In this article I will describe how to prevent Saxon from parsing external entities to avoid XXE attacks. Basically you should be very careful when parsing XML files from untrusted sources. Otherwise this can lead to serious security issues.

This post describes how to fix the PrimeFaces Expression Language Remote Code Execution bug (CVE-2017-1000486) when an update to the latest / fixed PrimeFaces version is not easily possible. This solution also needs no patching of the PrimeFaces library itself. The preferred / advised solution for fixing the issue is of course to do the update. The bug was already fixed over a year ago. However, only recently (beginning of 2018), more details and public exploits for this vulnerability have been published. See: https://www.primefaces.org/primefaces-el-injection-update/ In one of our projects we build a set of own components with custom design based on Primefaces.…

This article describes how a typical browser file download can be triggered using the Angular HttpClient. Typically you can simply introduce a link to the endpoint of the file download into the page and this will work just fine. However, if you use authentication via bearer token etc. and the download endpoint needs authentication, you probably want to use the HttpClient in order to make that download request.

In this article I will describe how to add a Http Authentication Bearer token to each request done from Angular via HttpClient by implementing a Angular 5 HttpInterceptor. This way the bearer token has not be added to each request separately while doing Ajax request e.g. to a REST api. This is for example useful, if you have some api that is protected by OAuth and you have to sent a JWT token in order to get access.

Form validation in Aurelia is actually pretty nice. You can configure the validation rules in a chainable api and add multiple rules to single fields. However there is a problem if you want to trigger the validation of an input when another input is filled. A good example are two inputs (a start value and an end value). Of course you want to validate that the start-value is less than the end-value. But if you add the rule to both fields only the edited field will show (and reset) the error message. Ok… This explaination might be a bit confusing… Let’s…

Since the release of the newest Debian version 9 (Codename “Stretch”) in June 2017, most system administrators using this distribution will upgrade their systems eventually. One of the changes in the new version that first caught my eye, is that you can’t configure the system’s time zone in the way that most Debian tutorials suggest. While you might consider this to be a minor issue, I believe that a wrongly configured time zone will lead to confusion in log files and web applications.