
Twitter breaks its tinyurl expansion functionality

Update: This issue is fixed now. The issue seems to be with bit.ly URLs alone, though it doesn't look like an issue on bit.ly's side, as their expand API is working fine.

Twitter has functionality on its search results page where users can click on expand for tinyurls to see the actual destination URL. That functionality is broken and no longer works.
Clicking on the expand link sends an XMLHttpRequest of the form

http://search.twitter.com/hugeurl?url=http%3A%2F%2Fbit.ly%2F4vdhsg

Currently this request returns nothing, so clicking on expand shows nothing.
Will update this post once the issue gets resolved.

Google's Explanation on Flagging All the Sites as Malware Sites

Google gave an official explanation of yesterday's bug where Google flagged all the search results as malware. It wasn't a code push that caused the issue, but a data push. Google maintains all the URLs which are considered malware in a file. The URLs in this file are updated both manually and in an automated way.
Yesterday a new version of this file was pushed to the servers, and the file contained '/' as one URL, which acts like * in a regular expression, so all the sites were listed as malware. Great that the team was able to identify this issue soon and revert the URLs file.
But the question remains: how did '/' get into the URLs list? It can be either a manual error or a bug in the automated malware URL detection code. Google claims it was a manual error, and for that matter any tech company in such a scenario would not admit to a bug in the code. But how can a human whose daily job is to update these URLs be unaware that entering '/' would mean all the URLs, or is he some disgruntled employee who got a pink slip recently?
Now, will ecommerce sites like eBay or Amazon sue Google, as they may well have made losses during the 55 minutes in which their sites were shown as malware sites?
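One way to catch an entry like '/' before the file reaches the servers is a pre-push check, shown here as an added example (not Google's code and not from the original post). It assumes an entry flags any URL that contains it as a substring; the canary URLs, the entries and the function names are constructed for illustration.

```javascript
// Added example: pre-push sanity check for a URL blocklist file.
// Assumption: an entry flags every URL that contains it as a substring.

// Constructed canary set: known-good URLs that must never be flagged.
const CANARY_URLS = [
  "http://www.example.com/",
  "http://www.example.org/products/item?id=42",
  "http://news.example.net/2009/01/31/story.html",
];

// Constructed candidate list; the second entry reproduces the bad "/" entry.
const CANDIDATE_ENTRIES = [
  "malware-host.example/dropper.exe",
  "/",
  "bad.example/exploit/",
];

function matches(entry, url) {
  return url.includes(entry);
}

// Returns { ok, rejected: [{ entry, reason }] } so a deploy script can abort the push.
function validateBlocklist(entries, canaries) {
  const rejected = [];
  for (const raw of entries) {
    const entry = raw.trim();
    if (entry === "") {
      rejected.push({ entry: raw, reason: "empty entry" });
      continue;
    }
    // Structural check: an entry must name a host, not just a path separator.
    if (!/[a-z0-9-]+\.[a-z0-9-]+/i.test(entry)) {
      rejected.push({ entry: raw, reason: "no host name in entry" });
      continue;
    }
    // Behavioural check: no entry may flag a known-good URL.
    const hit = canaries.find((url) => matches(entry, url));
    if (hit) {
      rejected.push({ entry: raw, reason: `flags known-good URL ${hit}` });
    }
  }
  return { ok: rejected.length === 0, rejected };
}

const result = validateBlocklist(CANDIDATE_ENTRIES, CANARY_URLS);
console.log(result.ok ? "push allowed" : "push blocked", result.rejected);
```

The structural check stops '/' itself, and the canary check stops any other entry that is broad enough to flag a known-good site.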

Stop Writing in Toilets and Start Testing

After a few recent incidents, I feel that all the Google testers are busy writing on the toilets (read about Testing on the Toilet) and have forgotten about testing the software. I would request them to please concentrate on testing software and not to just claim to be the best testing/QA team in the world. Google definitely has some of the best testers, who helped build world-class web applications, but quality seems to be deteriorating.
First, it was the security loopholes in Google's Chrome browser which surprised me. Just an hour back, Google Search started showing all the results as malware sites which may harm your computer. This lasted for about 15 minutes. On the lighter side, Google may be trying to show all non-sponsored results as malware so users will end up with no option but to click on sponsored ads.
One more issue, on orkut: I have been trying to submit an orkut app for a couple of days with no success using this url. I am constantly getting this message:
Bad, bad server. No donut for you.
Unfortunately, the orkut.com server has acted out in an unexpected way. Hopefully, it will return to its helpful self if you try again in a few minutes.
There was no response from them even to an email. Let's see how long this will remain.

What do you guys feel? Is Google slowly losing on the Quality front?

Zapak.com in Association With Pringoo ....

Pringoo, a custom T-shirts and gifts portal, has struck a partnership with Reliance's gaming portal zapak.com. As a part of this partnership, Pringoo allows you to create gaming-related custom merchandise. The partnership is similar to the asklaila-msn partnership.
Zapak shopping has the custom Pringoo page as an iframe. Basically, Pringoo is counting on getting more traction from the Zapak partnership, and Zapak may be looking to make some revenue out of this deal. Zapak recently closed down its Bangalore office and is in cost-cutting mode. These kinds of deals will help Zapak raise some money to sustain itself. Zapak spent a lot of money on marketing initially and in the process got a brand image, and now they should use that image to get back the money :).

Bug: If a user visits http://shopping.zapak.com, the header shown will be that of Zapak. Now open http://pringoo.com in the same browser session, and you will still see the Zapak header (it should have been Pringoo's header). Pringoo may want to fix this; you may want to look at the way you are handling the cookies.
Guys, what do you think of this partnership?

Also read: AskLaila powers msn cities

Reading the Javascript Variables in PHP: A Common Mistake by Developers

JavaScript gets executed on the client side and PHP on the server side. Most web developers are aware of this fact. But when asked how they would read a JavaScript variable's value into PHP, the reply from many would be to do it this way:
$total = "<script language=javascript>document.write(subtotal);</script>";
which looks valid, and in fact code like this would definitely work:
<script type="text/javascript">
var subtotal=100;
</script>
<?php
$total = "<script language=javascript>document.write(subtotal);</script>";
echo "Total1: $total<br>";
?>
Yes, this code works as expected. The actual problem arises when the developer goes ahead and uses this variable further in the code. For example:
<script type="text/javascript">
var subtotal=100;
</script>
<?php
$total = "<script language=javascript>document.write(subtotal);</script>";
echo "Total1: $total<br>";
$total=$total+10;
echo "Total2:$total<br>";
?>
Now just guess the output of this program. Want to know if your guess is right or not? Just check here. How many of you guessed it would be
Total1:100
Total2:110
This is not what is printed in the browser, because $total = "<script language=javascript>document.write(subtotal);</script>"; does not actually set the value of $total to the value of the JavaScript variable subtotal. It is set to the string, and the browser just changes that string to the actual value (i.e. a JavaScript execution). This looks like a very basic thing, but some developers do write this kind of code. A better way is to save such JavaScript variables as part of a cookie and use it in subsequent PHP code.


Cross Site Scripting Vulnerability With An Example


Cross Site Scripting (XSS) is a vulnerability typically found in web applications which allows code injection into web pages that are viewed by others. Most of the time the code is client-side scripting code. There are many ways in which XSS vulnerabilities are exploited. Here is one such way.
  1. Mallik sends a URL to XYZ (via email or another mechanism) of a maliciously constructed web page.
  2. XYZ clicks on the link.
  3. The malicious web page's javascript opens a vulnerable HTML page on XYZ's browser.
  4. The vulnerable HTML page contains javascript which executes in XYZ's browser's local zone.
  5. Mallik's malicious script now may run commands with the privileges XYZ holds on her own browser.
Most of the time these scripts steal the user's cookie. Let's try this out on the Ibibo website. Here, instead of writing JavaScript which posts the user's cookie to some server, I am simply embedding JavaScript code which displays the user's cookie details.
  1. Mallik sends the URL http://www.ibibo.com/search.aspx?q=%22%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22 to XYZ.
  2. When XYZ clicks on this link the JavaScript gets executed, and if the user is logged into ibibo at that moment, all the cookie details will be shown (Ibibo is saving the password as well in plain format, which is more dangerous if the cookie gets stolen).
Basically the above link injects "<script>alert(document.cookie)</script>" code into the HTML page. Attached is a screenshot of what happens when the user clicks on the above link. In the image, mp="" is blanked out because that is basically my ibibo password :). Get your web applications certified for being XSS vulnerability free, contact us at mallik_y2k2
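The server-side fix is to HTML-encode the q parameter before echoing it, shown below as an added example (not Ibibo's code and not from the original post). The function names and the sid cookie are hypothetical; the cookie carries only an opaque session id, never the password, and is marked HttpOnly so page script cannot read it through document.cookie.

```javascript
// Added example: a search page echoing the q parameter, unsafe vs. encoded.

// Query string taken from the link in the post.
const SAMPLE_QUERY = "q=%22%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22";

// Decode the q parameter the way a web framework would before handing it to page code.
function getQuery(queryString) {
  return new URLSearchParams(queryString).get("q") || "";
}

// Vulnerable: the decoded parameter is concatenated into the markup as-is,
// so the browser parses the injected <script> element.
function renderUnsafe(q) {
  return `<p>Results for ${q}</p>`;
}

// HTML-encode the five characters that can change the markup context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same page, but user input is encoded before it reaches the HTML,
// so the browser displays the payload as text instead of running it.
function renderSafe(q) {
  return `<p>Results for ${escapeHtml(q)}</p>`;
}

// Defence in depth: an opaque session id in an HttpOnly cookie.
// "sid" is a hypothetical cookie name; no password is ever stored in it.
function sessionCookieHeader(sessionId) {
  return `Set-Cookie: sid=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

const q = getQuery(SAMPLE_QUERY);
console.log(renderUnsafe(q));
console.log(renderSafe(q));
console.log(sessionCookieHeader("constructed-session-id"));
```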

Common Bug in HTML While Using Multiple Layers

One feature many recent Web 2.0 companies have is multiple layers on their websites. For example, when the user clicks on, say, "Add", which needs authentication, the site shows a login form as a popup. This popup is basically a div with a z-index greater than that of the original web page. The div code is already present in the existing HTML but is hidden; it is shown on clicking, say, "Add". You can read more about z-index here. In these kinds of cases, if the same form as the hidden div is already present on the page at some other location, then we need to ensure that the ids given to the two of them are different.
For example, Pixrat is one such site which uses this layering approach for its login form. When the user tries to bookmark an image without logging in, it shows a login form which also has a radio button for register. When the register radio button is selected, instead of changing the fields in the popped-up login form, it changes them in the login form present on the right-hand side. This could have been avoided by giving different div ids to the div on the right-hand side and the popped-up div. I have seen this kind of error on other websites as well.

MS Word Spell Checking Functionality

MS Word has spell check functionality: once you complete writing a document, if you press F7 the spelling and grammar check will start and suggest a word for each wrongly spelt word. Also, there is a feature for replacing all the occurrences of one misspelt word with another. Let's say the text is:
Testing software cin also CIN also Cin and also CiN and also cIN
Now press F7. It will show cin as a misspelt word and suggest can as the right word, and there is an option to change all these misspelt words in one go, so the expected result after this operation will be:
Testing software can also CAN also Can and also Can and also can [Assuming it replaces irrespective of case, or else it should prompt the user when CIN appears, since it can be an abbreviation for some word]
But what actually happens is:
Testing software can also CAN also Can and also CiN and also cIN [It replaces the first three occurrences of cin and prompts for the 4th occurrence; I couldn't understand the logic here]

I am not sure if this is a bug or by design; let's hope the Microsoft guys will respond to this and clarify.

Testing Triangles : Bugs

Yesterday, I was looking at the testing triangle exercise posted here. As it happens, I was curious to look at the code straight away, and fortunately I could access it as it was JavaScript. Looking at the code, and leaving aside the graphics code, the most important thing was the condition "this.s1 >= this.s2 + this.s3", which gives an invalid triangle; the other conditions are straightforward. The cases which are not handled here are:
- When all sides are given as zeros, in which case it is a point, which I feel is also a triangle, but the above condition fails.
- There is no check that sides can only be positive integers/floating point numbers, so it can take non-negative integers and strings as well, in which case the results make no sense. In the case of strings it may end up with NaN in many places, with weird behavior.
The interesting bug is that for the condition "this.s1 >= this.s2 + this.s3" to work, whatever the order in which the user enters the values, we need to sort them in such a way that s1 >= s2 >= s3 (or at least s1 should be the maximum of the three sides). For this, I had to check whether the sorting function works properly or not. The interesting thing is that the sort function used in this code was string sorting and not numeric sorting. If the input is 8,7,9, the sort function will reorder them as 7,8,9, but if the input values are 9,12,7 the sort function reorders them as 12,7,9. So from this we can make out that sorting is happening based on string matching, and since 1 < 7, it has sorted 12 as less than 7 :). The cases wherein the graphic does not appear properly are because of this sorting itself.
Well, one thing I would definitely have missed using just code inspection is the case where the user enters 2.1,2.2,4.3, which should have been an invalid triangle, but 2.1+2.2 is calculated as 4.300000000000001, which is greater than 4.3, and hence it is reported as a scalene triangle.
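The sorting and rounding problems above, reproduced next to a corrected check as an added example (not the exercise's code). The function names and the relative tolerance are choices of this example, and it rejects zero-length sides as invalid input.

```javascript
// Added example: string sort vs. numeric sort, and a triangle check that
// validates its input and tolerates floating-point rounding.

// Default Array.prototype.sort compares elements as strings: "12" < "7".
function sortAsStrings(sides) {
  return [...sides].sort();
}

// A comparator makes the sort numeric.
function sortAsNumbers(sides) {
  return [...sides].sort((a, b) => a - b);
}

function classifyTriangle(a, b, c) {
  const sides = [a, b, c].map(Number);
  // Reject strings that are not numbers, NaN, Infinity, zero and negatives.
  if (sides.some((s) => !Number.isFinite(s) || s <= 0)) {
    return "invalid input";
  }
  const [s3, s2, s1] = sortAsNumbers(sides); // s1 is the longest side
  // Relative tolerance so that 2.1 + 2.2 compares equal to 4.3.
  const eps = 1e-9 * s1;
  if (s1 >= s2 + s3 - eps) return "not a triangle";
  if (s1 - s3 <= eps) return "equilateral";
  if (s1 - s2 <= eps || s2 - s3 <= eps) return "isosceles";
  return "scalene";
}

console.log(sortAsStrings([9, 12, 7]));   // string order, as seen in the exercise
console.log(sortAsNumbers([9, 12, 7]));   // numeric order
console.log(classifyTriangle(2.1, 2.2, 4.3));
console.log(classifyTriangle("9", "12", "7"));
console.log(classifyTriangle("abc", 1, 1));
```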

[Bug] Blog not Getting Indexed by Search Engines

During the last week, there was zero traffic from Google to my blog. When I looked at what the problem was, I saw that none of my blog articles were indexed by Google and there were no results from my blog. Looking at my Blogger template, there is one line, <$BlogMetaData$>, which adds all the meta information. When I viewed the source code of my blog I found the meta data containing the line
<meta name="ROBOTS" content="NOINDEX,NOFOLLOW">
I don't know why or how this line was added to my blog. It means that these pages should not be indexed by any search engine. To solve this problem I had to remove <$BlogMetaData$> from the blog template manually and add all the lines shown in the source code for the page meta information except the last line shown above. There is some bug in Blogger which probably added this line to the blog template.

[BUG] Yahoo Pipes Redefines The Union Operator

Yahoo has recently launched a new product called Pipes. The product name is taken from the world of UNIX, where a pipe is for the transfer of data between applications. But Yahoo! Pipes goes beyond what pipes are and do, as the application provides functions (or modules, as they are called in the app) that perform a variety of different actions. As any product from a major brand gets initial hype, so did Pipes, and their servers went down for some time just 8 hours after the launch. I was playing around with Yahoo Pipes over the weekend; while there was a lot of scope for improvement in terms of usability, as a tester I just wanted to try out a few things. I started by creating a pipe with two fetch modules, both given the same URL to extract (http://feeds.feedburner.com/softwaretesting). The output of these modules was given to a Union operator, which supposedly unions the output of the two fetch modules. In general the Union operator is expected to combine the output of the two modules and remove the duplicates.

So I did expect the same, but the output was that each article on my blog was repeated twice. This behavior of the Union operator deviates from the general definition and also does not make much sense in the Pipes use case. You can try this pipe here. Though RSS readers may detect these duplicates, shouldn't Yahoo Pipes be handling it?
Hope that Yahoo takes note of this bug and fixes it soon.