Johannes Schlüter

Two month have passed since the close of the Sun-MySQL-Deal, two months of uncertainty whether it's a good idea to join Sun or not but after consulting my ElePHPant, who read the 18 pages of the contract and related documents (including MySQL termination agreement, data privacy agreement, ...), I'm quite optimistic and look ahead to a sunny future. Therefore I'll be a true Sun employee as of tomorrow, May 1st.

Der xenjo bemitleidet mich - das finde ich nett. Er erinnert uns auch daran, dass Java für alles mögliche gedacht wurde, wer mehr will: James Gosling, mit dem ich ja im Januar zu Mittag war, hat das letztens auf Video kommentiert.

So genug der Werbung für den Arbeitgeber.

For a university project I have to develop a web based application using Java Enterprise Edition which will be based on Apache Tomcat. Afterdoing some initial setup on my development machine I did some simple tests to see whether everything works. So my first JSP file looked something like this:

<html>
<body>
<%
out.println(request.getParameter("foo"));
%>
</body>
</html>

Coming from web security I knew this being a XSS security problem since the user data is directly given to the output stream. Of course this is simple test code but as a self proclaqimed web security expert I havbe to think about such issues before even starting with implementation of the real app - even though the real app is just for university. So I browsed through the JEE documentation to find some method to encode HTML output so I asked a few friends with more Java experience and the only solution I found was using Apache Commons' org.apache.commons.lang.StringEscapeUtils which is no part of the JEE framework, a framework which was created with web apps in mind. How can that be? Are JSP based applications supposed to be unsafe? - And people say PHP was unsafe, which really was made for "solving the web problem" and offers all the things you need in it's core API.

After nearly a year it was time again: The Munich Fire Fighters just visited our house. I couldn't see why but it was a full fire brigade with 4 trucks and fire fighters wearing full protection and breathing masks. Rumors say it was the third floor, again.

The PHP TestFest was mentioned on Planet PHP multiple times before, so let's make it one more: Pierre and me are currently working on organizing a TestFest event at Munich. So we are looking for feedback from folks somewhere in the Munich area (or even all of southern Germany) so we know how many people to expect and then set a date. The requirement is mainly having experience with PHP. Being able to read C code might help here and there but is no requirement - it's way more important to be interested in PHP. So if you're interested in meeting core devs and participating in the TestFest and possibly win a few nice prizes please take a look at the TestFest page to get more information and leave a note to me at johannes on php.net so I can do my planning.

Just a short note: The deadline for applying to GSoC has been extended by Google till April 7th! So we hope to get a few more great proposals! So what's a great proposal? It's a good idea (either from our ideas page or some own idea) Being creative and having an own idea which is acceptable might look harder on first sight as you have to come up with an idea, discuss it beforehand to see whether it's acceptable and maybe fine-tune it then before wasting too much time but applying for an idea from our ideas page means that there are other candidates who want to do the same which therefore means you have to show us why you are the perfect candidate for that task and are better than others.

So please contact to us (see ideas page) if you want to discuss your ideas and apply!

Read More