funkatron.com

A few of you may know of a small app I did in AIR a while back called Searchatron. It’s mostly a proof of concept, but does have some usefulness in making it a bit easier to track multiple Twitter search queries. Searchatron uses an MVC-style pattern similar to how the next version of Spaz will be built, and much of Searchatron’s code provided the basis for the SpazCore component library.

As more of you may know, I’m very interested in the new Titanium platform. It’s similar to AIR, but fully open-source, and much more extensible. In order to learn more about Titanium, I tasked myself last week with converting Searchatron from AIR to Titanium. The whole process only took a couple hours. You can download the result from http://get.titaniumapp.com/app/12GKqr3.

What’s interesting is that Appcelerator, the creators of the Titanium platform, are running a contest right now. Two $500 prizes will be awarded for the most downloaded app, and the highest-rated app, respectively. If Searchatron wins either of these prizes, I’m pledging now to use the prize money to support further development of Spaz and the SpazCore project, in the form of cash gifts to our most giving volunteers. It might not be a lot, but it does mean real money is going to people working on open-source development. I hope to continue doing so when feasible and prudent.

If you’re interested in helping, this one is pretty easy: download Searchatron, and if you like it, suggest others do the same. Feel free to point them here if you like. By doing so, you’ll be doing a lot to encourage the continued development Spaz and its related projects.

• Download Searchatron
• Searchatron Source
• Titanium App contest

We don’t sign Spaz with a code signing certificate generated by one of the 4 (as of this writing) certificate authorities Adobe accepts. This means that when you install Spaz, you get a scary “Publisher:UNVERIFIED” warning. This is why we don’t sign, from a letter I wrote when asked about it in Spring 2008:

If I sign Spaz with a paid-for Thawte cert, I am on the hook every year for a Thawte cert. I can’t change my cert signer or go back to a self-signed cert without breaking auto updating (at least as I understand it), and I’m therefore locked into a $300 expense every year. That’s not terrible for a commercial app backed by a company, but that’s a pretty significant chunk of change for a free, open-source app developed by one person as a hobby to lay out.

I’m familiar with how certs work, and how Thawte handles certification as compared to other, less expensive cert vendors. Were I convinced that Thawte did some kind of verification process/background checking on the applicant I could see the value, but at least with SSL certs, they certainly didn’t do anything more than vendors who donate free certs to EDUs.

Currently, there are 3 other CAs in addition to Thawte, and the prices range between $180 and $300 per year. Some of these CAs do seem to do a little more background checking. Still, the same arguments apply, especially the one related to cost.

Spaz doesn’t generate revenue, and relies on donated time from myself and a handful of other generous folks. Committing to a yearly expense in the hundreds of dollars seems unwise.

If this is something you would like to see change, I’d encourage you to ask Adobe to make code signing a realistic option for Free, Open-Source Software like Spaz by providing certificates free-of-charge – after a reasonable review process – to projects like ours.

As I’ve mentioned in the past, I’m currently working on a new project that’s been taking my time away from Spaz. While most details are still under wraps, I can say now that the new project is a version of Spaz for mobile devices. Rather than a port, this is a whole new codebase that takes advantage of all the stuff I’ve learned writing Spaz for AIR.

While I will still be working hard on the mobile app for at least another month, I have been thinking a lot about where the desktop app should be going. Here’s the plan:

• Version 0.8 will be the last version of Spaz using the current codebase. We are currently being held back by the design decisions I made, and they need to be tossed. Versions 0.9 and later will be based on a complete rewrite of the codebase. It will use an MVC-style pattern, and will be powered by the SpazCore component library. SpazCore being worked on now, and is hosted on GitHub at http://github.com/funkatron/spazcore/.

• I may switch from the AIR platform to Titanium for the new Spaz codebase. I am still weighing this decision, but I’m very interested in TI, especially after having the opportunity to meet the development team last week. They have a very strong platform, and their approach is very much in line with the “Spaz philosophy.” http://titaniumapp.com.

• Feature-wise, I’m targeting all¹ existing features, plus:

  • multiple instances of the “main” windows (basically the current Spaz window, multiple times for multiple accounts)
  • multiple search windows with auto-updating results
  • less reliance on the web site for user and message details

Spaz should still be very suitable for average Twitter users (under 100 friends), but will also offer powerful search features for folks who need them. And of course, Spaz will still be completely open-source under a New BSD-style license.

Questions? Comments? Post them in the Google Groups thread

The coming weeks are gonna be a little hectic for me, as I fly to Atlanta on the 12th to attend php|works / PyWorks 2008. I’ll be doing the following talks:

• Building Desktop RIAs with PHP, HTML and Javascript in AIR
• The CodeIgniter Framework

I’m pretty excited about php|works / PyWorks 2008, especially because we can interact with the Python community and learn more about each other’s tech. Cross-pollination is a Good Thing.

