstak, een auto de remmen voor haar moest dichtgooien en ik hetzelfde deed om niet achterop die monovolume te knallen. Remmen dicht, de lucht in, door de achterruit van die vervloekte Opel het Schaarbeekse ziekenhuis binnengevlogen.

Op de spoed moesten ze 3 sneeën op m’n linkerarm dichtnaaien en hebben ze paar mooie zwart/wit foto’s genomen om daar -na lang wachten- op te zien dat er niets gebroken of gebarsten was in pols of nek, waarop ik goed bevonden werd om me terug in het verkeer te begeven, voorlopig wel zonder vouwfiets.

“Het valt mee, het had veel erger kunnen zijn” en “Ge hebt geluk gehad dat ge een helm ophad Mijnheer” zeiden Mario en Pieter (de vriendelijke ambulanciers), verpleegsters en dokters heel de avond lang. Absoluut! Ik en mijn Giro Flak fietshelm, wij zijn vanaf nu helemaal onafscheidelijk. Hopen dat Veerle dat geen belemmering vindt, zo in bed …