How to consume RSS safely

Excellent reading for web engineers: How to consume RSS safely.

Mark lists 10 HTML elements that must be stripped to safely display HTML from an RSS feed. He mentions stripping style attributes from RSS, but fails to mention an even more important set of attributes: the JavaScript event-handler attributes (onclick, onload, onmouseover and the rest), which can ride along on otherwise harmless elements.

Sure, you’ll want to leave <img> tags in the RSS feed, but what about those nasty onmouseover="..." attributes?
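To make the point concrete, here is an allowlist-based sanitizer for feed HTML, written as an added example for this page; it is not code from Mark's article or from any feed reader. Its list of allowed elements and attributes is an assumption, not Mark's list of 10. It rebuilds the markup from scratch, drops every on* attribute and every style attribute regardless of which element carries it, and (a check a practitioner would also want) refuses href and src values whose scheme is not http, https, mailto or relative, so a javascript: link does not survive either, even when the feed entity-encodes it.

```python
"""Allowlist sanitizer for HTML taken from an untrusted RSS feed.

Added example, not code from the linked article; the allowlist below is an
assumption, not the article's list.  The point: dropping <script> is not
enough.  Every on* event-handler attribute, every style attribute and every
href/src with a javascript: scheme must go too, or an innocent-looking
<img onmouseover="..."> still runs attacker code in the reader's browser.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: tags we re-emit and the attributes each may keep.
# Any other tag is dropped but its text is kept.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(), "pre": set(),
    "code": set(), "a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
}
# Elements whose content is dropped along with the tag.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "noscript"}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL


def safe_url(value):
    """True only if the URL scheme is allowlisted.  Non-printable characters
    are stripped first: browsers ignore a tab in "java<TAB>script:", so a
    naive string match would let it through."""
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class FeedSanitizer(HTMLParser):
    """Rebuilds the markup from scratch, keeping only allowlisted pieces."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = []   # stack of DROP_CONTENT_TAGS we are inside

    def handle_starttag(self, tag, attrs):
        if self.dropping or tag in DROP_CONTENT_TAGS:
            if tag in DROP_CONTENT_TAGS:
                self.dropping.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            return                       # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            # The check the article skips: every on* handler goes, whatever
            # element carries it; style goes too (expression(), url(javascript:)).
            if name.startswith("on") or name == "style":
                continue
            if name not in ALLOWED_TAGS[tag]:
                continue
            # html.parser has already decoded &#106;avascript: to javascript:
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.dropping:
            if tag in self.dropping:     # pop back to the matching element
                while self.dropping.pop() != tag:
                    pass
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data))   # re-escape: text never becomes markup


def sanitize(html):
    parser = FeedSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample entry: what a hostile feed might serve to a reader
# that only strips <script>.
SAMPLE_ENTRY = (
    '<p>Read <a href="http://example.com/post" onclick="steal()">this</a>.</p>'
    '<img src="http://example.com/pic.png" onmouseover="alert(document.cookie)">'
    '<a href="&#106;avascript:alert(1)">click</a>'
    '<script>alert(1)</script>'
    '<div style="background:url(javascript:alert(1))">styled</div>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_ENTRY))
```

The design choice worth noting is the allowlist direction: a blocklist of "10 bad elements" has to be updated every time a browser grows a new way to run script, whereas re-emitting only what you have explicitly approved fails closed. Running the sample entry drops the onclick, the onmouseover, the entity-encoded javascript: link, the script body and the styled div, leaving only the link, the image and the plain text.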

Kudos to Dennis the Headhunter

I got this “cold call” email today:

Date: Wed, 11 Jun 2003 12:19:09 -0700
From: Dennis R...
To: Michael Radwin <michael@...>
Subject: Could you/your family be interested in moving to Seattle area to do Browser and/or algorithm work for AMAZON?

Hello Michael,

I know this is out of the blue.  No, we've never communicated before, to my knowledge.

Please let me know if you're at all interested.

Dennis R...  -  Principal Account Manager
425-xxx-xxxx   or   800-xxx-xxxx

I told him “Thanks, but no thanks,” since I’m happy with my job right now and we’re going to be in LA for the foreseeable future.

He did several things right that recruiters usually get wrong:

  • He was honest and direct, and admitted that he didn’t know me. Aside from jobs (often with companies you’ve never heard of), headhunters don’t have much to offer. The best they can do is show you courtesy and respect.
  • He thought about my family. That’s important; I’m not some 22-year-old kid who can just pack up and move to a new city without affecting other people.
  • He called me Michael, not Mike. Unless you know someone personally (or they say otherwise), I think it’s professional courtesy to address someone by their full name. It’s the closest thing English has to Usted.

So, although I’m not interested in the job, maybe some of my readers are. Drop me a private email and I’ll forward Dennis’ contact info to you.


If you’re a Unix geek, you know about /usr/games/fortune.

If you know much about Yahoo!, you know that we like to name our software things that start with “y”. For example, my Making the Case for PHP at Yahoo! talk mentions our legacy yScript language.

Today, a rather clever co-worker of mine suggested a list of mantras that our engineers should repeat frequently to reach enlightenment.

“Check in your code.”

“Document your APIs.”

“Have you written unit tests recently?”

“FreeBSD is just as good as Linux (for our needs).”

“Make sure to search devel before asking devel-help.”

“Microsoft sucks. But our users don’t care.”

Heh. Looks like a good start on yfortune.

Nullsoft WASTE on Linux?

Nullsoft (the Winamp people) today released WASTE, a secure, mesh-network IM/chat/file-transfer system. Looks kinda cool. They even GPL’d the code.

WASTE is initially available on the following platforms:

  • Windows
  • FreeBSD
  • MacOS X

Notice a particularly popular operating system missing from that list? No, I’m not talking about Solaris.

BusinessWeek on Yahoo!

The cover story of the June 2, 2003 edition of BusinessWeek is entitled Yahoo! Act Two.

As an insider, I find the article pretty accurate. It does a pretty good job explaining what’s changed about the corporate culture since Semel came on board. Our stock price is up almost 70% since the day he became our new CEO.

In the past two years, things have certainly changed a great deal. To remind yourself of the old Yahoo!, read the BusinessWeek cover story from May 21, 2001.

Moving from Pine to PC-Pine

I hate email almost as much as I hate the web.

I’ve found that I’m using my Windows 2000 laptop a lot these days, but I’m still doing my email on my 4.5-year-old FreeBSD machine (running a vintage 2.2.7 kernel, complete with the a.out runtime linker bug). Switching back and forth between the two has turned into too big of a pain in the neck, especially since I seem to be getting tons of resumes (and various other attachments) in Word and PDF formats.

So it’s high time to switch to a Windows email reader. What’s the path of least resistance? PC-Pine.

Yes, it still has an olde-school xterm-like interface. No, it doesn’t display HTML or graphics. But it’s what I’ve been using for the past 8 years, and I’m not about to switch again. I made the great leap forward from good ol’ /usr/bin/mail to Pine back in 1995 and it took weeks to get used to a new interface. I don’t want to repeat that pain.

Our corporate IS department doesn’t support IMAP (only POP3), so I initially tried to get an IMAP server running on my ancient FreeBSD box and use fetchmail to pull from our POP server. But I couldn’t really get UW’s imapd to work. Instead of wasting time trying another IMAP server (folks here have suggested Inter7’s Courier-IMAP), I instead decided to use Pine’s native POP3 support in conjunction with the Mail Drop feature.

Porting my pinerc file from Unix to Windows was pretty easy. I had to make a few tweaks (looking up names in our corporate LDAP server instead of getting them from /etc/passwd, switching forward-slashes to back-slashes in folder names, moving my filtering from procmail to Pine’s built-in filtering feature, etc.). After a couple of hours, I’m up and running in an environment that feels really familiar.