Experienced developers learn what their core business functions are and write whatever software they deem necessary to perform those functions extraordinarily well.... [In] choosing to fight that HTML sanitizer battle, I've earned the scars of experience. I don't have to take anybody's word for it -- I don't have to trust "libraries". I can look at the code, examine the input and output, and predict exactly what kinds of problems might arise. I have a deep and profound understanding of the risks, pitfalls, and tradeoffs of HTML sanitization.. and cross-site scripting vulnerabilities.
— Jeff Atwood, Programming Is Hard, Let's Go Shopping!
It's difficult for me to imagine that any core business function of a website is "expose XSS and XSRF vulnerabilities". In my experience, only novices think "I should write my own CGI parameter handling code!" while the experts think "Too much busy work; I'll work on something that matters." In practice, that novice approach is "I'll copy this code I found somewhere else and tweak it until it looks right." That's not learning. That's sympathetic voodoo magic. "I learn better when I code it myself" is an excuse which really means "I don't want to bother learning it at all!"
A real programmer really interested in learning would have started with test cases (and there are copious test cases available for this). Forget the "scars of experience". Instead, take advice from programmers who code with their brains, not their machismo.
He states in the comments that aside from the (allegedly) poorly written HTML Agility Pack, there was really nothing available for him for
But what about the "copious test cases available"?
nihiliad on 2008-10-21T20:35:54
I think the comment by Adam Gomaa on Atwood's blog nails it, especially:...I would have gone with a port of another language/platform's sanitizer, because I *guarantee* there are domain problems they've dealt with that you couldn't possibly have have thought up on your first iteration.
Atwood so far hasn't commented on whether or not he did that, or whether or not he thinks that's a good idea in general. The comments he did make, e.g. "scars of experience", suggest that he would answer "no" to both questions.
Re:I was confused by this, too
chromatic on 2008-10-21T21:05:42
There's great difference between rewriting existing code to learn (or because it's the "core competence" of your project) and writing code that doesn't exist. I've only met one person (Chuck Moore) who does the former rigorously, and I'll take the advice from him that that's the best way to learn something. Jeff Atwood? Not a chance.
I was totally with him until, "I don't need to trust libraries." I might not trust other people's libraries for some problems... but only after *trying* to trust them. I'm not sure I could even say that sentence out loud.
In my experience, only novices think "I should write my own CGI parameter handling code!" while the experts think "Too much busy work; I'll work on something that matters."
I take exception w/ this statement since it's probably not complete. Absolutes not always being right and all. (Hi everyone!)
For learning, anyone should write anything they can, as low or high level as their capacity allows. Write your own parser, your own number cruncher, your own implementation of IEEE floating point. It breeds experience in a general sense. 1) You'll learn the ups and downs of that little niche and 2) You'll learn to recognize when doing such is down right stupid.
For execution, trusted algorithms, and trusted code should be used when things matter the most. Use perl's split, or LWP, or some tried and true implementations of crap.
In one of the Stackoverflow podcast episodes, Jeff and Joel Spolsky discuss this at some length. Joel finished it off with a story about why the Excel team at Microsoft vigorously excised any dependencies to the point that they even had their own compiler. That, however, was back in the day when programmers had to seriously consider memory footprint, loading sequence, paging, and other things the most of us probably don't even know how to deal with anymore.
I've been going through all of the Stackoverflow podcasts before I come up with a judgement for the site, and my overall impression is that it sure is weird outside of my world where I have easy access to good information and clueful people. I guess it's not like that in the ASP.net world, and I don't know their ecosystem.
Still, I think Jeff is at that point in his career where he hasn't been crushed by the monotony of doing everything himself. It's a bit nostalgic; I probably thought a lot of the same things at that point in my career. Now I know that I don't really know that much and that I can't really predict anything. In the prescient but much aligned words of Donald Rumsfeld, there are "known unknowns and unknown unknowns". I don't think Jeff is reached the "unknown unknowns" phase yet, but that's fine. Once you get there it's a chore to do anything and you'd be totally uninterested in starting something like Stackoverflow.
Re:Working with Spolsky is rotting his brain
Aristotle on 2008-10-24T00:32:54
No, he never did. Jeff’s personal brand has always been about writing at an accessible level on a consistent schedule. He did not change much at all over time. If you think he has, it’s probably you changing and outgrowing him.
