Just Journal Developer Blog

I just published an updated version of just journal. I've been working on it for awhile, but just got an opportunity to finish it.

Changes:

Half the code for tags is now implemented. You can see the tag place holders. I need to add the code to add tags when submitting a blog entry next.

Just Journal now supports RSD (Really Simple Discovery). This should allow some blogging clients to "find" the xml-rpc interfaces (like blogger api) on Just Journal.

The stats on the front page now using fixed floating point numbers so it should be much closer to adding up to 100% for public/private/friends entries. I made use of the String.format method in java.

There are some fixes for Dashboard users. Entries now assume you want comments, and emails on comments for entries.

Some error messages were fixed and I've added more logging on the comment feature to track down some bugs that seem to randomly manifest themselves.

I found a bug in the tags feature. It's listing tags multiple times on the left hand side. (oops) I corrected the SQL query and it will be updated when I role out the trackback software in the next few weeks. (probably much sooner)

 I added the new tags code tonight.  I'm still working on it, but it's significantly more useful.  There are still some performance and usability issues I want to work on.

 I was recently told that in some cases it's possible to hijack a session from any webapp, and that just journal had a problem with this.  I quickly went to work on this problem.  It has caused problems for big sites like MySpace and Facebook.  

What does session hijacking mean to me?

Session hijacking means stealing your login.  While you're logged into the account, someone could read your private blog entries and post entries to your account.  Anything you can do, they can do to.  They don't know your password, and can only do this while you're logged in.

What users can do to protect themselves:

1. Always use the secure login feature.  (SSL)  This will prevent the first type of attack on your account.  
2. Always log out of just journal when you're done.  Don't just leave the site.

Steps we're taking to minimize this attack

1. A review of just journal's code is pending.  
2. We're probably going to limit special characters allowed in titles of blog entries, journal titles, music, tags, etc further.  We may limit what can be pasted into blog entries as well.  The only other attack possible is stealing a session cookie which requires a cross site scripting (XSS) attack.  That means someone put javascript code on the site and used that to steal your session.

The new version of just journal is now live!  It contains some bug fixes, caching improvements (for the client), and users can now cancel their own accounts.

I finally started on version 2.0 of this website.  The new version is going to be a partial rewrite.  It will still be open source and in Java though. I'm working on it via a private git repository right now.  Until I get the structure just right, it's easier than CVS.  

I have several goals in mind:

1. Pictures will be stored on the file system, allowing them to be larger and post processed if needed. 

2. Video storage (although don't expect youtube quality because i just don't know how to do that)

3. Exports.. i've promised this for years, but I want to allow exporting via XML in addition to the RTF and PDF formats now. This also allows users to backup their own blogs.

4. Portability.  Just Journal effectively runs on Tomcat right now with a very specific configuration. I want to get it it usable on other domains, platforms, and maybe even databases.  I like MySQL, but it's future is uncertain with the Oracle acquisition.  

5. Ajax.  I may not go crazy with this, but I've had to learn a lot of AJAX with Dojo for work in the last year and I might as well experiment with it here. 

6. Improved mobile accessibility.