SuperPreview helps test web pages in multiple browsers

24. March 2009 09:48 by mmcconnell1618

Microsoft has released SuperPreview for Internet Explorer as a free trial download. SuperPreview is an upcoming feature in Expression Web 3 that lets web designers preview their web sites/pages in every major browser (even if you don't have it installed). You select the main browser you'd like to work in and then you compare your page to what it looks like in other browsers. If you have the browser installed locally, SuperPreview will use it to render the preview. If you don't have it installed locally, a web service is called that renders the page and sends it back to SuperPreview.

One of the neat parts is that you can highlight elements in your master browser and the preview shows where they should be in the other browser and where they actually are in the other browser. I'm looking forward to using SuperPreview for IE 6, 7 and 8 compatibility testing without resorting to virtual machines.

 

Code | UI | Web Standards

Base64 Encoding and Unicode for non-ASCII characters

6. March 2009 21:16 by mmcconnell1618

I've been adding some unit tests to a Base64 encoding library and discovered that the existing code did not properly handle some non-English characters. I traced the error to the code which converts a string into an array of bytes. I figured, "Oh, boneheaded move." I was expecting that each character would be stored in a single byte, and I just need to expect two bytes per character because I'm dealing with Unicode strings in .Net.

That got me a little farther but then I realized that the byte order was reversed from what I expected it to be. The letter A would convert to 0x41, 0x00 instead of what I expected which was 0x00, 0x41. Fix that and now some of the tests are passing and some are failing. 

Two hours later I realize that I had a link to this great article, The Absolute Minimum Every Software Developer Absolutely, Positively Must Know About Unicode and Character Sets (No Excuses!) by Joel Spolsky. If you're having any similar issues you should read this article first.

It turns out that UTF-8, which is what Microsoft uses for most string conversion in .Net, dynamically chooses how many bytes to write per character based on what's needed. The normal ASCII characters like A are encoded in a single byte, and the larger characters are encoded in 2 or more bytes.

I adjusted my test cases to account for the way UTF-8 really works instead of the way I thought all Unicode strings were handled, and green lights across the board for the unit tests. Hope this saves someone else the time that I wasted.
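As an added example (not code from the author's Base64 library), the same byte-level behaviour in Python: .NET's Encoding.Unicode corresponds to Python's utf-16-le here, and the sample strings are constructed.

```python
import base64

# .NET's Encoding.Unicode is UTF-16 little-endian, which is why the post saw
# 0x41, 0x00 for "A"; Python's "utf-16-le" produces the same bytes (no BOM).
DOTNET_UNICODE = "utf-16-le"


def encoded_bytes(text, encoding):
    """Byte sequence a string turns into under the given encoding."""
    return list(text.encode(encoding))


def byte_lengths(text):
    """Bytes needed per encoding: UTF-8 is variable, UTF-16 is 2 per BMP character."""
    return {enc: len(text.encode(enc)) for enc in ("utf-8", DOTNET_UNICODE, "utf-16-be")}


def base64_of(text, encoding="utf-8"):
    """Base64 works on bytes, so the text encoding chosen first decides the output."""
    return base64.b64encode(text.encode(encoding)).decode("ascii")


def base64_to_text(b64, encoding="utf-8"):
    """Decode Base64, then the bytes; a mismatched encoding gives mojibake, not an error."""
    return base64.b64decode(b64).decode(encoding)


if __name__ == "__main__":
    # Constructed samples: plain ASCII, an accented Latin letter, and two CJK characters.
    for sample in ("A", "café", "日本"):
        print(sample, byte_lengths(sample), base64_of(sample), base64_of(sample, DOTNET_UNICODE))
```

Decoding the UTF-8 Base64 of "café" as Latin-1 yields "cafÃ©" with no exception, which is exactly the kind of silently failing test the post describes.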

 

Code | Programming

How to measure developer productivity for software development

27. February 2009 13:48 by mmcconnell1618

The Richmond Software Craftsman Group had our monthly meeting last night and we discussed developer productivity. Lines of Code (LOC) was suggested as the common measure of productivity. I think everyone quickly agreed that LOC produced was not really a good measure of efficiency. You'll quickly end up with bloated code because the measurement says that it is preferred.

Measuring team performance seems to be easier than individual productivity and I think this is what should be measured:

1) On Time
2) On Budget
3) Product Does what was expected (This would include a measure of defects for quality).
4) Client satisfaction with what was delivered.


- On Time: Did the team estimate the project well? Steve McConnell has a great book on software estimation and a lot of it boils down to "engineers are overly optimistic even when they think they're not."

- On Budget: Almost a direct correlation to time, but if you use double the resources planned to hit a target, your budget is blown. Budget should be a function of work estimates and timeline.

- Product does what was expected: Did you deliver everything that you said you would? Do the features do what they are expected to do? If features are buggy they do not do what was expected. I'm thinking this is kind of like acceptable failure rate in manufacturing. NASA will pay big bucks to have a very low bug rate but Joe's flower mart down the street might accept a higher bug rate in exchange for a much lower budget. Developers should set an expected defect rate that isn't zero because it's not realistic.

- Client satisfaction: This measures a couple of things. Did you accurately capture requirements from the customer? Did you communicate what you are going to build effectively so that client expectations are set correctly? Does the client understand the expected bug rate in the finished product and how it will affect timeline and price?


I think that inside a team it can be much more difficult to measure productivity because each team member influences the others. If a hole punch machine in the factory is misaligned the rubber gasket machine may produce defective parts. The gasket machine had garbage in so it gave garbage out. One programmer building a crucial module can delay other programmers making it very difficult to measure the individual productivity. Network effects can influence the team in positive and negative ways.

Coding Horror: Die you gravy sucking pig dog!

15. January 2009 11:40 by mmcconnell1618

Jeff Atwood has an excellent post about garbage collection in modern languages. I wish we did have a simple sqlconnection.DieYouGravySuckingPigDog(); method since I've written those exact .close() .dispose() = null lines too many times to count.

 

Code

How to filter Html Input to Prevent Cross Site Scripting but Still Allow Design

8. January 2009 22:14 by mmcconnell1618

If you need to allow users to enter Html for display on your web site or application you're asking for trouble in the form of a Cross Site Scripting (XSS) attack. This attack is pretty simple. Imagine that you have a text input field and then you display the value that was input back to the user. For example, an error message might return the value the user entered. The user enters something like <script>javascript:alert('hello, from a hacker');</script> and suddenly they can control javascript coming from your server.

The first level of response is to HtmlEncode anything that is input from the user. This is what many of the built-in ASP.NET controls do for you and something that you should always do in ASP.NET MVC.

But, when you encode everything the user enters you can't let the user create a bold tag, <b>Name</b>, which is perfectly safe. How do you allow safe html to get posted without encoding while making sure everything else is safe?

One approach taken by most bulletin boards is to adopt a special language, like BBCode, which is a limited grammar of acceptable tags. BBCode is used by our DotNetBB software right now and looks something like this:

 

[b]This is bold[/b]

[url=http://www.bvsoftware.com]Link to BV Software[/url]

 

This type of language works well but it isn't good enough in my opinion. Why should users need to learn a new language instead of html, which is a standard already? Furthermore, if I'm a designer and I'm working on a nicely formatted post in DreamWeaver I have to convert it from Html to BBCode before posting.

So, I decided to build an Html sanitizer that will allow a safe subset of code to be posted while encoding everything else. I'm not the first person to try this and I looked over a lot of community code for ideas. What I found was that most of the scrubbers used Regular Expressions to match potentially dangerous scripts and then tried to remove or encode them. Here's one from Jeff Atwood of Coding Horror and here's one by Rob Conery of SubSonic Fame.

I have a love/hate relationship with regular expressions. They can be huge time savers and can present a simple solution to complex problems. They can also end up many lines long and so un-readable that you never have any hope of debugging the code. The regular expressions I found in the other scrubber code were just that: long, complicated and not error proof at all.

Here are some examples that you can use to test for XSS attacks. When you see the huge variety of attacks possible you'll realize that a simple regular expression isn't going to cut it. If you look at Rob's code, you'll notice that he took a different approach. His choice was to "white list" the safe tags and encode everything else.

I also took the "white list" approach but after reviewing possible attacks decided that I needed an extra step. Instead of just allowing safe tags through, I would parse the tags and rewrite the safe ones with a subset of tag attributes that are also safe or easy to check.

Step 1: Tokenize the text to find all of the Html tags. This was a simple matter of splitting the string on the "<" character. Every opening and closing tag needs to start with this.

Step 2: Walk through the tokens and do a basic parser routine. When we're not parsing a tag, HtmlEncode everything else. When we are parsing a tag, get the start tag.

Step 3: When parsing the start tag check to see if it's an allowed tag. If not, HtmlEncode it. If it is, check to see if it's a self closing tag like <br/>. If it's self closing, rewrite it in a safe manner. If not, keep reading tokens until you find the end.

Step 4: If you haven't found a valid tag that is closed just HtmlEncode everything you have and dump it.

Step 5: Rewriting tags. When you do find a valid tag (self closed or not), parse out the name and attributes from the tag. Look over the attributes in a name/value list and only rewrite out the attributes you've selected as safe.

Step 6: Some attributes, like SRC and HREF require extra attention. They are vulnerable to javascript: and vbscript: tags in the attribute value.
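As an added example (not the author's DotNetBB code, which is C#), here is the same allow-list-and-rewrite approach in Python, following Steps 1 through 6; the per-tag attribute allow-list and the accepted URL schemes are assumptions, since the post does not list them.

```python
import html
import re
from urllib.parse import urlparse

# Tag allow-list from the post. The per-tag attribute allow-list and the accepted
# URL schemes are assumptions; the post only says such a subset was chosen.
ALLOWED_TAGS = set("b i u em strong h1 h2 h3 h4 h5 h6 div span p blockquote ol ul li "
                   "address strike a img sup sub hr".split())
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative URL
# Strict XHTML grammar the post insists on: lowercase name, double-quoted values only.
TAG_RE = re.compile(r'^(/?)([a-z][a-z0-9]*)((?:\s+[a-z][a-z0-9-]*="[^"<>]*")*)\s*(/?)>')
ATTR_RE = re.compile(r'([a-z][a-z0-9-]*)="([^"<>]*)"')

def safe_url(value):
    """Step 6: allow-list the scheme so javascript:/vbscript: values never pass."""
    if any(ord(c) < 32 for c in value):          # control characters can hide a scheme
        return False
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES

def rewrite_attrs(tag, raw_attrs):
    """Step 5: keep only allow-listed attributes, re-encoded from the decoded value."""
    kept = []
    for key, val in ATTR_RE.findall(raw_attrs):
        val = html.unescape(val)                  # decode &#106;avascript: style values first
        if key in ALLOWED_ATTRS.get(tag, ()) and (key not in URL_ATTRS or safe_url(val)):
            kept.append(' %s="%s"' % (key, html.escape(val, quote=True)))
    return "".join(kept)

def sanitize(text):
    """Steps 1-4: split on '<'; encode everything that is not a well-formed allowed tag."""
    tokens = text.split("<")
    out, open_tags = [html.escape(tokens[0])], []   # open_tags: (name, index into out)
    for tok in tokens[1:]:
        m = TAG_RE.match(tok)
        if not m or m.group(2) not in ALLOWED_TAGS:  # malformed or not allowed: encode it
            out.append(html.escape("<" + tok))
            continue
        closing, name, attrs, self_closing = m.groups()
        if closing and open_tags and open_tags[-1][0] == name:
            open_tags.pop()
            out.append("</%s>" % name)
        elif closing:                                # stray close tag: encode it
            out.append(html.escape("<" + m.group(0)))
        elif self_closing:
            out.append("<%s%s/>" % (name, rewrite_attrs(name, attrs)))
        else:
            open_tags.append((name, len(out)))
            out.append("<%s%s>" % (name, rewrite_attrs(name, attrs)))
        out.append(html.escape(tok[m.end():]))       # text after '>' is plain text
    for _, idx in open_tags:                         # Step 4: never closed, so encode it
        out[idx] = html.escape(out[idx])
    return "".join(out)
```

Because attribute values are decoded before the scheme check and re-encoded on output, entity-obfuscated schemes and unquoted or upper-case tags all fall through to HtmlEncode rather than to the browser.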

I've taken all of the examples from an XSS sample site and my code has safely taken care of everything I can throw at it. I don't want to get cocky about it because someone could find an exploit tomorrow. 

Some other things to note:

I had to choose a subset of html that I thought was safe and appropriate for users to enter: b, i, u, em, strong, h1, h2, h3, h4, h5, h6, div, span, p, blockquote, ol, ul, li, address, strike, a, img, sup, sub and hr.

I had to be VERY strict on the formatting I allowed for html. All tags must be lower case. All tags must be closed. All tag attributes must be wrapped in double quotes. etc. This strict xhtml formatting makes it easier to parse out the safe tags and is generally a good idea. Less sophisticated users may not understand why the Html of their Word doc didn't come out exactly as they expected but I'm okay with that.

It's not a simple problem but I think my solution is working well so far. This code will be included in the new version of DotNetBB and some other projects I'm working on.

Is this something that you need for your projects? Should we consider wrapping it into a nice library at an attractive price?

bv commerce | Code

Connector for QuickBooks - Now FREE and Open Source

7. January 2009 22:41 by mmcconnell1618

I'm pleased to announce that the BV Connector for QuickBooks is now FREE and open source. The software can be "purchased" for free from the BV Software store at http://www.bvsoftware.com/store. The software download includes the standard installable version and the optional source code.

The Connector will work with BV Commerce 2004 and BV Commerce 5. It will work with QuickBooks versions 2003 to 2007 and may work with versions 2008 and 2009.

The source code is now available under the Microsoft Reciprocal License. The license allows you to do just about anything you want but you must return the favor by including your modified source code whenever you distribute the application. My hope is that some of the smart developers here will be able to return enhancements to us that we had never even considered before.

If you do wish to work on the source code you will need the QuickBooks SDK Version 6, which can be found for free at http://developer.intuit.com. You will need to create an account and then can download directly from this link:

http://developer.intuit.com/uploadedFiles/QuickBooks_SDK/QBSDK/Download/QBFC6_0Installer.exe

Please let me know what you think.

bv commerce | Code | Open Source Projects | Visual Studio

JQuery Intellisense in Visual Studio 2008 - Tip if it's not working in MVC

6. November 2008 12:38 by mmcconnell1618

Microsoft and JQuery have partnered to release an intellisense file for JQuery in Visual Studio 2008. The Visual Web Developer Team Blog has a good post explaining how to use it.

When I followed the instructions from the blog post I still wasn't seeing intellisense in VS with ASP.NET MVC projects. I tracked the issue down to how I was referencing the script files.

 

This code DOES NOT produce intellisense:

 <script src="/Content/script/jquery-1.2.6.min.js" type="text/javascript"></script>
    <% if (false)
       { %>
       <script src="/Content/script/jquery-1.2.6.min-vsdoc.js" type="text/javascript"></script>
    <%} %> 

 

By adding the "~" character at the beginning of the paths it DOES:

 <script src="~/Content/script/jquery-1.2.6.min.js" type="text/javascript"></script>
    <% if (false)
       { %>
       <script src="~/Content/script/jquery-1.2.6.min-vsdoc.js" type="text/javascript"></script>
    <%} %>

 

Go figure!

 

 

Code | Open Source Projects | Visual Studio

ASP.NET MVC Beta is out

16. October 2008 21:42 by mmcconnell1618

The beta of the Model View Controller (MVC) framework for ASP.NET was released today. Get ASP.NET MVC here.

The beta version is very similar to Preview Release 5 but moves the DLLs into the GAC so you don't have to copy them to your local folder if you know MVC is installed on the server. If you're not sure you can always include the DLLs and the MVC framework will work on any web host that supports the .NET 3.5 framework. SP1 is not required anymore.

I've been experimenting with the MVC framework and I really like parts of it. The controller architecture forces you to pass everything that your HTML needs to render into the ViewData collection. At first this is kind of off-putting and feels like an extra step. After a while it starts to grow on you and now I really like thinking about application logic first and then only sending the bare minimum data the page needs to render correctly. I think it forces you to be a frugal developer and will lead to better performing apps and easier updates down the road.

If you haven't tried it yet now is a good time. One note, MVC is NOT going to replace WebForms (the regular way to build ASP.NET apps). Microsoft has been very clear that they will be updating and supporting both WebForms and MVC going forward.

Code | General

Generate a Customer List for BV Commerce 5

26. March 2008 15:50 by mmcconnell1618

If you've ever needed to get a quick export of everyone who has purchased from your store in the last year this SQL script can be used to generate a comma separated text file. Make sure you change the "> date" part to be the correct starting point for your export. You'll get customers' names, address, phone and email as long as they placed an order on your store.

 

-- Header row first ([Order] 0), then one row per customer who has placed an order ([Order] 1).
SELECT 'LastName, FirstName, Line1, Line2, City, RegionName, PostalCode, CountryName, Phone, Email' AS Expr1, 0 AS [Order]
UNION
-- The most recent address in the user's AddressBook XML is used for each column.
SELECT CAST(CAST(AddressBook AS xml).query(N'/AddressBook/Address[last()]/LastName/text()') AS nvarchar(1000))
     + ', ' + CAST(CAST(AddressBook AS xml).query(N'/AddressBook/Address[last()]/FirstName/text()') AS nvarchar(1000))
     + ', ' + CAST(CAST(AddressBook AS xml).query(N'/AddressBook/Address[last()]/Line1/text()') AS nvarchar(1000))
     + ', ' + CAST(CAST(AddressBook AS xml).query(N'/AddressBook/Address[last()]/Line2/text()') AS nvarchar(1000))
     + ', ' + CAST(CAST(AddressBook AS xml).query(N'/AddressBook/Address[last()]/City/text()') AS nvarchar(1000))
     + ', ' + CAST(CAST(AddressBook AS xml).query(N'/AddressBook/Address[last()]/RegionName/text()') AS nvarchar(1000))
     + ', ' + CAST(CAST(AddressBook AS xml).query(N'/AddressBook/Address[last()]/PostalCode/text()') AS nvarchar(1000))
     + ', ' + CAST(CAST(AddressBook AS xml).query(N'/AddressBook/Address[last()]/CountryName/text()') AS nvarchar(1000))
     + ', ' + CAST(CAST(AddressBook AS xml).query(N'/AddressBook/Address[last()]/Phone/text()') AS nvarchar(1000))
     + ', ' + Email AS Expr1, 1 AS [Order]
FROM   bvc_User
WHERE  bvin IN
       (SELECT DISTINCT UserId
        FROM   bvc_Order
        -- Change this date to the starting point for your export.
        WHERE  OrderNumber <> '' AND TimeOfOrder > '01/01/2007')
ORDER BY [Order]

Run this in SQL Management Studio and then copy and paste the results to a text file. You can open the text file in Excel as "comma separated" (CSV) to sort the data or mail merge.

 

bv commerce | Code

JQuery 1.2.3 conflicts with Google Analytics

19. March 2008 17:42 by mmcconnell1618

I was watching our Google Analytics traffic last week and noticed a sharp decline. My first thought was "My God, we've been blacklisted by Google or another search engine." I couldn't figure out why our traffic had dropped so dramatically. If it had dropped to zero I would have instantly thought the tracking script was at fault but instead it just dropped but kept counting with day to day variations.

I discovered that IE was reporting a script error and that was the clue to the mystery. We had added the JQuery library version 1.2.3 to our master page for some fancy image swapping. It turns out that this particular version of JQuery has an odd way of handling some click events and it conflicts with click handlers in Google Analytics. Apparently it doesn't happen all the time and it doesn't happen in all browsers so that's why we were still seeing some traffic records.

I pulled JQuery until it's patched and the stats popped back to normal the next day. Whew!

 

General | Code