
Base conversion in JavaScript

September 4

I just realized recently that you can convert between number bases in JavaScript using the built-in methods Object.prototype.toString() and parseInt().

// Convert n (a number or a digit string) from base `from` (default 10) to base `to`.
// parseInt() reads the input in the source base; toString(radix) renders it in the target base.
Math.base = function(n, to, from) {
    return parseInt(n, from || 10).toString(to);
};

For example, to convert from decimal to hex, or hex to decimal:

// convert the decimal 10 to hex
Math.base(10, 16); // 'a'

// convert the hex 'a' to decimal (the result is always a string)
Math.base('a', 10, 16); // '10'
// or
Math.base(0xA, 10); // '10'

Or from hex or dec to binary:

// convert the decimal 10 to binary
Math.base(10, 2); // '1010'

// convert the hex 'a' to binary
Math.base('a', 2, 16); // '1010'

This should work for bases between 2 and 36, i.e. up to the 36 digit characters 0-9 and a-z.
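The Math.base() helper above inherits parseInt()'s leniency: "12abc" parses as 12, an empty string gives NaN, and values above 2^53 lose precision. As an added example (not code from the original post), here is a strict converter with the same (n, to, from) signature that rejects any digit outside the requested base and uses BigInt so large values survive the round trip; the names fromBase, toBase and base are my own.

```javascript
// Added example: strict base conversion for radix 2..36.
const DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz";

function checkRadix(radix) {
  if (!Number.isInteger(radix) || radix < 2 || radix > 36) {
    throw new RangeError(`radix must be an integer from 2 to 36, got ${radix}`);
  }
}

// Parse a digit string in base `from`; throws on any character that is not
// a valid digit of that base (parseInt would silently stop at it instead).
function fromBase(str, from = 10) {
  checkRadix(from);
  const s = String(str).toLowerCase();
  if (s.length === 0) throw new SyntaxError("empty input");
  let value = 0n;
  for (const ch of s) {
    const d = DIGITS.indexOf(ch);
    if (d < 0 || d >= from) {
      throw new SyntaxError(`'${ch}' is not a base-${from} digit`);
    }
    value = value * BigInt(from) + BigInt(d);
  }
  return value;
}

// Render a non-negative integer (number or BigInt) in base `to`.
function toBase(n, to) {
  checkRadix(to);
  let v = BigInt(n);
  if (v < 0n) throw new RangeError("negative values not supported");
  if (v === 0n) return "0";
  let out = "";
  while (v > 0n) {
    out = DIGITS[Number(v % BigInt(to))] + out;
    v /= BigInt(to);
  }
  return out;
}

// Same call shape as the post's Math.base(n, to, from), but strict.
function base(n, to, from = 10) {
  return toBase(fromBase(n, from), to);
}
```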

Edit: changed base() to Math.base() for better namespacing.

I’ve also added base conversion in PHP up to a radix of 255.

Fun with JavaScript bookmarks

July 15

Here are some random JavaScript snippets I wrote for bookmarks.

They work like this: when you click the bookmark, the JavaScript in its URL is executed, so you can actually do a bit of programming inside a browser bookmark.

How to save JavaScript bookmarks:

  1. Copy the bookmark's JavaScript code
  2. Right-click on the bookmark toolbar
  3. Choose "new bookmark" or the equivalent in your browser
  4. Fill in a name of your choice
  5. In the location/URL field, paste the JavaScript code

Here is the list:

Translator:

javascript:window.location='http://www.google.com/translate_c?u='+window.location

Calculator:

javascript:void(alert(eval(prompt('Calculate:'))))

Binary Converter:

javascript:str='';i=0;c=prompt('Encode in Binary:');while(n=c.charCodeAt(i)){ b = '';while(n>0) { b = (n&1 ? '1' : '0')+b; n >>= 1; } i++;str+=b+' ' } void(alert(str))

Appjet service ends

June 2

Appjet, a web-based JavaScript application development platform, sent out an email to members today announcing that they are closing down the service.

According to the email, they are closing the Appjet service because of the success of Etherpad, a real-time document collaboration service that they built on Appjet. I think what they really mean is that Appjet isn't making any money and has become a liability. In that case, they just didn't find a good way to capitalize on what they have, because it is quite awesome.

Appjet has been the only server-side JavaScript development platform that offered a web-based editor, so you could create applications with nothing but an internet connection. There are many server-side JavaScript alternatives and many JavaScript application development platforms, but none had the simplicity Appjet had, nor is there another platform that encourages sharing libraries among developers the way Appjet did.

I have quite a few applications running on Appjet. One fetches updates from freelance sites and posts them to a Twitter account, freelance_jobs. Another pings websites and keeps a log of their uptime. Yet another acts as a proxy, allowing RSS feeds to be fetched cross-domain as a JSON callback. There's even one that allows you to cheat at Facebook's WordTwist game by guessing all the possible combinations of words available for that round. There are more than 10 of these apps I wrote, and they were all hosted for free by Appjet. These were all developed in my spare time, and at first I thought of them only as fun apps, but a few of them have become quite useful.

Now comes the porting of these apps to a new location. The great thing is that the Appjet engine is available for download.

I’m considering installing this on my own server, or just rewriting everything in PHP.

Monster - 3d in JavaScript

April 24

I was reading the Qt blog posts on WebKit when I came across this post on the Chrome experiment Monster.

The experiment is written by Dean McNamee and is a JavaScript 3D rendering engine. There is a great article on it at the Google Code blog.

It renders a cube that turns into a sphere then a monster. All with just JavaScript, no Flash or other plugins.

I tried launching the demo (click to open in a new window) in Chrome, Safari and Firefox. Chrome was the only browser that handled the animation well, and it didn't even use more than a few MB of memory to do it. Safari climbed to about 200MB of memory and didn't render the more intensive parts of the animation. Firefox was slow in rendering and also took up to 200MB of memory. This just shows how vastly superior Chrome's JavaScript engine (V8) is. You'd also have to take into account the implementation of the Canvas element, but the JavaScript execution is what really matters.

The code for Monster isn’t released yet. Would be cool to play around with it when it is.

Get Satisfaction and W3C Compliance

February 9

We have recently tried using Get Satisfaction to complement our support efforts at Fiji Web Design. It is a very interesting concept: an open support channel that is transparent and viewable by anyone.

What GetSatisfaction offers is just the platform for providing support. The actual support is carried out in their open message boards, by whoever wants to pitch in.

Today I noticed that our site was not passing W3C XHTML 1.0 validation. It appears that the cut-and-paste code provided by GetSatisfaction is not XHTML compliant. The issue lies in embedding a <style> tag in the <body> section.

The solution is to either load the code in the <head> section, or a rewrite, which is what I did.

The actual snippet looks something like this:
The xHTML valid version would be:



Now the JavaScript is encapsulated in comments, so special characters like < or & will not cause validation errors. The <style> declaration is also moved into the JavaScript, which writes it to the document instead.

The result is a great, simple-to-use service while keeping your website W3C compliant.

RSS Feeds via cross domain JSON proxy

January 22

JavaScript remoting functions are limited to the same domain. For example, XMLHttpRequest can only retrieve URLs on the same domain, and the same applies to the Flash remoting methods.

JavaScript files, however, can be hosted on a different domain, and this is the basis of a well-known JavaScript remoting method.

To retrieve RSS feeds, you don’t need a proxy on the same domain.
You can actually have a proxy on a different domain, but have that proxy create a JavaScript file of the RSS XML text.

That is, encapsulate the RSS XML text in a JavaScript variable or function.

That way you can include the RSS as a JavaScript file.

For example, the yahoo top stories:
http://rss.news.yahoo.com/rss/topstories

Could be proxied as:

http://json-proxy.appjet.net/?url=http://rss.news.yahoo.com/rss/topstories

And retrieved via a simple <script> tag:

<script src="http://json-proxy.appjet.net/?url=http://rss.news.yahoo.com/rss/topstories"></script>

And received in JavaScript as:

function callback(rss) {
    // manipulate the rss text here..
}
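Both halves of the script-tag remoting described above, as an added example that is not the Appjet proxy's own code: the server side wraps the fetched feed text in a call to the requested callback, and the client side injects the <script> tag and receives the text in that callback. The function names makeJsonpResponse and loadRssJsonp and the proxy URL https://proxy.example/ are assumptions. The server half only accepts a plain identifier as the callback name and turns the feed text into a single JSON string literal, so neither the callback parameter nor the (third-party) feed content can run as script on the page.

```javascript
// Added example (not from the original post or the Appjet proxy).

// Server side: a JSONP endpoint must treat both the callback name and the
// proxied body as untrusted input.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function makeJsonpResponse(callbackName, feedXml) {
  // Reject anything that is not a bare identifier, so "?callback=alert(1)//"
  // cannot become code in the response.
  if (!CALLBACK_RE.test(callbackName)) {
    throw new Error("invalid callback name: " + callbackName);
  }
  // JSON.stringify escapes quotes, backslashes and newlines, so feed text
  // such as '");alert(1);//' stays inside one string literal.  U+2028 and
  // U+2029 are legal in JSON strings but end a line in older JS parsers,
  // so escape them as well.
  const literal = JSON.stringify(feedXml)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return `${callbackName}(${literal});`;
}

// Client side (browser only): inject the <script> tag, receive the feed text
// in a one-off global callback, then clean up.  Hypothetical proxy URL.
function loadRssJsonp(feedUrl, callback, proxyBase = "https://proxy.example/") {
  const name = "rsscb_" + Math.random().toString(36).slice(2);
  const script = document.createElement("script");
  window[name] = function (rss) {
    delete window[name];
    script.remove();
    callback(rss);
  };
  script.src = proxyBase + "?url=" + encodeURIComponent(feedUrl) + "&callback=" + name;
  document.head.appendChild(script);
}
```

The test below evaluates the generated response the way a browser would and checks that the feed text arrives in the callback unchanged, even when it contains a string-breakout attempt.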

I’ve written a JavaScript class that will do the heavy lifting, and allow you to retrieve RSS feeds cross-domain from within JavaScript.

You can view the JavaScript source at the project page.

I'm using this JavaScript class to power the images at the top of my blog. They are retrieved from a Flickr RSS feed via JavaScript, with no server-side interaction on my domain - just the JSON proxy at Appjet.

Update: 25th Sept, 2009

Appjet has closed down. The JSON/RSS proxy now resides at: http://json-proxy.jgate.de/

So the URL to proxy any webpage would be: http://json-proxy.jgate.de/?url={url}

The JavaScript RSS Proxy library has been updated to reflect this.

Security of Fiji’s Major Company Websites

September 25

Taking a look at the largest websites on the com.fj domain (Fiji domains), I was surprised that 8 out of the 11 websites I looked at had security flaws that can be detected in about 10 seconds (literally) with just a browser.

These websites were Vodafone, Connect, Fiji White Pages, AFL, Fiji Sun, Air Fiji, Fiji TV, Fiji Times among others.

Those that don't have apparent security flaws:

Airports Fiji Limited
Air Fiji
Fiji Times
Those that have apparent security flaws:

Telecom Fiji Limited
Vulnerability: XSS, XSRF
Severity: Low
Note: No user accounts to exploit

Vodafone
Vulnerability: XSS, XSRF
Severity: Critical
Note: User accounts are affected. An attacker can log in as another user with their privileges

Connect
Vulnerability: XSS, XSRF
Severity: Critical
Note: User accounts are affected. An attacker can log in as another user with their privileges

Fiji White Pages
Vulnerability: XSS
Severity: Low
Note: There are no user accounts so users are not affected

Fiji Yellow Pages
Vulnerability: XSS, Blind SQL Injection
Severity: Medium
Note: There are no user accounts so users are not affected. However, the whole database is vulnerable to reading.

Fiji Sun
Vulnerability: XSS
Severity: Low
Note: There are no user accounts so users are not affected. Attack requires social engineering.

Fiji TV
Vulnerability: XSS, XSRF, SQL Injection
Severity: Critical
Note: User accounts are affected. An attacker can log in as another user with their privileges. Direct SQL injection can retrieve all user details and possibly administrative access to the website.

South Pacific Stock Exchange
Vulnerability: Blind SQL Injection
Severity: Critical
Note: Blind SQL injection can blind read the database, and possibly gain administrative privileges.

Now this is quite disturbing. I only tested two basic exploits, XSS and SQL injection. The XSRF vulnerabilities are implied when XSS is present and user accounts exist on the same domain.

No need to panic: estimates claim that around 70% of the websites on the internet are vulnerable to XSS. What amazes me, however, is that these are large corporate websites; their web developers should know better.

Disclaimer: I am not disclosing any details on the vulnerabilities found on the mentioned websites except the fact that they exist. You'll have to take my word on it.

Update: As requested by JJ, here’s a look at the FVB website:

FVB
Vulnerability: XSS, Blind SQL Injection
Severity: Critical
Note: XSS can be used to log in as another user, possibly gaining administrative privileges. Blind SQL injection can blind read the database, and possibly gain administrative privileges.
