
Ibuildings techPortal:
Create MVC Meet the ViewModel Pattern
November 02, 2010 @ 10:19:18

On the Ibuildings techPortal, there's a new tutorial posted from Barney Hanlon looking at a new method that developers can use in their applications to give MVC apps a better way to handle their presentation logic - ViewModel.

This provides MVC applications a natural location for presentation logic and lazy functionality while maintaining the segregation between the layers of responsibility within the code. It allows designers access to data and methods they need, while hiding aspects that aren't needed at view level. [...] Indeed, pretty much any modern Web framework has an understanding of the important segregation of duties inherent within MVC. It is precisely this segregation that leads to a certain greyness around the all-important View, particularly on sites where multiple content items are displayed in different ways.

The tutorial he includes shows how to set up a site with multiple articles per page that can be shown as either headlines or just title text. He talks about three ways to accomplish this: the usual injection of all data into the view and having the view handle it, injecting a model directly and extracting data from it, and the ViewModel approach (a combination of the Decorator and Adapter design patterns).




Gareth Heyes' Blog:
Exploiting PHP SELF
January 14, 2008 @ 07:54:00

Gareth Heyes has a new post today talking about one of the vulnerable values in the $_SERVER superglobal - PHP_SELF.

I thought it might be a good idea to gather a few test cases demonstrating the problem. Why PHP allows these URLs is beyond me and it wouldn't take much work to filter out these malicious URLs in the PHP code.

He provides four test cases to show how simple it is to abuse: one using an HTTP header, another pushing XSS through, the third mentions search pages and the fourth a direct code injection.

You can download the code here.





All content copyright, 2012 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework