Archive for October, 2003

Another Google security hole

Thursday, October 23rd, 2003

This simple hole allows any site to change your Google preferences behind your back. Someone could change your Google interface language to Pig Latin. (Why Pig Latin rather than, say, Russian? It's more fun, and the "Google.com in English" link isn't as obvious when the surrounding text looks like English.) Someone could make your searches only turn up English results. Worst of all, someone could stop you from using Google to search for porn by turning on SafeSearch.

Slashdot's solution to this type of hole is "formkeys". I don't know how other sites solve it. But one incorrect solution is to check referrers. (Update May 5, 2005: I'm no longer sure checking referrers is incorrect.)

Minor security hole in Google

Thursday, October 23rd, 2003

Webmasterworld's "hitchhiker" and I found a security hole in Google today. He searched for something like "this can't be true" and his browser reported a JavaScript syntax error. I pointed out that with a carefully constructed query string, you can get Google to spit out something syntactically valid that does whatever you want. For example:

http://www.google.com/search?q='+alert(document.cookie)+'

causes Google to generate the following onClick attribute:

onClick="c('http://images.google.com/images?q='+alert(document.cookie)+'&hl=en&lr=&ie=UTF-8&c2coff=1&safe=off','wi',event);"

If you follow the link and click a tab (web, images, groups, directory, news), you'll see your Google cookie in a dialog.

Hitchhiker responded:

I just can't believe G made that kinda mistake.

ESCAPE ESCAPE!

Escaping is not always the best solution. When I found a similar hole in some JavaScript code in Mozilla, ducarroz's solution was to use an alternative window.setTimeout syntax. The normal version of setTimeout takes a string to be parsed and executed; the alternative version takes a function and parameters. Instead of escaping the untrusted input, we avoided parsing a string containing the untrusted input.
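
The two approaches side by side, as an added example that is not code from the original post, Google or Mozilla. It assumes new Function as a stand-in for the browser parsing an onClick attribute or a setTimeout string; c, alert, document and the cookie value are constructed stubs.

```javascript
// Stubs (assumptions): c() stands in for the page's tab handler, alert() for the
// browser dialog, and document.cookie holds a constructed value.
function makeEnv() {
  const log = { navigated: [], alerts: [], error: null };
  return {
    log,
    c: (url, tab) => { log.navigated.push(url); },
    alert: (msg) => { log.alerts.push(msg); },
    document: { cookie: 'PREF=constructed-sample' },
  };
}

// Unsafe pattern: untrusted text is spliced into source that gets parsed later,
// as an onClick attribute or the string form of setTimeout would be.
function runStringHandler(query) {
  const env = makeEnv();
  const source = "c('http://images.google.com/images?q=" + query + "&hl=en','wi');";
  try {
    // new Function is a stand-in for the browser parsing the handler string.
    new Function('c', 'alert', 'document', source)(env.c, env.alert, env.document);
  } catch (e) {
    env.log.error = e.name;
  }
  return env.log;
}

// Function-and-parameters pattern: the query is only ever a value. In a browser
// the call would be setTimeout(openTab, 0, env, query).
function openTab(env, query) {
  // encodeURIComponent is for URL correctness; it leaves ' ( ) unescaped, so it
  // is not what keeps the input from executing.
  env.c('http://images.google.com/images?q=' + encodeURIComponent(query) + '&hl=en', 'wi');
}

function runFunctionHandler(query) {
  const env = makeEnv();
  openTab(env, query);
  return env.log;
}

const crafted = "'+alert(document.cookie)+'";          // query string from the post
console.log(runStringHandler(crafted));                // alert stub fires
console.log(runStringHandler("this can't be true"));   // parse fails with SyntaxError
console.log(runFunctionHandler(crafted));              // no alert, text stays data
```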

Vons.com suspends delivery service due to strike

Wednesday, October 22nd, 2003

Retail clerks and meat cutters initiated a work stoppage at the three major Southern California grocery store chains, including Vons. This labor dispute has affected operations at stores that fulfill Vons.com orders. As a result, we have suspended delivery operations for the time being. We will notify shoppers when Vons.com deliveries will resume. Thank you for your patience.

The words "strike", "union", and "health care" are notably absent from this statement shown to Vons.com customers.

I also tried signing up for Albertsons.com, which I had never used before. Albertsons.com has also suspended its service. Like Vons, Albertsons avoids the word "strike", but at least it doesn't hide "labor dispute" in the middle of a paragraph and try to blame its employees.

Unfortunately, due to a labor dispute, Albertsons.com is unable to serve you today.

We are sorry for the inconvenience and hope to resume our online service as soon as possible.

I might have to beg for a ride (or walk) to a physical grocery store for the first time in a year. I haven't decided whether to cross the picket line at the local Vons or find a non-unionized grocery store.

Browser stats for squarefree.com

Tuesday, October 21st, 2003
  • Mozilla: 59.6% (76.6% Firebird)
  • MSIE: 27.5%
  • Opera: 2.3%
  • KHTML: 1.2%
  • Other: 9.4% (includes robots)

Default major

Sunday, October 19th, 2003

Sara Saperstein told me that at Reed, students who don't know what to major in often become psychology majors. Partly as a result of this, the psychology major isn't as challenging or as interesting as it should be. Sara is no longer a psychology major.

At Mudd, engineering is the (unofficial) default major. Engineering is also the most difficult major in terms of course load: it has difficult labs, 3 semesters of Clinic, and allows students only 1 free elective for their entire 4 years. I don't know why it's the default major despite being so hard.

Do other colleges have "default majors"?

The ultimate Engrish phrase?

Sunday, October 19th, 2003

"Eternal Engine of Linguistic Massacre", a song title translated from Japanese, seems to sum up the entire Engrish phenomenon. It is song 5 on the second CD of the soundtrack of a Japanese game called Valkyrie Profile. But when I found the original title of the song and showed it to Gabe, he decided it was translated correctly and didn't make any more sense in Japanese.

Friends don’t let friends use IE

Tuesday, October 14th, 2003

Pop-ups kill.

Laid to governation

Sunday, October 12th, 2003

Gabriel Neer: "Governating the countryside! Governating the peasants! Especially the women!"