jackfromeast

Summary

We identified a DOM Clobbering vulnerability within the Prism library's prism-autoloader plugin (version 1.29.0). This vulnerability could lead to cross-site scripting (XSS) attacks in web pages who embed Prism and allow users to inject scriptless HTML elements (e.g., an img tag with a controlled name attribute).

Note that, we have found similar issues in the other popular client-side libraries, including Webpack (CVE-2024-43788), Vite (CVE-2024-45812), and layui (CVE-2024-47075), which might be good references to this kind of vulnerability. So, in terms of the wildly adoption of Prism in the modern website, we think it is necessary to make the Prism resistant against DOM Clobbering attack.

Details

Backgrounds

Dan-Q

<?php
// half-hearted CSS minification
$css = preg_replace(
  array('/\s*(\w)\s*{\s*/','/\s*(\S*:)(\s*)([^;]*)(\s|\n)*;(\n|\s)*/','/\n/','/\s*}\s*/'), 
  array('$1{ ','$1$3;',"",'} '),
  file_get_contents('linked.css')
);

// embed as a data: uri
$base64css = rtrim(strtr(base64_encode($css), '+/', '-_'), '=');

MichaelCurrin

Set up Jekyll environment on macOS

Set p Ruby, Bundler and a project-level Jekyll on macOS Catalina and up

This guide is for macOS Catalina and is based on the Jekyll on macOS doc and my experience.

1. Install dev tools

Use the XCode CLI to install dev tools. Recommended so that you can install native extensions when installing gems.

sleepyfox

'Users hate change'

This week NN Group released a video by Jakob Nielsen in which he attempts to help designers deal with the problem of customers being resistant to their new site/product redesign. The argument goes thusly:

1. Humans naturally resist change
2. Your change is for the better
3. Customers should just get used to it and stop complaining

There's slightly more to it than that, he caveats his argument with requiring you to have of course followed their best practices on product design, and allows for a period of customers being able to elect to continue to use the old site, although he says this is obviously only a temporary solution as you don't want to support both.

fatcerberus

Monads for the Rest of Us

by Bruce Pascoe - 1 May, 2019

"A monad is just a monoid in the category of endofunctors. What's the problem?" ~James Iry[^1]

The problem... is that there are several problems.

It's been said that monads bear a dreadful curse. Once you finally understand what they are, you begin to see them everywhere--but somehow become completely incapable of explaining them to anyone else. Many tutorial writers have tried to break the Great Curse--the Web is lousy with bold attempts and half successes that attest to this--and just as many have failed. Well, I'm here to address the elephant in the room[^2] and tell you that I intend to break the Great Curse once and for all.

There are basically two ways a monad tutorial tends to go. One is a paragraph or two of minimal descriptions of one or two common monads (Haskell's Maybe in particular is very popular), followed by a lot of intimidating Haskell syntax trying to explain--precisely--how it all fits together. This is well

Rich-Harris

I've been deceiving you all. I had you believe that Svelte was a UI framework — unlike React and Vue etc, because it shifts work out of the client and into the compiler, but a framework nonetheless.

But that's not exactly accurate. In my defense, I didn't realise it myself until very recently. But with Svelte 3 around the corner, it's time to come clean about what Svelte really is.

Svelte is a language.

Specifically, Svelte is an attempt to answer a question that many people have asked, and a few have answered: what would it look like if we had a language for describing reactive user interfaces?

A few projects that have answered this question:

JonnyCBB

#### MATPLOTLIBRC FORMAT

## This is a sample matplotlib configuration file - you can find a copy
## of it on your system in
## site-packages/matplotlib/mpl-data/matplotlibrc.  If you edit it
## there, please note that it will be overwritten in your next install.
## If you want to keep a permanent local copy that will not be
## overwritten, place it in the following location:
## unix/linux:
##      $HOME/.config/matplotlib/matplotlibrc or

ericmjl

UPDATE: I have baked the ideas in this file inside a Python CLI tool called pyds-cli. Please find it here: https://github.com/ericmjl/pyds-cli

How to organize your Python data science project

Having done a number of data projects over the years, and having seen a number of them up on GitHub, I've come to see that there's a wide range in terms of how "readable" a project is. I'd like to share some practices that I have come to adopt in my projects, which I hope will bring some organization to your projects.

Disclaimer: I'm hoping nobody takes this to be "the definitive guide" to organizing a data project; rather, I hope you, the reader, find useful tips that you can adapt to your own projects.

Disclaimer 2: What I’m writing below is primarily geared towards Python language users. Some ideas may be transferable to other languages; others may not be so. Please feel free to remix whatever you see here!

Garfounkel

import time
import sys


class ProgressBarPrinter:
    def __init__(self, width, step, stream, fname):
        self.width = width
        self.block_progress = 0
        self.current_progress = 0
        self.start_time = time.time()

matpalm

#!/usr/bin/env python3

from PIL import Image
import numpy as np
import tensorflow as tf
import tensorflow_hub as hub

# smooth values from point a to point b.
STEPS = 100
pt_a = np.random.normal(size=(512))