FOSS and When the Internet Remembers

Funny thing about publishing free software: initially you want people to use it. But after they do, they may ask for free support, or small problems in what you wrote eat at the back of your mind (could I be hurting someone more than helping?). How long should we support our FOSS projects & at what personal cost?

Around 2011 I published a collection of PHP XSS filters to a GitHub gist. The collection had started several years before that & evolved over time. At one point it secured a multi-national social advertising service Levi’s ran & was included in two minor CMS frameworks.

Five years later a security researcher found a pretty major flaw in the logic. I’m pretty happy it took five years to find that, but ouch, it was a big security hole.

So … I’ve updated my xss_clean.php gist & contacted one project that still uses it. If you’re searching for an XSS filter, do me a favor & try HTML Purifier or the kses libraries. Currently & hopefully for a while longer, their creators continue to have enough time to keep them up-to-date.
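As an added illustration of the alternative to a hand-rolled filter (this is not the xss_clean.php gist, and it does not reconstruct the flaw the researcher reported, which this post doesn't describe): escape at output, per context, and reserve a sanitizer like HTML Purifier for the narrower case where users are allowed to submit rich HTML. The function names and the sample comment are assumptions made up for the example.

```php
<?php
// Added example: output encoding per context, instead of a blacklist that tries to
// guess what an attacker will type. Not the gist's code; names are hypothetical.
declare(strict_types=1);

// Text placed between tags, or inside a quoted attribute value.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A value embedded in an inline <script> block: JSON-encode and hex-escape the
// characters that could terminate the script element or break out of the string.
function esc_js(string $value): string
{
    $encoded = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
    );
    return $encoded === false ? '""' : $encoded;
}

// A value used as a query-string parameter.
function esc_url_param(string $value): string
{
    return rawurlencode($value);
}

// A user-supplied URL placed in href: allow only http(s), and still HTML-encode
// the result because it lands inside an attribute.
function safe_href(string $url): string
{
    $parts  = parse_url($url) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return esc_html($url);
}

// Each interpolation point uses the encoder for the context it sits in.
function render_comment(string $author, string $body, string $site): string
{
    return '<div class="comment">'
        . '<a href="' . safe_href($site) . '">' . esc_html($author) . '</a>'
        . '<p>' . esc_html($body) . '</p>'
        . '<a href="/search?q=' . esc_url_param($author) . '">more</a>'
        . '<script>var author = ' . esc_js($author) . ';</script>'
        . '</div>';
}

// Constructed sample input: quotes, angle brackets, an ampersand and a non-http URL.
echo render_comment("O'Brien <admin>", 'Use "HTML Purifier" & friends', 'javascript:void(0)'), PHP_EOL;
```

The point of the layout is that nothing in the input needs to be recognised as "bad": every value is transformed so it cannot change the structure of the context it is written into, and the one place where a scheme check is unavoidable (href) is an allowlist, not a blacklist.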


Location APIs, Not Currently Eating the World

Foursquare, Facebook, Twitter, and Yelp have all removed timestamped location-specific data from their APIs. Is there any location check-in data from a major site anymore?


All of these sites used to expose some form of user check-ins in their APIs. I’m not sure why check-in data is gone now … The sites could be hiding app-usage from other sites (or investors?). Or possibly it prevents new apps from building competitive features first.

Those arguments shouldn’t hold water, or I’m missing something. Big corporations can buy a firehose of data like Gnip & derive check-ins without needing users to manually do it. And preventing startups from coming up with new ideas isn’t typical in tech. Helping a dozen different apps to build & test new ideas, then buying the successful ones, is even easier now that Google, Facebook, and Twitter are public. Or had someone built a way for dry cleaners to track each other’s check-ins, and Facebook/Yelp/etc. couldn’t afford to let their advertisers feel cornered?

Regardless of why, it’s unfortunate and counterproductive to innovation.

After all, there’s a cheap firehose of location data available from mobile ad networks. A few dozen check-ins tracked in an API? How about 16,000 devices tracked at the Iowa Presidential caucuses. Integrating with all those mobile ad exchanges is a bit time-consuming, but the data is higher-volume and a heck of a lot cheaper than Gnip’s. After all, the mobile ad exchanges are providing this latitude/longitude data for free: it’s part of the targeting data provided *before* an ad impression is purchased.