Why does Rails do utf8=✓

I noticed Rails apps always do utf8=✓ in their URLs. Rails at one point even placed a snowman Unicode glyph. Here’s what Yehuda Katz has to say in this regard:

This parameter was added to forms in order to force Internet Explorer (5, 6, 7 and 8) to encode its parameters as unicode.

Specifically, this bug can be triggered if the user switches the browser’s encoding to Latin-1. To understand why a user would decide to do something seemingly so crazy, check out this google search: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=diamond+with+a+question+mark+in+it. Once the user has put the web-site into Latin-1 mode, if they use characters that can be understood as both Latin-1 and Unicode (for instance, é or ç, common in names), Internet Explorer will encode them in Latin-1.

This means that if a user searches for “Ché Guevara”, it will come through incorrectly on the server-side. In Ruby 1.9, this will result in an encoding error when the text inevitably makes its way into the regular expression engine. In Ruby 1.8, it will result in broken results for the user.

By creating a parameter that can only be understood by IE as a unicode character, we are forcing IE to look at the accept-charset attribute, which then tells it to encode all of the characters as UTF-8, even ones that can be encoded in Latin-1.

Keep in mind that in Ruby 1.8, it is extremely trivial to get Latin-1 data into your UTF-8 database (since NOTHING in the entire stack checks that the bytes that the user sent at any point are valid UTF-8 characters). As a result, it’s extremely common for Ruby applications (and PHP applications, etc. etc.) to exhibit this user-facing bug, and therefore extremely common for users to try to change the encoding as a palliative measure.

All that said, when I wrote this patch, I didn’t realize that the name of the parameter would ever appear in a user-facing place (it does with forms that use the GET action, such as search forms). Since it does, we will rename this parameter to _e, and use a more innocuous-looking unicode character.

Very funky, although this has since become my standard way of determining if the application is running on Ruby on Rails.
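The failure the quote describes, as an added Ruby example (not code from Rails or from Yehuda Katz): the same search arrives once as Latin-1 bytes and once as UTF-8 with the marker, and only a validity check tells them apart. The query strings are constructed, and `parse_query`, `check_submission` and `recover_latin1` are hypothetical helpers; falling back to Latin-1 for invalid input is an assumption made for illustration.

```ruby
require "uri"

# Constructed query strings (not captured traffic) for the search "Ché Guevara".
# LATIN1_QS: the form was encoded as Latin-1, so é is the single byte 0xE9.
# UTF8_QS: the utf8=✓ marker is present and é is the UTF-8 pair 0xC3 0xA9.
LATIN1_QS = "q=Ch%E9+Guevara"
UTF8_QS   = "utf8=%E2%9C%93&q=Ch%C3%A9+Guevara"

# Percent-decode a query string into a Hash. The decoded bytes are only
# *tagged* as UTF-8; nothing here checks that they are valid UTF-8.
def parse_query(qs)
  qs.split("&").each_with_object({}) do |pair, params|
    key, value = pair.split("=", 2)
    params[URI.decode_www_form_component(key)] =
      URI.decode_www_form_component(value.to_s)
  end
end

# Hypothetical server-side gate: report parameters whose bytes are not valid
# UTF-8 instead of passing them on to regexes or the database.
def check_submission(qs)
  params = parse_query(qs)
  bad = params.reject { |_, v| v.valid_encoding? }.keys
  { marker: params["utf8"] == "✓", invalid: bad, params: params }
end

# Assumption for illustration: if the bytes are not UTF-8, treat them as
# Latin-1 (what the quote says IE sent) and transcode to real UTF-8.
def recover_latin1(value)
  return value if value.valid_encoding?
  value.dup.force_encoding(Encoding::ISO_8859_1).encode(Encoding::UTF_8)
end

if __FILE__ == $PROGRAM_NAME
  [LATIN1_QS, UTF8_QS].each do |qs|
    result = check_submission(qs)
    puts "#{qs}: marker=#{result[:marker]} invalid=#{result[:invalid].inspect}"
    puts "  q => #{recover_latin1(result[:params]['q']).inspect}"
  end
end
```

Without the `valid_encoding?` gate, the Latin-1 value is stored or matched as a string that claims to be UTF-8 but is not, which is the "NOTHING in the entire stack checks" situation from the quote.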

Promising changes in IE9

Microsoft Internet Explorer 9 actually looks promising.

Welcome To A More Beautiful Web – Internet Explorer 9

While the internet has kept up with every changing needs, however the way we experience hasn’t, until now! Welcome to a more beautiful web with Internet Explorer 9. Internet Explorer delivers a more beautiful Web by using the full capabilities of Windows and PC hardware so your Web sites and applications are as immersive as the native applications running on your PC.

Bing is now default search engine on IE6

What a terrible practice. Microsoft appears innocent by claiming it is currently investigating a solution.

Bing Is Now Your Default Search Engine On IE6, Whether You Like It Or Not

The Next Web reports that users of Internet Explorer 6 are being forced to use Bing as their default search engine — even if they’ve manually switched their preference to another search provider, like Google. Attempts to switch the browser to something other than Bing result in an error message.

While the vast majority of users affected probably won’t even notice the change, some are beginning to complain (you can find threads in Google’s forums here and here). Microsoft has confirmed the issue to Search Engine Roundtable, explaining that it is currently investigating a solution. (Source: Techcrunch)

By the way Bing is currently my 2nd top referrer.

Critical IE vulnerability found, browser switch recommended

Critical Internet Explorer vulnerability found, browser switch is recommended.

Serious security flaw found in IE

The flaw in Microsoft’s Internet Explorer could allow criminals to take control of people’s computers and steal their passwords, internet experts say.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world’s computer users.

Said Mr Ferguson: “If users can find an alternative browser, then that’s good mitigation against the threat.”

But Microsoft counselled against taking such action.

“I cannot recommend people switch due to this one flaw,” said John Curran, head of Microsoft UK’s Windows group.

He added: “We’re trying to get this resolved as soon as possible.

“At present, this exploit only seems to affect 0.02% of internet sites,” said Mr Curran. (Source: BBC)

Browsing vigilantly is not something a normal user can do unless you only use your web mail. The internet is filled with links all around. Even I, once in a while, end up on phishing sites I try hard to avoid. It could be just an innocent advertisement.


A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to a use-after-free error when composed HTML elements are bound to the same data source. This can be exploited to dereference freed memory via a specially crafted HTML document.

Successful exploitation allows execution of arbitrary code.

NOTE: Reportedly, the vulnerability is currently being actively exploited.

The vulnerability is confirmed in Internet Explorer 7 on a fully patched Windows XP SP3 and in Internet Explorer 6 on a fully patched Windows XP SP2, and reported in Internet Explorer 5.01 SP4. Other versions may also be affected. (Source: Secunia)

I would recommend a temporary switch to a competing browser.

Why Ubuntu is better than Windows XP

Here’s a screenshot of a website for Windows XP:

(Trojan in Windows XP.)

There is an animation of a Windows scanning utility discovering lots of trojans; an anti-spyware tool is offered at the end. It tricks users into installing something that they claim is secure.

Here’s the same website in Ubuntu with the same animation:

(Trojan in Ubuntu.)

The screenshot would probably look realistic to a naive Windows XP user. And when you install the additional checking tool, who knows, you may end up with a virus.

I tried installing it in Ubuntu and couldn’t. Me sad.

[Thanks Irene for showing me the site.]

Hotmail has a new user interface

BUT it doesn’t work well in my browser. I couldn’t reply, I couldn’t get back to the inbox once I click on a message. The whole thing is just a disaster for me and I don’t know how to change it back. Seems like Microsoft is pushing this update batch by batch to their users.

Here’s a screenshot of the new interface:

(Microsoft Windows Live Hotmail does not play well with Firefox.)

Of course, it worked for Internet Explorer but…

Anyhow, I should note that I do like the cleaner design. The new calendar is better too. And the contacts. Everything’s better… if and only if it works.

[By the way, there is still a huge wide advertisement slapped above the mail interface. I just crop it away because it is an advertisement.]

Google launching new browser – Google Chrome

Google is coming out with Google Chrome, an open source browser that takes cues from Apple WebKit and Mozilla Firefox. Does the world need another browser?

We will be launching the beta version of Google Chrome tomorrow in more than 100 countries.

The blockquotes represent statements from the Google blog. And just so you know, the world does not need another browser.

So why are we launching Google Chrome? Because we believe we can add value for users and, at the same time, help drive innovation on the web.

Ahahaa, love what they wrote there. Isn’t every product development about adding value to consumers and driving innovation? What a cliché.

We also built a more powerful JavaScript engine, V8, to power the next generation of web applications that aren’t even possible in today’s browsers.

Yay, one more browser to optimize.

We’ve used components from Apple’s WebKit and Mozilla’s Firefox, among others — and in that spirit, we are making all of our code open source as well. We hope to collaborate with the entire community to help drive the web forward.

It’s great that they’re taking cues from WebKit. You can see some Google Chrome comics here.

In general, an additional browser is a good thing for innovation. It’s probably the worst thing that could ever happen to web design or developing. Okay, actually the second worst, the worst being developing an additional skin for the iPhone just to prettify things.

There was a time when Microsoft Internet Explorer was the de facto browser. While everyone was not happy, remember that back then we only had one browser to test in. And at that time, Internet Explorer this version did not look the same as Internet Explorer that version; isn’t that just like what is happening right now?

AVG LinkScanner pretends to be IE6, screws up analytics

Speaking of Internet Explorer, AVG has been disguising itself as Internet Explorer to visit websites. Web developers and webmasters aren’t too pleased. AVG’s LinkScanner is estimated to have been downloaded by more than 20 million people. The LinkScanner attempts to disguise itself as a real live human click, claiming to be Internet Explorer 6. It just screws up web analytics.

AVG disguises fake traffic as IE6

…webmasters who rely on log files for their traffic numbers may be unaware their stats are skewed. And others complain that LinkScanner has added extra dollars to their bandwidth bill.

…(Paid AVG) appears that scans now use these agents as well:

  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  • User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  • User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)

…the first agent is by far the most common. Which is bad news for webmasters. That’s also the Internet Explorer 6 user agent. Unlike the other two – and the original “1813” agent – it’s a perfectly valid agent that may turn up with real clicks.

AVG’s chief of research Roger Thompson says the for-pay LinkScanner is only using the IE6 user agent

In an effort to fix this problem, one web master advocates redirecting AVG scans back to AVG’s site. “Many webmasters simply tell LinkScanner to scan AVG’s site instead, so their site gets marked as malware free every time – while AVG gets handed the extra bandwidth cost,” says the webmaster of TheSilhouettes.org.

But this assumes that AVG is using a unique agent. And at the moment, it’s not. The send-it-back-to-AVG method may redirect legitimate clicks as well.

Which gets to the heart of the matter: AVG’s security philosophy is fundamentally at odds with webmaster peace of mind. The company wants to scan search results, and it wants to scan them in a way that’s difficult to distinguish from real traffic. “In order to detect the really tricky – and by association, the most important – malicious content, we need to look just like a browser driven by a human being,” AVG chief of research Roger Thompson has told us.

And if that causes problems for webmasters, Thompson says, so be it. “I don’t want to sound flip about this, but if you want to make omelets, you have to break some eggs.”

Clearly, the company doesn’t fully realize the importance of web analytics.

“In order to make an omelet you have to crack some eggs. But a good omelet has cheese, ham, peppers, mushrooms and all sorts of other ingredients which AVG seem to have forgotten about.”

But AVG continues to say it’s working to solve the problem – including the bandwidth issue. Referring to LinkScanner’s new IE6-like user agent, Thompson told us, “We intend to leave those in place until we can find the right balance point which will allow us to continue to provide the best possible protection for our customers, without imposing too much extra bandwidth on websites.” (Source: The Register)


I was reading what the chief of research had to say – “If you want to make omelets, you have to break some eggs.” Sir, that’s just a nonsensical comparison, when you break eggs, you don’t get your neighbors to pay for them.

Bandwidth is a clear issue. It is not free. This solution is another example of how innocent parties are penalized just because of a tiny number of visited sites infected with malware.

(By the way, I go around disguised as GoogleBot as my user agent. But that won’t hurt your bandwidth, I have reasons for doing so.)