Xomino

Domino with the new improved X

Arguably the most dangerous thing you could ever do in XPages – let other people use your eval() in their SSJS

Posted by MarkyRoden on June 18, 2013

In this article I will discuss the power of the JavaScript method eval() and demonstrate how your inappropriate usage of such could bring down your entire organization – yeah it is THAT dangerous….

Introduction

In JavaScript the eval() method has long been known as extremely powerful and also extremely dangerous. It turns a string into an executable piece of JavaScript code.

It can turn a string into a JSON-style array of objects:

var str = '[{marky: "genius"}, {brad: "blog monster"}]'
eval(str)

But it can also lead to more sinister things like cross-site scripting (XSS) attacks and other nasties:
http://stackoverflow.com/questions/86513/why-is-using-the-javascript-eval-function-a-bad-idea

Well guess what – you can also use eval() in SSJS – yaaaaaaaaay

No – Boo! Big fat boo. It should only be allowed in specially controlled circumstances; otherwise it can only hurt innocent developers who didn’t realize the risks, or innocent users who do not understand the responsibility which comes with the power.

But this would be a really cool capability

If you were able to give your users the ability to pass through some SSJS through the XPages web interface so that they could create some custom reports without having to add code to the database – that would be really nice of you, very flexible and kinda cool.

Let the user type in their own SSJS through a field on the form and then eval() the code executing it on the back end….NICE

And now you can see where this is going – suppose you either have:

  • A complete doofus working at your company
  • An extremely smart and well trained disgruntled employee

You are in for a whole world of hurt.

Who does eval() run as?

The signer of the XPage. In many corporate environments that is a signer ID which has the ability to run unrestricted agents on the server, so in no time at all anyone could do the following (and it would take most of us less than an hour to write the code)…

  • Go to the catalog
  • Get every database
  • Get every document in every database and download the contents
  • Delete every document in every database
  • Delete NAB users
  • Replicate these changes out to every server in the environment
  • Mess with the server settings

Yeah but Marky we can all do that anyway so why the big deal

Yes, I know you have the signer ID or access to insert malicious code into your own environment – but your users don’t. Let me rephrase that – they had better not, otherwise your administrators need beating with sharp sticks.

The risk in reality is people hurting themselves. Writing code in the browser and then evaluating it on the server is not:

  • Developing it in a dev environment
  • Thoroughly testing it in a secure test environment
  • Rolling it out to production in a controlled and pre-planned manner

No – it is giving the power of god to your users – and frankly, some of them are idiots…

Because the code would run as the signer, it also gives users the potential to access areas of the server they would not otherwise have access to – databases, Readers fields, etc. – and that is also not good. And with this they have the power to cover their tracks as well, because it was clearly the signer who made the changes, not them.

Can we do anything to protect ourselves?

Probably……

First – don’t let untrusted, untested code into your environment. You wouldn’t let a developer do it, so why let a non-developer do it?!

Then, maybe, do code reviews and do not allow code to be run unless it has been reviewed, locked and approved.
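To make the point concrete, here is an added example (not code from the original post) contrasting the three behaviours discussed above: eval() on a user-supplied string runs whatever is in it with the caller’s privileges (on the server that is the XPage signer), JSON.parse() only ever produces data, and the “custom reports” idea can be offered safely by letting the user choose from reviewed, named report functions rather than typing code. The report names, sample rows and the privilegedActions list are constructed for this demo.

```javascript
// Added example, not from the original post. Demonstrates why eval() on
// user-supplied text is a code-execution sink and what a reviewed alternative
// looks like. All names and sample data here are constructed for the demo.

// Stands in for anything only the signing identity should be able to touch.
var privilegedActions = [];

// A data-only string: eval() and JSON.parse() both "work" on it...
var dataOnly = '[{"name": "marky", "role": "genius"}]';

// ...but this string is code, not data. eval() executes it with the caller's
// privileges; JSON.parse() rejects it outright.
var looksLikeData = '[{"name": "marky"}]; privilegedActions.push("ran as signer")';

// Mirrors the "eval the field contents on the back end" design from the post.
// Returns a record of what happened so the two inputs can be compared.
function evaluateUntrusted(text) {
  var before = privilegedActions.length;
  var value;
  try {
    value = eval(text);
  } catch (e) {
    return { ok: false, error: e.name, sideEffects: 0 };
  }
  return { ok: true, value: value, sideEffects: privilegedActions.length - before };
}

// JSON.parse can only build objects, arrays, strings, numbers, booleans and
// null; it has no way to call a function, so the second string is an error.
function parseUntrusted(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Controlled alternative to "let users type SSJS for custom reports": the user
// picks a report by name and only code you wrote and reviewed ever runs.
var reports = {
  // Count rows per state.
  byState: function (rows) {
    var counts = {};
    rows.forEach(function (r) { counts[r.state] = (counts[r.state] || 0) + 1; });
    return counts;
  },
  // Count rows per role.
  byRole: function (rows) {
    var counts = {};
    rows.forEach(function (r) { counts[r.role] = (counts[r.role] || 0) + 1; });
    return counts;
  }
};

// Allowlist dispatch. hasOwnProperty guards against names such as
// "constructor" or "__proto__" resolving to something inherited from Object.
function runReport(name, rows) {
  if (!Object.prototype.hasOwnProperty.call(reports, name)) {
    return { ok: false, error: "unknown report: " + name };
  }
  return { ok: true, value: reports[name](rows) };
}

// Constructed sample data for the reports.
var sampleRows = [
  { state: "VA", role: "dev" },
  { state: "VA", role: "admin" },
  { state: "MD", role: "dev" }
];
```

Running evaluateUntrusted(looksLikeData) adds an entry to privilegedActions even though the string starts out looking like an array; parseUntrusted(looksLikeData) fails with a SyntaxError, and runReport only accepts the two names you defined.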

Conclusion

This article is intentionally alarmist because I do not want the potential risks involved to be underestimated. As I said, in reality you are unlikely to cause any more trouble to stupid users than them hurting themselves.

eval(), used judiciously and in a well-controlled manner, is extremely powerful and allows developers to do things that are otherwise impossible.

With using eval() comes the need for a complete understanding of the risks involved. Used incorrectly, it could be used to destroy your environment in a manner very few other code snippets are able to.

Posted in JavaScript, XPages | 5 Comments »

EXTJS in XPages #12 – Counting categories with Grouped columns

Posted by MarkyRoden on June 18, 2013

In this article I will demonstrate how grouping can be added to the EXTJS grid within your XPage and how the number of rows within that group can be totaled and displayed to the user.

EXTJS in XPages series

Here are links to all of the previous articles in this series

Demonstration

The EXTJS in XPages demonstration database can be found at 
http://demo.xomino.com/xomino/Extjs.nsf/xGridGrouped.xsp

Download

The sample database that will accompany this series is available from the menu in the live demo database from this link -
http://demo.xomino.com/xomino/Extjs.nsf

Introduction

“Categorization” is something we are used to in the world of Domino Views and we can also create a pseudo total of the categorized columns by totaling an adjacent column. This is functional but is hardly aesthetically pleasing.

Grouping is easily achieved with an EXTJS grid and, as we will see, it is also dynamic and will re-total on filtering as well.

Using the ‘Ext.grid.feature.Grouping’ feature we are easily able to create and manipulate a grid which looks like this (grouped by state):

[image: tot1]

How does it work?

We do not have to add much to our code to include the grouping feature. We first create a new variable inside of the createGrid() function representing the new feature.

var groupingFeature = Ext.create('Ext.grid.feature.Grouping',{
	ftype: 'groupingsummary',
	id: 'groupingFeature',
	groupHeaderTpl: [
		'{name:this.formatName} ({rows.length})', 
		{
		//This is used to display "None" if there is a blank category
		formatName: function(name) {
			var sName = (name == "") ? "None ": name;
			return sName;
		}
	}],
	startCollapsed: false
});

There are a few parameters to discuss in this code block, but for the most part I think the code is self-explanatory.

The groupHeaderTpl parameter determines how the actual group header line is displayed. In this case we are using the EXT templating technique.

  • {name: this.formatName} is the name of the column Header – it uses the formatName function to conditionally display the name of the column
  • {rows.length} is the number of rows within the group (the total)
  • formatName (referenced by the this.formatName above) is a conditional function which determines whether there is a value to display as the group header. If there are blank fields in the grouped column it will display “None” instead of just a number with nothing in front of it.

After adding this new variable we have to add the feature to the grid in the features parameter:

var grid = Ext.create('Ext.grid.Panel', {
	renderTo: 'gridHere',
	frame: true,
	height: 400,
	title: 'Users',
	plugins: buffRend,
	features: [groupingFeature, filters],
	etc

Finally we need to tell the store which field to initially group using the groupField and groupDir parameters:

store = new Ext.data.Store({
	groupField: "state",
	groupDir: 'ASC',
	model : 'Person',
	autoLoad: true,
	sorters: {
				property : 'firstName',
				direction: 'ASC'
			},
	id: 'store',
	data: data,
	remoteFilter: false,
	buffered: false,
	proxy: {
		type: 'memory'
	}
});

That’s it – once again a big increase in functionality with a relatively simple incremental code addition to the grids we already had.

Some other neat things grouping does for us

When we have a grouped grid and we go to filter it, the group header is dynamically re-calculated based on the filtered results.

[image: tot2]

Adding the grouping feature to the grid allows us to group by any of the columns by selecting the “Group by this field” option which now appears in the column dropdown.

[image: tot3]

[image: tot4]

As you can also see from the images above, the user has the option to remove grouping as well, via “Show in groups”.

Conclusion

In this article I have only scratched the surface of the possibilities with the grouped grid. Good-looking categories with counts are something we have strived for in Notes for a long time, and I think this is a very neat solution.

Posted in EXTJS, EXTJS in XPages, XPages | Tagged: , | 2 Comments »

Editing and testing your XPages CSJS “in real time” using Chrome Developer Tools

Posted by MarkyRoden on June 12, 2013

In this article I will demonstrate how you can make live changes to your CSJS using Firebug and Chrome Developer Tools and figure out where your bugs are happening before committing them to your XPages database.

Introduction

First rule of thumb – put as much of your XPages Client Side JavaScript (CSJS) in a JavaScript script library as possible. The reasons are compelling and simple:

  • Separation of code makes for much easier maintenance
  • Changing a CSJS library requires only a CTRL-F5 to view the changes, and no BUILDING of the database code

The demonstration

I have created a very simple XPage and my code is not working – I want to find out why not. I could use the console to test my code and just run it before updating the CSJS library, but I wanted to show this method of debugging because it is probably more applicable to a more complex function than this simple one. The XPage source looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<xp:view xmlns:xp="http://www.ibm.com/xsp/core">
	<xp:this.resources>
		<xp:script src="/csjsFirebugChromeDemo.js" clientSide="true"></xp:script>
	</xp:this.resources>

	<xp:br></xp:br>
	<xp:button value="Click me" id="button1">
		<xp:eventHandler event="onclick" submit="false">
			<xp:this.script><![CDATA[changeMe();]]></xp:this.script>
		</xp:eventHandler></xp:button>
	<xp:br></xp:br>
	<xp:br></xp:br>
	<xp:br></xp:br>
	<div class="change"></div>
</xp:view>

As you can see I have a button, a div and an included csjsFirebugChromeDemo.js resource. This is the library:

function changeMe(){
	$('change').html('this changed')
}

When I load the XPage and click the button nothing happens – why not? Well it is because the jQuery selector is wrong.

$(‘change’) will select all the elements with a tag name of change rather than selecting the class change, which is really what I was looking to do. Let’s see how we can play with this in two dev environments.

Firebug console

As I have mentioned in other articles, a JavaScript function is easy to override in the console. The global namespace for web browser JavaScript is “window” and all functions live there by default. To override them we just use window.functionname in the console and create our own function. This demonstration is also applicable to the Chrome Dev Tools console.

The example below shows what happens when I override the function through the console. Note that I have added the .changeMe in the jQuery selector.

[image: fire1]

Then when I run the script and click the button again – success:

[image: fire2]

Chrome live editing

Opening Chrome Developer Tools allows you to view the “Source” of the files used in your XPage and edit them. This technique only works on the scripts which are loaded through a library; you cannot edit the code if it is inline within your HTML. When we look in the Chrome source we can see the CSJS function already there. Hit F12 to make the tools come up, select the source option, then click on the arrow at the top left:

[image: ch1]

Which then gives us the function:

[image: h2]

This is editable!! All you need to do is make the change and then do a CTRL-S to save the change. (This is of course only changing the cached version of the function in the browser and not saving it back into your XPage.) When we click the button again it now works :)

[image: ch3]

Advanced changes using breakpoints

This is where it can get really cool :) As I mentioned before, you cannot make changes to code which has already executed or code which is inline – but what you can do is set a breakpoint in the code and edit it before it is executed…..

In my EXTJS locking grid article I demonstrated that you can lock a certain column. Once the EXTJS code has run I cannot edit it through the Chrome source, but I can make changes to the code pre-execution using a breakpoint. This way I do not have to keep saving the XPage; I can just reload the page and make changes as I see fit until I am happy with the code. This is the code, and you can see the locked column is the lastname one:

    var grid = Ext.create('Ext.grid.Panel', {
        renderTo: 'gridHere',
        frame: true,
        features: [filters],
        height: 400,
        title: 'Users',
        store: store,
        iconCls: 'icon-user',
        columns: [{
            header: 'First123',
            sortable: true,
            dataIndex: 'firstname',
            filterable: true
        }, {
            text: 'Last',
            sortable: true,
            dataIndex: 'lastname',
            locked: true,                //here is the locked on lastname
            field: {
                xtype: 'textfield'
            },
            filterable: true
        }, {
            text: 'Address',
            sortable: true,
            dataIndex: 'address',
            field: {

I add a breakpoint in the code by clicking on the line number in the source code:

[image: br1]

I then reload the page and the breakpoint stops code execution where I told it to:

[image: br2]

I then change the code to lock the First123 column and not the lastname column by editing the JavaScript in the source:

[image: br3]

et voila :)

Conclusion

In this article we have seen how, using the Chrome Developer Tools, we can effect change to our CSJS without having to resort to re-saving anything in our XPage application. I especially like the breakpoint editing, which *really* helps me to pinpoint my code errors and make sure they work before I change my XPage.

This is extremely productive.

Posted in Chrome Dev Tools, FireBug, JavaScript, XPages | 3 Comments »

Adding a new browser to the XPages “Preview in web browser” menu

Posted by MarkyRoden on June 11, 2013

I wanted to add Chrome to the list of browsers I could preview my XPages in, and I went digging in the preferences and found out how.

From within DDE (not the client), in File > Preferences under the General section there is a “Web Browser” option where you can add a new one:

[image: browser2]

Then I had to find where Chrome was installed (obviously change UserName to your own path):

C:\Users\UserName\AppData\Local\Google\Chrome\Application\chrome.exe

Added it, and there you have it – now in my menu :)

[image: browser1]

Posted in XPages | Tagged: | 11 Comments »

EXTJS in XPages #11 – Grids with Locked Column(s)

Posted by MarkyRoden on June 9, 2013

In this article I will highlight a grid column property which allows the developer to lock the columns on an EXTJS grid, in a similar fashion to freezing panes in Excel.

EXTJS in XPages series

Here are links to all of the previous articles in this series

Demonstration

The EXTJS in XPages demonstration database can be found at 
http://demo.xomino.com/xomino/Extjs.nsf/xGridLocked.xsp

Download

The sample database that will accompany this series is available from the menu in the live demo database from this link -
http://demo.xomino.com/xomino/Extjs.nsf

Introduction

Locking a column (or two or three) is a very useful way of retaining reference information on the left and being able to scroll across multiple pieces of information to the right.

Doing so in an EXTJS grid creates the effect shown below, whereby a horizontal scrollbar is added to the grid to the right of the locked column.

[image: lock1]

How does it work?

It is a column property: ‘locked: true’. The example code below uses the REST example as demonstrated before, and I added the locked property to the Last column. You do not have to use the REST service example; that was just the one I chose.

    var grid = Ext.create('Ext.grid.Panel', {
        renderTo: 'gridHere',
        frame: true,
        features: [filters],
        height: 400,
        title: 'Users',
        store: store,
        iconCls: 'icon-user',
        columns: [{
            header: 'First123',
            sortable: true,
            dataIndex: 'firstname',
            filterable: true
        }, {
            text: 'Last',
            sortable: true,
            dataIndex: 'lastname',
            locked: true,         //this is the new property
            field: {
                xtype: 'textfield'
            },
            filterable: true
        }, {.....

That’s all you need to do. The caveat is that you must have at least one scrolling column on the right – which makes sense, because if they were all locked then there would be no need to lock any of them :)

Interesting side note – you will notice that I locked the Last Name column, which is not the first column listed in the view, but it moved to the left. You cannot lock columns 1, 3 and 5 and have everything scroll around them; locked columns move to the left. I would guess there could be a performance cost in not putting them into the grid in the right order, so I would suggest you always list your locked columns first :)

Posted in EXTJS in XPages, XPages | Tagged: , | 2 Comments »

Getting rid of pointless white space page separators in MS Word

Posted by MarkyRoden on June 5, 2013

Thank you Simon Reid !

You are looking at a Word document and it is a pain to move from one page to another because of the margins and the separator between each page:

[image: word1]

Simple fix – mouse over the separator and double-click:

[image: word4]

How did I not KNOW ABOUT THIS??

[image: word2]

And even better with short pages with a break in them:

[image: word3]

Productive !!

Posted in Just Marky, Productive or Lazy? | 2 Comments »

DCLUG – June 13 – Darren Duke – I Have a Traveler Server – Maybe I Should Secure it Some

Posted by MarkyRoden on June 3, 2013

This month we are delighted to welcome Darren and Lisa Duke of STS Inc. in Atlanta, who are travelling to DC to present at the meeting!

Not only is Darren one of the most recognized names in the IBM Notes Domino community, he is also a really entertaining speaker.

Even if you are not into Traveler, you should definitely come, be entertained and learn something new.

For more information on Darren, check out his LinkedIn page, and if you want to talk Traveler while he and Lisa are in town, please get in touch with them:


http://www.linkedin.com/in/darrenduke


http://www.simplified-tech.com/

—————————————————————————–

Here is the abstract:
An iPhone or iPad was given to you, “Make this work with Lotus”, you were told. And so your Traveler server was born, much like BES before it, with nary a thought for “production use”.
Traveler is a virulent technology, users flinging iPhones, iPads and Android devices at you at an alarming rate. There is no one-to-one relation for devices to users here… some folks have 4 or more devices attached to your Traveler server. You look like a rock star! “About time” you say to yourself.
But is it secure? Am I letting my users send free text passwords OTA (even with HTTPS there are more secure options)? Do you even know the security options available to you? Come learn what you can do to secure these slippery endpoints, these public facing servers and keep looking like a rock star……
Darren, technical guru at STS, the once vocal “bad cop” on “This Week In Lotus” podcast, Lotusphere and Connect speaker, sporadic blogger, ranting tweeter, and all round snarky guy will endeavor to both entertain and educate you in this neglected but very important area.

Location

3150 Fairview Park Dr, Falls Church, VA 22042

For more information please check out the meetup site


http://www.meetup.com/DC-Lotus-Professionals/events/121594322/


Hosting Facility information

——————————–
The DCLUG event is open to all; but please note that Noblis is a Cleared Facility and security regulations require that all visitors are badged. A state or federal issued picture ID is required to obtain a visitor's badge (NOTE: a driver's license works best as some ID badges do not scan well).

If you are not a US citizen, DoD security regulations require additional information to be obtained in order to issue a visitor's badge. Please contact alan.hurt@noblis.org directly for further information.

Parking @ Noblis: There is visitor parking in front of the building as well as a free parking garage. Parking will generally be open on the upper levels.

Posted in DCLUG | Leave a Comment »

OpenNTF Webinar – Getting Started with XPages – Tomorrow – 06-04-2013 10:00 EST

Posted by MarkyRoden on June 3, 2013

Tomorrow I have the honour of speaking with my mate Dave Leedy and presenting the second in the OpenNTF webinar series - Getting Started with XPages.

Dave and I are going to go through a lot of information in a short period of time. The intention is to make the transition to XPages seem less scary, provide the information you need to know when making the transition, and help you through the process.

This conversation is open to all developers of all skill levels and I encourage community members to attend and support OpenNTF and all those developers tuning in to find out more on the subject.

We are going to talk about:

  • Key concepts in XPages
  • Some of the things you always wanted to do in Old Domino (good for selling XPages to your manager)
  • A live demonstration of how easy it is to create an initial app in the same manner as you would before.
  • Discuss some Rookie mistakes we all make
  • Look at some tools which make your life infinitely easier as an XPages developer
  • Detail and list some essential online resources for finding more information on XPages

Attendance is free and no registration is required.

You can attend the webinars by simply joining the following IBM SmartCloud meeting. The e-meeting supports audio broadcasting. In order to speak you need to dial in to the conference separately.


https://apps.na.collabserv.com/meetings/join?id=065-675

Meeting password: ICSAppDev


https://www.teleconference.att.com/servlet/glbAccess?process=1&accessCode=71387162&accessNumber=06924432290#C2
Passcode: 71387162

Posted in Just Marky, OpenNTF, XPages | Tagged: , | 2 Comments »

Writing a single library for SSJS and CSJS validation – first success

Posted by MarkyRoden on May 29, 2013

The other day I wrote about my failure to realize that CSJS and SSJS libraries shalt not cross, during my attempt to write a single library for CSJS and SSJS validation code.

Not to be outdone, and with some great suggestions from the wonderful Sven Hasselbach, I trucked on into the next attempt.

Parameterized development

I first met this concept a few years ago. I was working on an application created by John McCann, and all the script routines for a suite of applications were stored in Notes documents. The application would look up the code it needed and then execute it as needed. This made for extremely efficient code management and the ability to make updates to code snippets without changing any “code”.

Using this design pattern I set out to create a simple document in a view with a simple JavaScript function within it – the “are the fields the same” code I used in the previous article.

[image: js1]

I then created a Java bean to access the Notes view and get the field value.

(Yes I could have done it in SSJS – but hey this is a learning exercise as much as anything and the more Java code crosses my path (as rare as it is) the more likely I am to get familiar with it)

The bean is pretty simple and I am not going to detail the how’s and why’s and when’s of the bean – if you want to learn more about beans go see Russ Maher!!

package com.xomino.jsLookup;

import java.io.Serializable;

// import for JavaServer Faces classes
import javax.faces.context.FacesContext;

// imports for the Domino back-end classes (the interfaces, not lotus.domino.local)
import lotus.domino.Database;
import lotus.domino.Document;
import lotus.domino.NotesException;
import lotus.domino.View;

// Registered as the managed bean "lookupCode"; called from SSJS as lookupCode.getCode()
public class getValidationCode implements Serializable {

	private static final long serialVersionUID = 1L;
	private String theCode;

	public getValidationCode() {
		System.out.println("Starting Bean");
	}

	// Reads the "js" item from the first document in the jsValidation view
	// and returns it as a string for the XPage to use.
	public String getCode() {
		System.out.println("MARKY SSJS");
		Document doc = null;
		try {
			// Resolve the current database through the JSF variable resolver
			FacesContext ctx = FacesContext.getCurrentInstance();
			Database database = (Database) ctx.getApplication()
					.getVariableResolver().resolveVariable(ctx, "database");
			System.out.println("Database Obtained..." + database);

			// Find the view in question
			View view = database.getView("jsValidation");
			System.out.println("View Obtained..." + view);

			// Get the first document and read the stored JavaScript from it
			doc = view.getFirstDocument();
			System.out.println("Doc Obtained..." + doc);
			if (doc != null) {
				theCode = doc.getItemValueString("js");
				System.out.println("Loading to Xpage...");
			}
		} catch (Exception e) {
			e.printStackTrace();
			System.out.println("FAIL");
		} finally {
			// Recycle the Domino object to free back-end memory
			try {
				if (doc != null) {
					doc.recycle();
				}
			} catch (NotesException e) {
				e.printStackTrace();
			}
		}
		return theCode;
	}

}

Big thanks to the Java guru known as David Leedy for pointing out my inability to watch NotesIn9 videos correctly and learn how to do beans.

Anyway, the interesting code

The code which is stored in the Notes document is just a simple JavaScript function:

function checkPasswords(){
    if (getComponent("Password").getSubmittedValue() != getComponent("ConfirmPassword").getSubmittedValue()){
      return false;
    } else {
      return true;
    }
}

Back in my XPage I set up two sections for code – one for SSJS and one for CSJS.

The CSJS code which will run on the web page looks like this (note the return lookupCode.getCode()):

<xp:this.resources>
	<xp:script clientSide="true">
		<xp:this.contents>
			<![CDATA[${javascript:
				return lookupCode.getCode()
        		}]]>
		</xp:this.contents>
	</xp:script>
	<xp:script src="/libValidation.js" clientSide="true"></xp:script>
</xp:this.resources>

In this context the text string returned from the bean feeds directly into the contents of the script library. It looks like this in the page source:

[image: js3]

The keen-eyed among you will have noticed I also included the libValidation.js library which I created in the last article, which provides the CSJS equivalent of getComponent(x).getSubmittedValue().

The SSJS code is similar but with one crucial difference:

<xp:validateExpression message="Passwords Must Match"><!-- (2) -->
	<xp:this.expression>
		<![CDATA[#{javascript:
			var theCode = lookupCode.getCode()
			eval(theCode)
			return checkPasswords()
		}]]>
	</xp:this.expression>
</xp:validateExpression>

In the SSJS I have to use “eval” to evaluate the text string which is returned from the bean. This works just fine – but eval is very, very evil and I do not like this approach at all. Right now we are talking proof of concept, so I am OK with it in development, but I would never use this in production. If the contents of the lookup document were compromised this would expose a massive hole in the security of the entire server – but that is a blog post for another day……

The same call (lookupCode.getCode()) was used to get the code, and if you look closely, checkPasswords() is then called in this context to test whether the fields are the same.

Running this through a browser (with no CSJS yet) we can see a successful test:

[image: js4]

Then the CSJS is called from the onClick event of the submit button:

<xp:button value="Submit" id="button1">
  <xp:eventHandler event="onclick" submit="true" refreshMode="complete" immediate="false" save="true">
    <xp:this.script>
    <![CDATA[
      if (!checkPasswords()){
        alert('passwords must match')
        return false
      }
      ]]>
    </xp:this.script>
  </xp:eventHandler>
</xp:button>

Which looks like this:

[image: js5]

So why are we doing this again Marky?

Well, the point is that CSJS alone is a better experience for the user but it is not secure – so if we can write the validation code once, it can be used client-side and server-side with the minimum of duplication.

Here is how I break the CSJS validation and bypass it – see it in Firefox – I can override the checkPasswords function to show a different prompt and then return true, submitting the form:

[image: js6]

Which is then validated using the SSJS – securing the application :)

[image: js7]

Summary

In both cases we were able to use the checkPasswords() function, which was written once and stored in the Notes document. So, as far as I know, this is the first example of using the same JavaScript code to validate a form client-side and server-side – which was the initial goal. There is some improvement to be done here though, I am sure.

Caveats

And there are a few…..

  1. For the uninitiated the eval function is evil and should not be used in production code unless you can absolutely guarantee the security of the source.
  2. Looking up the code in a document has an overhead and this would not scale well over many functions and many documents
  3. There is a lot more code written to save copying and pasting a few lines of code in this case – this did not make my life in any way shape or form easier
  4. There has to be a better way – and the quest has only just begun
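As an added example (not the post’s own code) of the “better way” that caveats 1 and 4 ask for, and of the point made above that CSJS alone is not secure: the validation rule is written once as an ordinary function that takes a value accessor, so the same body runs in the browser against the form and on the server against the submitted values, with no eval() and no code stored in a document. The browser side would normally read DOM inputs and the server side getComponent(name).getSubmittedValue(); here plain objects stand in for both, and the field names and submissions are constructed for the demo.

```javascript
// Added example, not from the post: one validator shared by client and server
// without eval(). Field names and sample submissions are constructed for the demo.

// Written once; knows nothing about where the values come from. Same semantics
// as the post's checkPasswords(): the two fields must match.
function checkPasswords(getValue) {
  return getValue("Password") === getValue("ConfirmPassword");
}

// Client-side adapter. In the browser this would read the form inputs; here a
// plain object stands in for the form. Its result only improves the user
// experience, it proves nothing to the server.
function clientValidate(form) {
  return checkPasswords(function (name) { return form[name]; });
}

// Server-side adapter. Models getComponent(name).getSubmittedValue(): it reads
// the values actually submitted in the request and ignores anything the client
// claims about having validated them. A missing field reads as "".
function serverValidate(submitted) {
  var matches = checkPasswords(function (name) {
    return typeof submitted[name] === "string" ? submitted[name] : "";
  });
  return { accepted: matches, message: matches ? null : "Passwords Must Match" };
}

// Constructed submissions. The first is what the server sees after the browser
// function was overridden to return true: mismatched values plus a client claim.
var tamperedSubmission = { Password: "secret1", ConfirmPassword: "secret2", clientSaidValid: true };
var goodSubmission = { Password: "secret1", ConfirmPassword: "secret1" };
```

The server never looks at clientSaidValid; it re-runs the same checkPasswords body over the submitted values, so tamperedSubmission is rejected with “Passwords Must Match” while goodSubmission is accepted. Because the function is plain code rather than a string, it can live in one script file that is served to the browser and loaded on the server, which removes the eval() from the SSJS validator entirely.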

Posted in JavaScript, XPages | Tagged: , | 5 Comments »

The original DBIcon image path is stored in the database

Posted by MarkyRoden on May 28, 2013

I noticed the following as it popped up in my DDE search for “iPad” – something just to be aware of.

Don’t upload the DBIcon from a path you would consider inappropriate – it remembers :)


[image: dbicon]

Posted in Just Marky, XPages | 5 Comments »