
Tweet Compression - vog
http://www.tedunangst.com/flak/post/tweet-compression
======
vog
Since tedu often makes fun of the quality of other people's code, I wondered
what his own code would look like for a non-C project. So I had a look at this
small utility.

And to some degree of surprise, there are indeed several strange bits in the
implementation.

One example:

    document.getElementById("wrapped").innerHTML = w.replace(/&/g, "&amp;").replace(/</g, "&lt;")

Are we really so used to unsafe APIs that we prefer escaping even if the safe
API is actually shorter?

    document.getElementById("wrapped").textContent = w

Also, this is declaring a global variable "i" for no reason - probably forgot
a "var i"?

    function burrito() {
        var c = ...
        var w = ...
        var u = ...
        for (i = 0; i < fillings.length; i++) {
           ...

Finally, the preference for unsafe APIs continues, treating plain text as
regex, this time without proper escaping:

    var fillings = [
    [ "Th", "Þ" ],
    [ "th", "þ" ],
    ...

       w = w.replace(new RegExp(fillings[i][0], "g"), fillings[i][1])

While this is non-critical from a security perspective (because the
replacement list is hard coded into the program), this begs for bugs. Good
luck if you want to put something into your replacement list that contains a
".", "+" or similar. At least a small warning at the top of the list would be
a nice service to the future self.
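An added example illustrating the last point of the comment above (the regex-as-plain-text issue); it is constructed here and is not code from tedu's Tweet Compression page. The `fillings` table is modelled on the one quoted above but extended with entries containing regex metacharacters ("..." and "c++"), and the function names `burritoUnsafe`, `burritoEscaped`, `burritoLiteral`, `escapeRegExp` and `regexKeyError` are assumptions for the sake of the demo. The `textContent` point needs a DOM and is not shown here.

```javascript
// Constructed replacement table, modelled on the page's `fillings` list but
// with an entry whose key contains a regex metacharacter.
const fillings = [
  ["Th", "\u00DE"],   // Þ
  ["th", "\u00FE"],   // þ
  ["...", "\u2026"],  // … : as a regex, "." means "any character"
];

// Escape every regex metacharacter so a key matches itself and nothing else.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// The page's approach: each key is silently interpreted as a regular expression.
// `let i` keeps the loop counter local instead of leaking a global `i`.
function burritoUnsafe(w) {
  for (let i = 0; i < fillings.length; i++) {
    w = w.replace(new RegExp(fillings[i][0], "g"), fillings[i][1]);
  }
  return w;
}

// Same table, keys escaped before being compiled into a RegExp.
function burritoEscaped(w) {
  for (let i = 0; i < fillings.length; i++) {
    w = w.replace(new RegExp(escapeRegExp(fillings[i][0]), "g"), fillings[i][1]);
  }
  return w;
}

// No regex at all: replaceAll with a string pattern matches literally. The
// replacement is passed as a function so that "$&" or "$1" in a replacement
// value is not expanded either (a string replacement would still expand them).
function burritoLiteral(w) {
  for (const [key, rep] of fillings) {
    w = w.replaceAll(key, () => rep);
  }
  return w;
}

// Some keys are not even valid regexes: "c++" fails with "Nothing to repeat".
// Returns the error raised when `key` is compiled as-is, or null if it compiles.
function regexKeyError(key) {
  try {
    new RegExp(key, "g");
    return null;
  } catch (e) {
    return e;
  }
}

console.log(burritoUnsafe("Think..."));   // "……." : /.../ swallowed "Þin" and "k.."
console.log(burritoEscaped("Think..."));  // "Þink…"
console.log(burritoLiteral("Think..."));  // "Þink…"
console.log(regexKeyError("c++").message); // Invalid regular expression ... Nothing to repeat
console.log(regexKeyError(escapeRegExp("c++"))); // null
```

With the unescaped key, the three-dot entry turns into "match any three characters", so the whole string is chewed up long before the literal "..." is reached; an entry such as "c++" does not even compile. Either escaping the key or using the string form of `replaceAll` makes the table behave as the plain-text list it was written as.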

