Monday, April 3, 2017

How Do You Keep Your JavaScript Dependencies Up-to-date?

This is the editorial from our latest JavaScript newsletter; you can subscribe here.


Recently, security researchers analyzed 133,000 websites for outdated JavaScript libraries. Their findings, presented in a whitepaper, Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web, do not make for happy reading. Of the websites analyzed, 37% loaded insecure JavaScript, either directly or via a third-party service, such as advertisers.

This made me sit up and take notice. The libraries these researchers were checking for were 72 of the most popular open-source projects out there — libraries like Angular and jQuery that we all use every day. I'd never really stopped to think whether an outdated version of jQuery could present a serious security threat. And I had (almost) certainly never gone back to update an old version of jQuery on a website I had made. Was this something I should have been doing?

My Career as a L33t H4x0r

So, now I was curious and decided to see if I could use an outdated version of jQuery to hack one of my own pages. I started off searching for "jQuery security vulnerabilities" and pretty soon stumbled across this issue on jQuery's GitHub repo. People were pointing to this as a potential cross-site scripting vulnerability which meant that an attacker could execute arbitrary code at the request's origin. That sounded promising ...

The issue was easy enough to reproduce — the problem was that jQuery was executing every text/javascript response it received when performing a $.get() request — but that was as far as my excitement went. As one of the jQuery maintainers pointed out in the thread, this "exploit" was similar to including third party code via <script> tags. This wasn't likely to bring my website to its knees and was hardly the stuff hacking movies are made of.

Take 2: A Bit of Session Hijacking

Not wanting to be deterred, I imagined what I would do if the exploit had worked and I could execute arbitrary code on a user's computer. One thing we are often warned against is session hijacking, where a malicious script steals or manipulates a user's cookies to gain unauthorized access to information or services they are logged into. I thought I'd try my hand at that.



by James Hibbard via SitePoint

Lemonly Annual Report 2016

Fun long-scrolling One Pager reporting on the awesome 2016 Lemonly had. Cheers for the build notes!

by Rob Hope via One Page Love

Uploading With Rails and Carrierwave

This is another article in the "Uploading with Rails" series. Today we are going to meet Carrierwave—one of the most popular file uploading solutions for Rails. I like Carrierwave because it is easy to get started, it has lots of features out of the box, and it provides dozens of "how to" articles written by the members of the community, so you won't get lost.

In this article, you will learn how to:

  • Integrate Carrierwave into your Rails app
  • Add validations
  • Persist files across requests
  • Remove files
  • Generate thumbnails
  • Upload files from remote locations
  • Introduce multiple file uploads
  • Add support for cloud storage

The source code for this article is available on GitHub. Enjoy reading!

Laying the Foundations

As always, start by creating a new Rails application:

For this demo I'll be using Rails 5.0.2. Please note that Carrierwave 1 supports only Rails 4+ and Ruby 2. If you are still riding on Rails 3, then hook up Carrierwave version 0.11.

To see Carrierwave in action, we are going to create a very simple blogging application with a sole Post model. It will have the following main attributes:

  • title (string)
  • body (text)
  • image (string)—this field is going to contain an image (a file's name, to be precise) attached to the post

Generate and apply a new migration:

Set up some routes:

config/routes.rb

Also, create a very basic controller:

posts_controller.rb

Now let's craft the index view:

views/posts/index.html.erb

And the corresponding partial:

views/posts/_post.html.erb

Here I am using the Rails truncate method to display only the first 150 characters of the post. Before we create the other views and a form partial, let's first integrate Carrierwave into the application.

Integrating Carrierwave

Drop in a new gem into the Gemfile:

Gemfile

Run:

Carrierwave stores its configuration inside uploaders that are included into your models. To generate an uploader, use the following command:

Now, inside app/uploaders, you will find a new file called image_uploader.rb. Note that it has some useful comments and examples, so you may use it to get started. In this demo we will use ActiveRecord, but Carrierwave also has support for Mongoid, Sequel, and DataMapper.

Next, we need to include or mount this uploader into the model:

models/post.rb

The uploader already has sane default settings, but at the very least we need to choose where the uploaded files will be stored. For now, let's employ file storage:

uploaders/image_uploader.rb

By default, files will be placed inside the public/uploads directory, so it is best to exclude it from the version control system:

.gitignore

You may also override the store_dir method inside your uploader to choose some other location. Bear in mind that anything under public/ is served as-is by the web server to anyone who knows (or guesses) the URL, and the default layout, uploads/post/image/<id>/<original filename>, is easy to enumerate because it embeds the sequential record id and the uploader's own filename.
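One way to tighten that default, as an added example that is not CarrierWave's own code: store files under a random per-record token and a random filename, keeping only an allowlisted extension from the original name. The upload_token column and the store_dir_for/stored_filename helpers are assumptions for the illustration; CarrierWave's mounted_as is real.

```ruby
# Added example, not CarrierWave's default behaviour: a naming policy for
# files that end up under public/. The stored filename is a random token plus
# an allowlisted extension, so neither the uploader's original filename nor
# the sequential record id appears in the URL. The per-record token is an
# assumption: you would persist it in a column (say, upload_token) and return
# store_dir_for(mounted_as, model.upload_token) from the uploader's store_dir.
require "securerandom"

SAFE_EXTENSIONS = %w[png jpg jpeg gif].freeze

# Extension to keep, or nil when it is not allowlisted. Only the last
# extension counts, so "shell.php.png" yields "png" and "shell.png.php" nil.
def safe_extension(original_filename)
  ext = File.extname(original_filename.to_s).delete_prefix(".").downcase
  SAFE_EXTENSIONS.include?(ext) ? ext : nil
end

# Unguessable stored name. Raises rather than returning nil so a caller cannot
# silently store a file whose extension failed the check.
def stored_filename(original_filename)
  ext = safe_extension(original_filename)
  raise ArgumentError, "extension not allowed: #{original_filename.inspect}" unless ext
  "#{SecureRandom.hex(16)}.#{ext}"
end

# Directory keyed by the record's random token instead of its id. The token
# is validated so a bad value can never become a path component.
def store_dir_for(mounted_as, upload_token)
  unless upload_token.to_s.match?(/\A\h{32}\z/)
    raise ArgumentError, "upload_token must be 32 hex characters"
  end
  File.join("uploads", mounted_as.to_s, upload_token.to_s)
end

# Token to generate when a record is created.
def new_upload_token
  SecureRandom.hex(16)
end

if $PROGRAM_NAME == __FILE__
  token = new_upload_token
  # Traversal in the original name is irrelevant: only the extension survives.
  puts File.join(store_dir_for(:image, token), stored_filename("../../etc/passwd.png"))
end
```

If you wire this into an uploader, return the random name from its filename method and memoize it in an instance variable, because CarrierWave calls filename more than once during a single upload and a fresh random value on each call would leave the stored file and the recorded name out of sync.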

At this point, we can create a new view and a form partial to start uploading files:

views/posts/new.html.erb

views/posts/_form.html.erb

Note that the PostsController does not need to be modified as we already permitted the image attribute.

Lastly, create the edit view:

views/posts/edit.html.erb

That's it! You may boot the server and try to create a post with an image. The problem is that this image is not visible anywhere, so let's proceed to the next section and add a show page!

Displaying Images

So, the only view we have not created yet is show. Add it now:

views/posts/show.html.erb

As you can see, displaying an attachment is really easy: all you need to do is say @post.image.url to grab an image's URL. To get a path to the file, use the current_path method. Note that Carrierwave also provides an image? method for us to check whether an attachment is present at all (the image method itself will never return nil, even if the file is not present).

Now, after navigating to a post, you should see an image, but it might appear too big: after all, we are not restricting dimensions anywhere. Of course, we could have scaled the image down with some CSS rules, but it is much better to generate a thumbnail after the file has been uploaded. This, however, requires some additional steps.

Generating Thumbnails

In order to crop and scale images, we need a separate tool. Out of the box Carrierwave has support for the RMagick and MiniMagick gems which, in turn, manipulate images with the help of ImageMagick. ImageMagick is an open-source solution that lets you edit existing images and generate new ones, so before proceeding you need to download and install it. Since it will be parsing files sent by anonymous users, keep it up to date and consider a restrictive policy.xml that disables the coders you don't need. Next, you are free to pick either of the two gems. I'll stick with MiniMagick, because it is much easier to install and better supported:

Gemfile

Run:

Then include MiniMagick into your uploader:

uploaders/image_uploader.rb

Now we simply need to introduce a new version to our uploader. The concept of versions (or styles) is used in many file uploading libraries; it simply means that additional files based on the original attachment will be created with, for example, different dimensions or formats. Introduce a new version called thumb:

uploaders/image_uploader.rb

You may have as many versions as you like and, what's more, versions can even be built on top of other ones:

uploaders/image_uploader.rb

If you have already uploaded some images, they won't have thumbnails available. This is not a problem, though, as you can re-create them from the Rails console:

Lastly, display your thumbnail with a link to the original image:

views/posts/show.html.erb

Boot the server and observe the result!

Adding Validations

Currently our uploading works, but we're not validating user input at all, which is, of course, bad. Since we only want to work with images, let's whitelist the .png, .jpg and .gif extensions:

uploaders/image_uploader.rb

You may also add content type checks by defining a content_type_whitelist method. Keep in mind that the filename and the declared content type both come from the client's multipart request, so these two checks catch mistakes rather than a determined attacker; treat them as a first line of defence, not the last:

uploaders/image_uploader.rb

Alternatively, it is possible to blacklist some file types, for example executables, by defining the content_type_blacklist method. A whitelist is the safer choice, though: a blacklist only stops the types you thought of.

Apart from checking a file's type and extension, let's also require it to be smaller than 1 megabyte. For that we'll need an additional gem that adds file validations to ActiveModel:

Gemfile

Install it:

Now introduce the desired validations (note that I am also adding checks for the title and body attributes):

models/post.rb

The next thing to do is to add I18n translations for Carrierwave's error messages:

config/locales/en.yml

Currently, we do not display validation errors anywhere, so let's create a shared partial:

views/shared/_errors.html.erb

Employ this partial inside the form:

views/posts/_form.html.erb

Now try to upload some invalid files and observe the result. It should work, but if you choose a valid file and leave the title or body empty, the checks will still fail and an error will be displayed. The file field, however, will be cleared out and the user will need to choose the image again, which is not very convenient. To fix this, we need to add another field to the form.
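The three checks this section adds (extension whitelist, content type whitelist, size limit), written out as plain Ruby so they can be run without Rails or CarrierWave. This is an added example, not the tutorial's or CarrierWave's code; validate_upload, sniffed_content_type and the sample uploads are assumptions for the illustration. It goes one step beyond the article's checks by sniffing the real type from the file's leading bytes and cross-checking it against both the extension and the declared Content-Type, since those two are chosen by the client.

```ruby
# Added example, not the tutorial's code: the three checks this section adds
# via CarrierWave and the validation gem, written as plain Ruby so they run
# without Rails. The difference from a bare content_type_whitelist is that the
# real type is sniffed from the file's leading bytes (magic numbers) and then
# cross-checked against the extension and the declared Content-Type, because
# the filename and declared type in a multipart upload are both chosen by the
# client.

ALLOWED_EXTENSIONS = { "png" => "image/png", "jpg" => "image/jpeg",
                       "jpeg" => "image/jpeg", "gif" => "image/gif" }.freeze
MAX_SIZE = 1 * 1024 * 1024 # 1 MB, as in the article

# Leading bytes of the three allowed formats (GIF87a and GIF89a share "GIF8").
MAGIC = {
  "image/png"  => "\x89PNG\r\n\x1a\n".b,
  "image/jpeg" => "\xFF\xD8\xFF".b,
  "image/gif"  => "GIF8".b,
}.freeze

# Content type implied by the file's first bytes, or nil when unrecognised.
def sniffed_content_type(bytes)
  head = bytes.to_s.byteslice(0, 8).b
  MAGIC.each { |type, sig| return type if head.start_with?(sig) }
  nil
end

# Returns an array of error strings; empty means the upload is acceptable.
def validate_upload(filename:, declared_type:, bytes:)
  errors = []
  ext = File.extname(filename.to_s).delete_prefix(".").downcase
  expected = ALLOWED_EXTENSIONS[ext]
  errors << "extension #{ext.inspect} is not allowed" unless expected

  actual = sniffed_content_type(bytes)
  if actual.nil?
    errors << "file content is not a PNG, JPEG or GIF"
  else
    errors << "content (#{actual}) does not match extension .#{ext}" if expected && expected != actual
    errors << "declared Content-Type #{declared_type.inspect} does not match content (#{actual})" if declared_type != actual
  end

  errors << "file is #{bytes.bytesize} bytes, limit is #{MAX_SIZE}" if bytes.bytesize > MAX_SIZE
  errors
end

# Constructed sample inputs (not real uploads): a tiny PNG header, a script
# disguised with an image extension, a PNG with a forbidden extension, and an
# oversized GIF.
SAMPLES = {
  good:      { filename: "cat.png", declared_type: "image/png", bytes: "\x89PNG\r\n\x1a\n".b + ("\0" * 32).b },
  disguised: { filename: "cat.png", declared_type: "image/png", bytes: "<html><script>alert(1)</script>".b },
  wrong_ext: { filename: "cat.exe", declared_type: "image/png", bytes: "\x89PNG\r\n\x1a\n".b },
  too_big:   { filename: "big.gif", declared_type: "image/gif", bytes: "GIF89a".b + ("\0" * MAX_SIZE).b },
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each { |name, upload| puts "#{name}: #{validate_upload(**upload).inspect}" }
end
```

Magic-number sniffing is cheap and catches the common trick of renaming a script to .png, but it is still not proof that the file is a well-formed image; that is the job of whatever decodes it next, which is another reason to keep ImageMagick patched.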

Persisting Files Across Requests

Persisting files across form redisplays is actually quite easy. All you need to do is add a new hidden field and permit it inside the controller:

views/posts/_form.html.erb

posts_controller.rb

Now image_cache will be populated automatically and the image won't be lost. It may be helpful to display a thumbnail as well, so that the user understands the image was processed successfully:

views/posts/_form.html.erb

Removing Images

Another very common feature is the ability to remove attached files when editing a record. With Carrierwave, implementing this feature is not a problem. Add a new checkbox to the form:

views/posts/_form.html.erb

And permit the remove_image attribute:

posts_controller.rb

That's it! To remove an image manually, use the remove_image! method:

Uploading From a Remote Location

Carrierwave also provides a very cool feature out of the box: the ability to upload files from remote locations by their URL. Let's introduce this ability now by adding a new field and permitting the corresponding attribute: 

views/posts/_form.html.erb

posts_controller.rb

How cool is that? You don't need to make any other changes, and you can test this feature right away! Do keep in mind, though, that this field makes your server fetch whatever URL a user types in, including addresses on your internal network or your cloud provider's metadata endpoint, so restrict the schemes and destinations you are willing to download from before exposing it.
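A guard you can run on the submitted URL before handing it to Carrierwave, as an added example that is not part of the gem or of the article: it accepts only http and https, resolves the host, and rejects any address that is loopback, private, link-local or otherwise non-public. The remote_url_allowed? and public_address? helpers are assumptions for the illustration; the resolver is injected so the check runs offline, and the default uses Ruby's Resolv.

```ruby
# Added example, not CarrierWave's code: a guard to run on remote_image_url
# before letting CarrierWave fetch it. The scheme must be http(s), the host
# must resolve, and every resolved address must be public, so the server
# cannot be pointed at loopback, private subnets or link-local addresses such
# as cloud metadata services. The resolver is injected so the check can run
# offline; in the app, keep the default, which uses Resolv.
require "uri"
require "ipaddr"
require "resolv"

# Address ranges that are never a legitimate download source for user content.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
  ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

def ip_literal?(host)
  IPAddr.new(host.to_s)
  true
rescue IPAddr::InvalidAddressError
  false
end

# IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) are unwrapped with #native so
# the IPv4 ranges above cover that bypass as well.
def public_address?(ip)
  addr = IPAddr.new(ip.to_s).native
  BLOCKED_RANGES.none? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Returns [true, nil] when the URL may be fetched, else [false, reason].
def remote_url_allowed?(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url.to_s)
  return [false, "scheme must be http or https"] unless %w[http https].include?(uri.scheme)
  host = uri.hostname.to_s
  return [false, "missing host"] if host.empty?
  return [false, "credentials in URL are not allowed"] if uri.userinfo

  # Numeric hosts are checked directly; names go through the resolver, and a
  # name that does not resolve is refused rather than passed on to the fetch.
  addresses = ip_literal?(host) ? [host] : resolver.call(host)
  return [false, "host does not resolve"] if addresses.empty?

  blocked = addresses.reject { |ip| public_address?(ip) }
  return [false, "#{host} resolves to non-public address #{blocked.first}"] unless blocked.empty?
  [true, nil]
rescue URI::InvalidURIError
  [false, "malformed URL"]
end

if $PROGRAM_NAME == __FILE__
  ok, reason = remote_url_allowed?("http://[::1]/image.png")
  puts ok ? "allowed" : "refused: #{reason}"
end
```

Two caveats remain even with this guard in place. The check resolves the name once and the downloader resolves it again, so a DNS answer that changes between the two (rebinding) can slip through; if that matters to you, pin the address you validated or route downloads through an egress proxy that applies the same policy. And a public host can answer with a redirect to an internal one, so either disable redirect following in the downloader or apply the same check to every hop.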

Working With Multiple Uploads

Suppose we want our post to have multiple attachments available. With the current setup it is not possible, but luckily, Carrierwave supports such a scenario as well. To implement this feature, you need to add either a serialized field (for SQLite) or a JSON field (for Postgres or MySQL). I prefer the latter option, so let's switch to a new database adapter now. Remove the sqlite3 gem from the Gemfile and add pg instead:

Gemfile

Install it:

Modify the database configuration like this:

config/database.yml

Create the corresponding Postgres database, and then generate and apply the migration:

If you prefer to stick with SQLite, follow the instructions listed in Carrierwave's documentation.

Now mount the uploaders (note the plural form!):

models/post.rb

I am using the same uploader for attachments, but of course you can generate a new one with a different configuration.

Add the multiple file field to your form:

views/posts/_form.html.erb

Since the attachments field is going to contain an array, it should be permitted in the following way:

posts_controller.rb

Lastly, you may iterate over the post's attachments and display them as usual:

views/posts/show.html.erb

Note that each attachment is going to have a thumbnail as configured in our ImageUploader. Nice!

Using Cloud Storage

Sticking with file storage is not always convenient or even possible: on Heroku, for example, the filesystem is ephemeral, so uploaded files disappear on the next deploy or dyno restart. So how do you marry Carrierwave with Amazon S3 cloud storage? That's a pretty easy task as well. Carrierwave relies on the fog-aws gem for this feature:

Gemfile

Install it:

Let's create an initializer for Carrierwave and configure the cloud storage globally:

config/initializers/carrierwave.rb

There are some other options available, which can be found in the documentation.

I am using the dotenv-rails gem to set the environment variables in a secure way, but you may choose any other option. Whatever you pick, make sure the S3 key pair is never committed or otherwise exposed, and give it only the permissions it needs (an IAM user or role restricted to this one bucket), because anyone who obtains it can upload anything to your bucket, and read or delete whatever is already there.

Next, replace the storage :file line with:

uploaders/image_uploader.rb

Apart from S3, Carrierwave supports uploads to Google Cloud Storage and Rackspace. These services are easy to set up as well.

Conclusion

This is it for today! We have covered all the major features of Carrierwave, and now you can start using it in your projects. It has some additional options available, so do browse the documentation.

If you are stuck, don't hesitate to post your questions. Also, it might be useful to take a peek into Carrierwave's wiki, which hosts useful "how to" articles answering many common questions.

So I thank you for staying with me, and happy coding!


by Ilya Bodrov via Envato Tuts+ Code

Reykjavik Fashion Festival

Fashion Festival taking place in Reykjavik highlighting the conscious and sustainable future of the fashion industry
via Awwwards - Sites of the day

How to Use Facebook Stories for Marketing

Is video part of your marketing strategy? Are you wondering how Facebook’s short-form video format could help your business? Facebook Stories brings a new video format to Facebook that closely resembles Instagram Stories. In this article, you’ll discover what you need to know to succeed with Facebook Stories. About Facebook Stories If you’ve not used [...]

This post How to Use Facebook Stories for Marketing first appeared on .
- Your Guide to the Social Media Jungle


by Julia Bramble via

Sunday, April 2, 2017

Two Powerful Techniques To Improve Your Website Conversion

Are you facing low conversion from your website despite investing a lot of resources into building it and into digital marketing? This article will help you improve your website conversion. There is no single conversion improvement technique that suits all websites. A technique may vary based...


by Guest Author via Digital Information World

Highlights From our UXperts on Managing Stakeholders

During March, we were lucky to host Susan Weinschenk and Andy Vitale in our Ask the UXperts Slack channel.

In keeping with the theme of stakeholder management, each offered their views on how UXers can navigate the challenges of working with different parts of organisations. While we always publish full transcripts of these sessions, in this post we’ve pulled out a few key insights from each chat. 

Andy Vitale: Designing a Culture of Experience

Andy kicked off the month talking about Designing a Culture of Experience. He won the hearts of the entire room when he put this question to us: Does it seem like the UX team is the only advocate for the user, and the business thinks that they can still just put out a product and people will just use/buy it?

Here are a couple of our highlights from Andy’s chat.

On where UX fits within an organisation

Empathise with others who work with design. Although the business may not understand design decisions, designers don’t always take the time to understand the business constraints and strategies before starting to problem solve. Try to understand how design goals can better integrate with marketing, technical, lab, business goals.

Although UX design is key to both strategy and success, we have to realise that we are not the sole provider of either of those.

Here’s something to really understand. UX is not the centre of the corporate universe.

As we start to define our ideal state, share your strategies with other members of your organisation to gain diverse perspectives from cross-functional colleagues. Embracing transparency and inclusion will strengthen your strategy and help deliver a stronger, more aligned vision.

Create a need that focuses more on solving user problems and improving outcomes rather than providing features.

UX isn’t done in a vacuum. You have to have access to people of all skill sets (developers, SME’s, marketers, scientists, etc.). You will be spending a lot of time together solving problems and sharing insights. Build trust with your colleagues and inspire them to focus on providing the optimal experience for your users.

But at some point, people get tired of hearing designers talk about design.

Leave the UX/design lingo behind – clearly communicate solutions to the rest of the team in words they understand. The business mgr is worried about profits, the marketing mgr about brand and experience – we can’t confuse them with design speak.

There is a trick to influencing those around you to think like you do.

It’s called DOING THE WORK.

You have to do the work. Getting a jump start on the work and showing progress can influence so many conversations as well as clearly communicate what is still unknown. By driving with design you are demonstrating accountability and this is a great example to set when trying to influence culture.

Things like improving ease of use and reducing errors should be a given. That’s what they hired us to do. When we do that, it’s nothing they didn’t expect.

So here’s where we start to move the needle

In the beginning, you have to work on projects where you bring the most value. You can’t work on every project or create solutions that are everything to everyone. Understand where you can make an impact and start there.

On building your UX team’s profile 

Designers are natural storytellers, whether with words or designs. Offer to help stakeholders visualise some of their objectives – this is a great way to gain their trust and build a relationship with them. Before you know it they will be sharing your story, which you influenced, at all of their meetings. Word of mouth is a powerful thing.

You put in a lot of effort and the project was successful. Invite others to celebrate with you – everybody loves a winner. Share your case study with as many people as possible – your wins will work their way up the ladder. Let executives communicate your wins, people will line up to work with you.

Read the full transcript

Susan Weinschenk: What Stakeholders Need to Know About Psychology

In an informative session, Susan talked all things stakeholders and psychology, covering everything from project ownership to handling gender bias, and some great resources were shared.

We’ve pulled out a few of the most insightful questions and answers from Susan’s chat.

Question: How do you best manage stakeholders so that they don’t ‘lord over’ new features?

Susan: “Lord over” meaning instead of relying on research, a stakeholder tells the product team what to build and when. Yes, that happens a lot – that a stakeholder wants to do things a certain way.

But we have to understand that only a fraction of what we suggest is implemented. It can be frustrating, but I think we need to change our definition of what “successful” means.

Ask yourself, “is anything about this product better for my having been involved?” and if the answer is yes, then you’ve been successful.

Having said that, the other tack is that data always helps. You have to take it out of me vs. you and put it on to “the data from our users shows that…”

Question: Assuming they [the stakeholder] make a bad call and the users respond with attrition, how would you approach the stakeholder to rectify the situation?

Susan: I think sometimes UX people feel guilty when things don’t go well. That’s why it’s important to be very clear from the start that the buck stops with the stakeholder: they are accountable. You are working together with them. You are an advisor. If things don’t go well, you are right there willing to help, but it’s not all your fault. They make decisions too.

While it’s easy to become the scapegoat. if you are clear from the beginning on what your role is, then you can remind them of that later too.

Question: So what is the most important thing stakeholders need to know about psychology?

Susan: I think they need to know that users are focused on their tasks, may not like change, can’t see the colour blue as well as others, and may have very specific needs. Some examples are:

The difference between performance and preference. Users typically say they want to see all their choices at once, but research shows if you show too many choices then people don’t choose at all.

Or research shows that people read faster with a longer line length, but they prefer a shorter line length. So what’s more important: that they read faster or that they read at all?

That if people are stressed they may not notice things on a screen that are perfectly noticeable to the rest of us because when we are designing it we aren’t under the same type of stress.

That 10% of men are colorblind and can’t distinguish between some colours.

Things that make a design difficult for people with impairments such as vision or hearing.

Fewer words is always better! And clearly understood words!

Read the full transcript

Didn’t make it to any of our March Ask the UXperts sessions? Make sure you join our community to get updates on upcoming sessions.

See what else we talked about in March – catch up on all our stakeholder management posts:

The post Highlights From our UXperts on Managing Stakeholders appeared first on UX Mastery.


by UX Mastery Team via UX Mastery