FLOSS Project Planets

The Drop Times: A Selfish Exercise in Selfless Commitment: Conversation with Michael Anello

Planet Drupal - Mon, 2024-01-01 14:49
In this interview, Michael Anello opens up about his experiences, challenges, and triumphs in Drupal. From teaching engineering to steering DrupalEasy, he shares unfiltered insights into Drupal's evolution, the hurdles beginners face, and his vision for the future. Michael reflects on 2023, offering a genuine look into his professional highs and challenges with a sneak peek into what lies ahead for DrupalEasy. Join us for a straightforward exploration into the heart of Drupal, guided by Michael's authentic perspective.
Categories: FLOSS Project Planets

Django Weblog: DjangoCon Europe 2024 CFP Now Open

Planet Python - Mon, 2024-01-01 13:00

It's a new year. What better way to start it than submitting your talk or workshop for DjangoCon Europe 2024, in beautiful Vigo, Spain?

The Call for Proposals (CFP) is open now, and will be until midnight on February 29th. That's two whole months, but you don't have to leave it to the last minute:

DjangoCon Europe 2024, Vigo CFP

We're looking for a range of talks on technical and non-technical topics. We're looking for talks accessible to all skill levels, and we're looking for submissions from new and seasoned speakers.

If you're asking, can I do this? The answer is yes. If you've got a topic that interests you, then it interests us.

If you've got half an idea, or aren't sure in any way, and want to chat, you can jump on the DjangoCon Europe Slack, and find us there.

Don't be shy, we want to hear from you!

We'll see you in Vigo!

Real Python: Python's Array: Working With Numeric Data Efficiently

Planet Python - Mon, 2024-01-01 09:00

When you start your programming adventure, one of the most fundamental concepts that you encounter early on is the array. If you’ve recently switched to Python from another programming language, then you might be surprised that arrays are nowhere to be found as a built-in syntactical construct in Python. Instead of arrays, you typically use lists, which are slightly different and more flexible than classic arrays.

That said, Python ships with the lesser-known array module in its standard library, providing a specialized sequence type that can help you process binary data. Because it’s not as widely used or well documented as other sequences, there are many misconceptions surrounding the use of the array module. After reading this tutorial, you’ll have a clear idea of when to use Python’s array module and the corresponding data type that it provides.

In this tutorial, you’ll learn how to:

  • Create homogeneous arrays of numbers in Python
  • Modify numeric arrays just like any other sequence
  • Convert between arrays and other data types
  • Choose the right type code for Python arrays
  • Emulate nonstandard types in arrays
  • Pass a Python array’s pointer to a C function

Before you dive in, you may want to brush up on your knowledge of manipulating Python sequences like lists and tuples, defining custom classes and data classes, and working with files. Ideally, you should be familiar with bitwise operators and be able to handle binary data in Python.

You can download the complete source code and other resources mentioned in this tutorial by clicking the link below:

Get Your Code: Click here to download the free source code that shows you how to use Python’s array with your numeric data.

Understanding Arrays in Programming

Some developers treat arrays and Python’s lists as synonymous. Others argue that Python doesn’t have traditional arrays, as seen in languages like C, C++, or Java. In this brief section, you’ll try to answer whether Python has arrays.

Arrays in Computer Science

To understand arrays better, it helps to zoom out a bit and look at them through the lens of theory. This will clarify some baseline terminology, including:

  • Abstract data types
  • Data structures
  • Data types

Computer science models collections of data as abstract data types (ADTs) that support certain operations like insertion or deletion of elements. These operations must satisfy additional constraints that describe the abstract data type’s unique behaviors.

The word abstract in this context means these data types leave the implementation details up to you, only defining the expected semantics or the set of available operations that an ADT must support. As a result, you can often represent one abstract data type using a few alternative data structures, which are concrete implementations of the same conceptual approach to organizing data.

Programming languages usually provide a few data structures in the form of built-in data types as a convenience so that you don’t have to implement them yourself. This means you can focus on solving more abstract problems instead of starting from scratch every time. For example, the Python dict data type is a hash table data structure that implements the dictionary abstract data type.

To reiterate the meaning of these terms, abstract data types define the desired semantics, data structures implement them, and data types represent data structures in programming languages as built-in syntactic constructs.

Some of the most common examples of abstract data types include these:

In some cases, you can build more specific kinds of abstract data types on top of existing ADTs by incorporating additional constraints. For instance, you can build a stack by modifying the queue or the other way around.

As you can see, the list of ADTs doesn’t include arrays. That’s because the array is a specific data structure representing the list abstract data type. The list ADT dictates what operations the array must support and which behaviors it should exhibit. If you’ve worked with the Python list, then you should already have a pretty good idea of what the list in computer science is all about.

Note: Don’t confuse the list abstract data type in computer science with the list data type in Python, which represents the former. Similarly, it’s easy to mistake the theoretical array data structure for a specific array data type, which many programming languages provide as a convenient primitive type built into their syntax.

The list abstract data type is a linear collection of values forming an ordered sequence of elements. These elements follow a specific arrangement, meaning that each element has a position relative to the others, identified by a numeric index that usually starts at zero. The list has a variable but finite length. It may or may not contain values of different types, as well as duplicates.

The interface of the list abstract data type resembles Python’s list, typically including the following operations:

List ADT                             Python's list
Get an element by an index           fruits[0]
Set an element at a given index      fruits[0] = "banana"
Insert an element at a given index   fruits.insert(0, "banana")
Delete an element by an index        fruits.pop(0), del fruits[0]
Delete an element by a value         fruits.remove("banana")
Delete all elements                  fruits.clear()
Find the index of a given element    fruits.index("banana")
Append an element at the right end   fruits.append("banana")
Merge with another list              fruits.extend(veggies), fruits + veggies
Sort elements                        fruits.sort()
Get the number of elements           len(fruits)
Iterate over the elements            iter(fruits)
Check if an element is present       "banana" in fruits

Now that you understand where the array data structure fits into the bigger picture, it’s time to take a closer look at it.

Read the full article at https://realpython.com/python-array/ »

The Drop Times: Drupal 2024: Embracing Diversity and Resolutions for a Flourishing Community

Planet Drupal - Mon, 2024-01-01 08:29

As we welcome the dawn of a brand-new year, it's the perfect time to reflect on the past and set our sights on the future. New Year's resolutions offer us the chance to positively change our personal and professional lives. Whether it's adopting healthier habits, pursuing new skills, or fostering stronger connections, the start of the year serves as a powerful catalyst for growth and self-improvement.

In the spirit of resolutions, let's focus on personal goals and consider how we can collectively enhance our contributions to the Drupal community. As advocates for open-source collaboration and innovation, we have the opportunity to amplify the reach of Drupal and strengthen its impact. By fostering a culture of inclusivity and diversity within the Drupal community, we can ensure that our collective efforts lead to more robust, accessible, and user-friendly solutions.

In the coming year, let's commit to bringing Drupal to new heights by actively engaging with and reaching out to a broader audience. Embracing diversity and inclusion within the Drupal community enriches our collaborative environment and opens doors to fresh perspectives and ideas. Let's make 2024 a year of growth, unity, and empowerment for ourselves and the Drupal ecosystem.

We're excited to share some intriguing Drupal-related news from last week! Vimal Joseph, Director of MarTech at Zyxware, conversed with Jonathan Carter, the Debian Project Lead (DPL). This insightful dialogue originated during their in-person meeting at the Global DebConf, the Debian Project's annual developer conference, held in Kochi, Kerala, India. The conversation culminated in an engaging email interview, shedding light on Carter's journey within the Debian ecosystem. To read the complete interview, click here. 

In addition, The DropTimes (TDT) contacted the initiative leads and contributors of Distributions and Recipes. Tim Hestenes Lehnen and Jim Birch generously accepted our request. In an email correspondence with Alka Elizabeth, sub-editor of TDT, they shared valuable insights. Dive into the complete article here.

Delve into my latest articles featuring insights from Coby Sher and Pratik Kamble on the transformative API Client initiative. Coby shares his excitement for the project, emphasizing its efficiency for developers, while Pratik highlights the positive impact of the official JavaScript library on data retrieval. Read the full article here.

Also, experience the festive zeal of Specbee's dynamic team in Elma John's holiday reflection. Discover their celebrations and aspirations for the Drupal community in this heartwarming piece. Don't miss out – read the full article here for festive inspiration and community spirit.

Secure your spot at Drupal Mountain Camp 2024 with Early Bird tickets! Act now, as Early Bird pricing ends on January 20, 2024. Drupal Mountain Camp 2024 is gearing up to host two illustrious keynote speakers: Preston So, a distinguished figure in product, design, engineering, and innovation, and Jutta Horstmann, a passionate advocate for feminist sustainability and a leading voice in free software advocacy.

Secure your spot at the two-day nerd-delicious NERD Summit 2024. Get your tickets and be part of an empowering event where knowledge and collaboration take center stage. MidCamp, a significant Drupal event, extends its speaker submission deadline to January 7, 2024. Start the year with the Twin Cities Drupal community at the University of Minnesota's Sprint Day on January 12, 2024!

Discover how the User One Time Login module in Drupal revolutionizes user authentication by enabling secure single sign-on links and unique login access, offering enhanced control and flexibility for site administrators. Read about the View Filter Commerce Promotion module, designed to streamline commerce promotion management within Drupal. Klaus Purer, Ivan Tibezh, Juraj Falat, and Andrii Cheredn have been officially recognized as current security release members of the D7Security initiative to bolster Drupal 7 projects' security.

Learn about the recently introduced Bunny Stream module by Borja Vicente, which seamlessly integrates Drupal Media with Bunny.net’s streaming service, offering enhanced video upload and embedding capabilities for Drupal websites. Explore TokenLink, the recently launched Drupal module revolutionizing token integration. Developed by Cosmos, this module offers enhanced flexibility and promises efficient token management for diverse content needs. Get the complete insight here. Learn about the recently revealed Drupalwned script designed to escalate Cross-Site Scripting vulnerabilities to critical levels within the Drupal CMS. 

Due to the compulsion to limit the selection of stories, we can only share this much for now. Wishing you continued success and inspiration in your Drupal journey!

To get timely updates, follow us on LinkedIn, Twitter and Facebook.

Thank you,

Sincerely

Kazima Abbas
Sub-Editor, TheDropTimes

Talking Drupal: Talking Drupal #431 - Live at NEDCamp

Planet Drupal - Mon, 2024-01-01 08:17
Talking Drupal #431 - Live at NEDCamp

On today’s show we share interviews we conducted with sponsors, speakers and attendees at New England Drupal Camp in November. Seventeen in all.

For show notes visit: www.talkingDrupal.com/431

Topics

Interviews with:

  • Michael Miles
  • Nick Silverman
  • Matt O’Bryant
  • Ethan Aho
  • Mike Anello
  • Patrick Anderson
  • Brian Perry
  • Aubrey Sambor
  • Brigitte Ayerves Valderas
  • Chris Wells
  • Richard Hood
  • Chris Amato
  • Ivan Stegic
  • Philip Frilling
  • Rod Martin
  • Jacob Rockowitz
  • Whitney Hess

Hosts

  • Nic Laflin - nLighteneddevelopment.com - nicxvan
  • John Picozzi - epam.com - johnpicozzi
  • Martin Anderson-Clutz - mandclu
  • Stephen Cross - StephenCross.com

Tim Retout: Prevent DOM-XSS with Trusted Types — a smarter DevSecOps approach

Planet Debian - Mon, 2024-01-01 07:46

It can be incredibly easy for a frontend developer to accidentally write a client-side cross-site-scripting (DOM-XSS) security issue, and yet these are hard for security teams to detect. Vulnerability scanners are slow, and suffer from false positives. Can smarter collaboration between development, operations and security teams provide a way to eliminate these problems altogether?

Google claims that Trusted Types has all but eliminated DOM-XSS exploits on those of their sites which have implemented it. Let’s find out how this can work!

DOM-XSS vulnerabilities are easy to write, but hard for security teams to catch

It is very easy to accidentally introduce a client-side XSS problem. As an example of what not to do, suppose you are setting an element’s text to the current URL, on the client side:

// Don't do this
para.innerHTML = location.href;

Unfortunately, an attacker can now manipulate the URL (and e.g. send this link in a phishing email), and any HTML tags they add will be interpreted by the user’s browser. This could potentially be used by the attacker to send private data to a different server.

Detecting DOM-XSS using vulnerability scanning tools is challenging - typically this requires crawling each page of the website and attempting to detect problems such as the one above, but there is a significant risk of false positives, especially as the complexity of the logic increases.

There are already ways to avoid these exploits: developers should prefer a safe sink such as textContent where plain text is all that is needed, and sanitize untrusted input before assigning it to an HTML sink such as innerHTML. There are libraries such as DOMPurify which can help with sanitization.[1]

However, if you are part of a security team with responsibility for preventing these issues, it can be complex to understand whether you are at risk. Different developer teams may be using different techniques and tools. It may be impossible for you to work closely with every developer — so how can you know that the frontend team have used these libraries correctly?

Trusted Types closes the DevSecOps feedback loop for DOM-XSS, by allowing Ops and Security to verify good Developer practices

Trusted Types moves the enforcement point into the browser[2] by requiring the web developer to assign a particular kind of JavaScript object (TrustedHTML, TrustedScript or TrustedScriptURL) rather than a native string to .innerHTML and other dangerous sinks. These objects can only be produced by a named policy, so provided the policy's create functions sanitize correctly, the values they return can be trusted not to introduce XSS. A reviewer then only has to audit the policies, not every call site that writes to the DOM.

This approach will work with whichever tools the frontend developers have chosen to use. Detection of issues (the report-only mode described below) can be rolled out by infrastructure engineers by adding a response header, without any frontend code changes; fixing the violations and switching to enforcement does require the frontend team to route their HTML-producing code through a policy.

Content Security Policy allows enforcement of security policies in the browser itself

Because enforcing this safer approach in the browser for all websites would break backwards-compatibility, each website must opt in through Content Security Policy headers (the require-trusted-types-for 'script' directive, optionally combined with a trusted-types directive that lists the policy names the page is allowed to create).

Content Security Policy (CSP) is a mechanism that allows web pages to restrict what actions a browser should execute on their page, and a way for the site to receive reports if the policy is violated.

Figure 1: Content-Security-Policy browser communication

This is revolutionary, because it allows servers to receive feedback in real time on errors that may be appearing in the browser’s console.

Trusted Types can be rolled out incrementally, with continuous feedback

Web.dev’s article on Trusted Types explains how to safely roll out the feature using the features of CSP itself:

  • Deploy a CSP collector if you haven’t already
  • Switch on CSP reports without enforcement (via Content-Security-Policy-Report-Only headers)
  • Iteratively review and fix the violations
  • Switch to enforcing mode when the rate of reports is low enough
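The rollout above, together with the policy object described earlier, as an added example that is not code from the original post or from web.dev: a header builder for the report-only and enforcing phases, a policy that sanitizes before producing TrustedHTML (with an escape-only sanitizer standing in for DOMPurify), and a collector-side summary that groups violation reports by code location so that each bucket is one fix for a developer. The endpoint path, policy name, URLs and sample reports are assumptions made up for this example; the report field layout follows Chromium's csp-report format as documented on web.dev.

```javascript
// Added example, not code from the original post: the pieces of a Trusted Types
// rollout as the post describes it. The endpoint path, policy name, URLs and
// sample reports are assumptions made up for this example.
'use strict';

const REPORT_ENDPOINT = '/csp-reports'; // assumed collector path
const POLICY_NAME = 'sanitize-html';    // must match the trusted-types directive

// (1) Header value for either rollout phase. require-trusted-types-for 'script'
// makes the DOM sinks (innerHTML, document.write, eval, script src, ...) reject
// plain strings; trusted-types lists the only policy names that may be created.
function cspHeader({ enforce }) {
  return {
    name: enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only',
    value: `require-trusted-types-for 'script'; trusted-types ${POLICY_NAME}; report-uri ${REPORT_ENDPOINT}`,
  };
}

// (2) The policy. This sanitizer only escapes, so it renders text but never
// markup; real code would use DOMPurify.sanitize(input, { RETURN_TRUSTED_TYPE: true })
// as the post's footnote suggests. Where the browser has no Trusted Types the
// plain rules object is returned so call sites work unchanged (without enforcement).
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

function createSanitizePolicy(tt = globalThis.trustedTypes) {
  const rules = { createHTML: escapeHtml };
  // createPolicy throws if POLICY_NAME already exists, so call this once per page.
  return tt && typeof tt.createPolicy === 'function' ? tt.createPolicy(POLICY_NAME, rules) : rules;
}

// Safe form of the post's `para.innerHTML = location.href`: the sink receives a
// TrustedHTML value, which an enforcing browser accepts, instead of a string.
function setHtml(element, policy, untrusted) {
  element.innerHTML = policy.createHTML(untrusted);
}

// (3) Collector side: group violation reports by code location so each bucket
// is one fix for a developer. report-uri reports arrive wrapped in "csp-report";
// Trusted Types violations carry blocked-uri "trusted-types-sink" (a string hit
// a sink) or "trusted-types-policy" (an unlisted policy name was created).
function summarizeReports(reports) {
  const buckets = new Map();
  for (const wrapper of reports) {
    const r = wrapper['csp-report'];
    if (!r) continue;
    const kind = r['blocked-uri'];
    if (kind !== 'trusted-types-sink' && kind !== 'trusted-types-policy') continue; // other CSP violations
    const location = `${r['source-file'] || r['document-uri']}:${r['line-number'] ?? '?'}`;
    const sample = r['script-sample'] || '';
    // sink samples look like "Element innerHTML|<payload>"; policy samples are the policy name
    const sink = kind === 'trusted-types-policy' ? `policy ${sample}` : sample.split(/[ |]/, 2).join(' ');
    const b = buckets.get(location) || { location, count: 0, enforced: 0, sinks: new Set() };
    b.count += 1;
    if (r.disposition === 'enforce') b.enforced += 1;
    b.sinks.add(sink);
    buckets.set(location, b);
  }
  return [...buckets.values()]
    .sort((a, b) => b.count - a.count)
    .map((b) => ({ ...b, sinks: [...b.sinks].sort() }));
}

// Step 4 of the rollout: enforce only once the open violation count is low enough.
function chooseHeader(reports, maxOpenViolations) {
  const open = summarizeReports(reports).reduce((n, b) => n + b.count, 0);
  return cspHeader({ enforce: open <= maxOpenViolations });
}

// Constructed sample reports: field layout as Chromium posts it to report-uri,
// URLs and payloads made up. The first two would come from the post's innerHTML line.
function ttReport(file, line, blockedUri, sample) {
  const directive = blockedUri === 'trusted-types-policy' ? 'trusted-types' : 'require-trusted-types-for';
  return { 'csp-report': { 'document-uri': 'https://example.test/', 'violated-directive': directive,
    'blocked-uri': blockedUri, disposition: 'report', 'source-file': file, 'line-number': line, 'script-sample': sample } };
}

const SAMPLE_REPORTS = [
  ttReport('https://example.test/static/profile.js', 39, 'trusted-types-sink', 'Element innerHTML|https://example.test/profile?<img src=x onerror=alert(1)>'),
  ttReport('https://example.test/static/profile.js', 39, 'trusted-types-sink', 'Element innerHTML|https://example.test/profile?id=7'),
  ttReport('https://example.test/static/search.js', 12, 'trusted-types-sink', 'Document write|<div class="results">'),
  ttReport('https://example.test/static/vendor.js', 1, 'trusted-types-policy', 'legacy-policy'),
  // an unrelated CSP violation the collector must not count as a Trusted Types issue
  { 'csp-report': { 'document-uri': 'https://example.test/', 'violated-directive': 'img-src', 'blocked-uri': 'https://tracker.example/pixel.gif', disposition: 'report' } },
];
```

Running summarizeReports(SAMPLE_REPORTS) yields three buckets: profile.js line 39 (two innerHTML hits, one fix), search.js line 12 (document.write) and vendor.js line 1 (a policy name not in the allowlist), while the img-src report is ignored. chooseHeader(SAMPLE_REPORTS, 0) therefore still returns the Report-Only header; only once the open count drops under the threshold does it switch to Content-Security-Policy. The grouping by source file and line is the part that makes the feedback loop useful to developers, since a raw stream of reports mostly repeats the same few call sites.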

Static analysis in a continuous integration pipeline is also sensible — you want to prevent regressions shipping in new releases before they trigger a flood of CSP reports. This will also give you a chance of finding any low-traffic vulnerable pages.

Smart security teams will use techniques like Trusted Types to eliminate entire classes of bugs at a time

Rather than playing whack-a-mole with unreliable vulnerability scanning or bug bounties, techniques such as Trusted Types are truly in the spirit of ‘Secure by Design’ — build high quality in from the start of the engineering process, and do this in a way which closes the DevSecOps feedback loop between your Developer, Operations and Security teams.

  1. Sanitization libraries are especially needed when the examples become more complex, e.g. if the application must manipulate the input. DOMPurify version 1.0.9 also added Trusted Types support, so can still be used to help developers adopt this feature.

  2. Trusted Types has existed in Chrome and Edge since 2020, and should soon be coming to Firefox as well. However, it’s not necessary to wait for Firefox or Safari to add support, because the large market share of Chrome and Edge will let you identify and fix your site’s DOM-XSS issues, even if you do not set enforcing mode, and users of all browsers will benefit. Even so, it is great that Mozilla is now on board.