I’m flying back to IND on the 15th, but then I’m leaving again on the 16th for San Francisco and the Adobe MAX 2008 conference. I’m giving the following talk:

• Developing Rich Applications with jQuery and Adobe AIR

Originally this talk was going to be given by John Resig, creator of the jQuery library, but he ran into some time constraints and thoughtfully suggested me. Of course, the description still mentions his name, which likely means I’ll be tarred and feathered by the audience. This also looks like it may be the largest audience I’ve ever given a talk before: there are currently about 70 folks listed as attending, with ~300 capacity. So if I wet myself on stage, please forgive me.

I love me some JSON. It saves me tons of parsing headaches when exchanging data between web services because it maps so well to concepts shared among most common programming languages. It’s super easy to take a PHP object, convert it to JSON, and then push it to a Javascript (or a Ruby, or a Python) app.

Because JSON is valid JavaScript code, the most common method for converting it into native JS objects is to just eval the JSON. This is an extremely bad idea, because it opens your app up to all sorts of code injection attacks. Even with “trusted” sources, a security failure on your source’s end, or just a disgruntled employee, could wreak havoc on your apps and your users. I’d recommend reading Douglas Crockford’s “JSON and Browser Security”. Go ahead; I’ll wait.

jQuery, which we’ll use for all our examples because it’s awesome, will in many cases automatically parse JSON responses for you. This, as we learned above, is a Bad Thing. The following Ajax methods will automatically parse JSON in jQ (as of 1.2):

• jQuery.getJSON() – always
• jQuery.ajax() – if type is ‘json’
• jQuery.get() – if type is ‘json’
• jQuery.post() – if type is ‘json’

So my rules of thumbs are:

1. never, ever use $.getJSON()
2. never, ever set the type option to ‘json.’

To force the issue, I set my type to ‘text’ in my ajax calls. For example:

<script type="text/javascript" charset="utf-8" src="/js/jquery.js"></script>
<script type="text/javascript" charset="utf-8">
    $.ajax('http://twitter.com/statuses/public_timeline.json', function(data, textStatus) {
        alert('Status is '+textStatus);
        alert('JSON data string is: '+data);
    }, 'text');     
</script>

In the example above, we’re including the jquery library with the first <script> tag, and then calling the jQuery.ajax() method in the second. We’re passing three parameters:

1. the URL we’re pulling the JSON string from. In this case, it’s the Twitter public timeline
2. an anonymous function that’s called when the request is successful
3. the type of data we’re getting, as a string. Using ‘text’ ensures no extra processing is done on the response string

So this is great, but all we’ve got is a string of serialized data, which isn’t terribly useful. Thankfully, there’s a handy library at JSON.org that takes care of parsing JSON without using eval without using eval on non-JSON code¹. The library gives us two methods: JSON.parse() for turning a JSON string into a JS object, and JSON.stringify() for turning a JS object into a JSON string. So let’s utilize JSON.parse() in our code, and actually do something with that data:

<script type="text/javascript" charset="utf-8" src="/js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="/js/JSON2.js"></script>
<script type="text/javascript" charset="utf-8">
    $.get('http://twitter.com/statuses/public_timeline.json', function(data, textStatus) {
        alert('Status is '+textStatus);
        alert('JSON data string is: '+data);

        // this will give us an array of objects
        var public_tweets = JSON.parse(data);

        // iterate over public_tweets
        for(var x=0; x < public_tweets.length; x++) {
            var twt = public_tweets[x];
            var elm = '<div class="tweet" id="'+twt.id+'"> \
                <a href="'+twt.user.url+'"><img src="'+twt.user.profile_image_url+'" /></a> \
                    <div class="tweet-text">'+twt.text+'</div> \
                </div>';
            $('BODY').prepend(elm);
        }
    }, 'text');
</script>

In the modified example above, the second script tag loads the JSON2 library. We then use the JSON.parse() method to turn the data string into a JavaScript object – in this case, and array of Twitter message objects. Then we iterate over the array, building a string of HTML for each entry and prepending it to the <body> tag (so the newest item is on top).

Note: If you’re using this code on a remotely-hosted html page (or loading it as a local file under Firefox 3), it won’t work, and if you check in your error console you’ll probably see a security warning. That’s because our $.get() call directly accesses the Twitter API hosted on Twitter.com, which is almost certainly not the domain your files are hosted on. When we try to do so, it violates the same-origin policy enforced by browsers. The only workaround that I think is safe is to set up some sort of proxy on your domain to pass requests – other approaches like JSONP rely on eval()ing the result, which is what we’re trying to avoid here. I’ll try to cover setting up a local domain proxy in a future post.

By handling JSON with a parser rather than just using eval(), we mitigate the risk of code injection. This helps us protect both our application and our users.