Salvatore Gionfriddo

the maddening

I awoke to a faint buzz. The toaster oven was acting up again. The light vibration of the refrigerator's freon coils worked their way through the counter over to the toaster oven and its tray shook lightly. I gagged as I took in that first wakeful breath. The half-eaten can of sardines sitting on the bottom of the trash can was growing ripe. I wondered why my mind hadn't blocked out the smell by now. I wished I would suffer sudden onset anosmia.

penumbear release

After seven months of work Penumbear was finally revealed to the world. I am pleased with the reception it has received in the gaming press. Penumbear currently has a Metacritic score of 85, which puts it in the "Generally Favorable Reviews" category but short of "Universal Acclaim". I guess it's time to make another game.

chapter n

It has been official for a while. Late in 2011 I decided to leave my position at Raditaz and start working on something I can call my very own. It was a tough decision to move on from a product that I envisioned, planned, and worked on for so long, but ultimately I need to make an attempt at building something that I have ownership of.


I will post updates here as I start to publish some of the projects I have been working on.

samy ii averted

In early September I was working on a Bebo application for a client. A team member came over to my desk for some help on a small problem he was having. He was in charge of completing the messaging and notification features on the site. Specifically, he was working on getting the 'Ch-ch-changes' API calls to work. This is a section of the site that any of your friends can view. Any messages posted to your 'Ch-ch-changes' may also appear on your friends' area of the same name.


He had run into a problem posting the exact text the specification called for. He needed different parts of the message to be on different lines. He tried feeding in <br /> tags, but they were stripped out automatically.


We sat down at the test console and started trying to get around the issue. The result can be seen below...


https://gist.github.com/14794


The danger here is that arbitrary JavaScript could be executed on a user's profile. Because the feed is shown to every friend of the poster, an exploit like this could spread a payload at an exponential rate.


After some deliberation I decided to report the issue directly to Bebo's development team. A day later I received a response from Steve Cohen the Head of Platform at Bebo:


We've received your notice, have duplicated the issue and are investigating the cause. Thank you so much for bringing this to our attention.


A follow up arrived the day after:


Interesting problem. The changes feed doesn't allow the <b> tag (and several others), and because of this, it effectively disappeared leaving you with fully functional script tags.


I put a fix in tonight, and it will be released tomorrow -- instead of just omitting the tags, I open and then immediately close a b tag. So, the transformed tags look like this:


<b></b>script>alert('this site is broken');<<b></b>/script>


Again, thank you for bringing this to our attention -- it was an extremely subtle bug. Thankfully, it wasn't in the parse stage.


The feature was offline for about a day and then a fix was put in. The final resolution was slightly different from what Steve suggested. They still strip the tags, but now they also escape the > and < that remain, so whatever is left over after stripping can no longer be parsed as markup.
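As an added illustration (my own code, written for this post; it is not Bebo's filter and not the code in the gist above), the following Python reproduces the two behaviours described here: a single-pass "delete the blocked tag" filter, which lets the characters on either side of the deleted tag join into a new tag, and the strip-then-escape approach of the final fix. The blocklist and the sample input are constructed assumptions, not Bebo's real tag list or the exact text posted to the test console.

```python
import html
import re

# Constructed sample input: the payload shape described above, where a
# blocked <b> tag is planted inside "<script>" so that a single strip pass
# reassembles a working script element.
SAMPLE_INPUT = "<<b>script>alert('this site is broken');<<b>/script>"

# Hypothetical blocklist standing in for "the <b> tag (and several others)".
BLOCKED_TAGS = ("b", "i", "u", "script")
_TAG_RE = re.compile(
    r"</?(?:%s)\b[^<>]*>" % "|".join(BLOCKED_TAGS), re.IGNORECASE
)


def strip_tags_naive(text: str) -> str:
    """Vulnerable filter: delete each blocked tag in one left-to-right pass.

    re.sub never re-scans the text it has already emitted, so the "<" before
    a removed tag and the "script>" after it are joined into "<script>" that
    the filter has already walked past.
    """
    return _TAG_RE.sub("", text)


def sanitize_strip_then_escape(text: str) -> str:
    """Hardened filter, following the shape of the final fix: strip the
    blocked tags, then HTML-escape every "<", ">", "&" and quote that
    survives, so nothing left over can be parsed as markup."""
    return html.escape(_TAG_RE.sub("", text), quote=True)


def contains_script_tag(rendered: str) -> bool:
    """Detection helper: would a browser see an executable <script> element
    in this string? Useful as a regression check for any feed sanitizer."""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    naive = strip_tags_naive(SAMPLE_INPUT)
    fixed = sanitize_strip_then_escape(SAMPLE_INPUT)
    print("naive strip :", naive, "| script tag present:", contains_script_tag(naive))
    print("strip+escape:", fixed, "| script tag present:", contains_script_tag(fixed))
```

The lesson the detection helper encodes is that the correctness of a blocklist filter has to be judged on its output, not on whether each individual input token looked harmless; a sanitizer whose output can still contain a `<script` sequence has not sanitized anything.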

not quite irony

After slamming social networking sites I landed a consulting gig where I ended up working on apps for Facebook, Myspace, Bebo, & Hi5. I now know more about developing for multiple social networking sites than I ever wanted to. It was a good learning experience as I worked on apps with over a million users. Scaling is one of those things that you can read about for ages, but not truly appreciate until it hits you over the head.

sky diving

Saturday I jumped out of a perfectly good airplane at Ellington Airport. It was a great experience and I would definitely consider doing it again, maybe solo next time.