Comment On Stupid Coding Tricks: XSLT Mandelbrot

OK, I used to despise XSLT. Now I only hate it. That's some pretty neat stuff. Oh, and somebody has slightly too much time to figure this out :-D

Nice. Reminds me of the days we let our 286 PC run all night just to zoom in on some Mandelbrot detail. :)

"Even if it's variables are write-once and cannot vary."

It's pretty much a norm for a purely-functional language, which XSLT is.

Article authors' misunderstanding of this puts not XSLT into shame, but himself

Stupidly Awesome !

The irony here is that the source XML file contains the colour information.

Or, if you are not in the habit of letting total strangers take full control of your browser, it looks like this:

100 -120 120 3.9 -203 100 1.4 28 #500 ░#115 ░#228 ░#22B ░#33D ░#44F ▒#55C ▒#55D ▒#55E ▓#55F ▓#66F ▓#77F ▓#88F █#88F ▓#99F █#99F ▓#AAF █#AAF ▓#BBF █#BBF ▓#CCF █#CCF ▓#DDF █#DDF ▓#EEF █#EEF ▓#FFF █#FFF ░#000

Charming, either way, I'm sure.

But regardless of your opinions on XSLT, I'm certain you'll have a new appreciation after seeing what magic it can work on a boring old piece of XML. Even if it's variables are write-once and cannot vary.

For what its worth, there are lots of functional programming languages which have immutable "variables" (although functional languages use the term "value" instead). Programming without mutable state hardly sounds like programming at all, but once you get the hang of it, you can write terse, mathematically beautiful programs. Every programmer should learn at least one functional programming language, such as Haskell, Lisp, OCaml, F#, or Erlang.

Thats the most retarded looking fish I've ever seen.

Ilyak:

"Even if it's variables are write-once and cannot vary."

It's pretty much a norm for a purely-functional language, which XSLT is.

Article authors' misunderstanding of this puts not XSLT into shame, but himself

Dear lord! Someone else who understands what XSL is!

The number of times that I've tried to explain this to someone, only to be met by a blank stare and a questioning "fun-shu-null . . . ?"

Yeah, XML tales "full control" of your browser. How's that foil hat doing, protecting your brainwaves from *them*, I hope.

It gives different colors in Firefox than in IE8. But it certainly is a stupid tric.

I'll let other work out the issues of purely functional languages. But as for the English language...

wrong: "Even if it is variables are write-once and cannot vary."

right: "Even if its variables are write-once and cannot vary."

Welbog:

The irony here is that the source XML file contains the colour information.

Yep, just what I was thinking. Presentation info should go in the stylesheet.

XSLT is a functional (monadic, I'd say) programming language that takes a XML of some structure and produces another XML.

XSLT functions are called 'templates', and they are either called directly by name, or indirectly by using pattern-matching (feature available in a lot of more high-end functional languages).

XSLT uses award-winning XPath as its expression language, which permits math, string operations (rudimendary, I have to admit) and DOM querying in a very easy and powerful way.

Thus each template operates on one element of input XML, directly, and all of the input DOM tree, via XPath queries.

Each template can output any number of XML subtrees and also call other templates, making the language turing compatible.
There are variables, for-loops, condition statements.
Any questions?

Voodoo Coder:

Thats the most retarded looking fish I've ever seen.

Now have a look at this one:

http://img66.imageshack.us/img66/2443/psychrolutesmicroporoszt2.jpg
http://img473.imageshack.us/img473/307/psychrolutes1tz6rs9.jpg

Andy Gottit:

Or, if you are not in the habit of letting total strangers take full control of your browser, it looks like this:

100 -120 120 3.9 -203 100 1.4 28 #500 ░#115 ░#228 ░#22B ░#33D ░#44F ▒#55C ▒#55D ▒#55E ▓#55F ▓#66F ▓#77F ▓#88F █#88F ▓#99F █#99F ▓#AAF █#AAF ▓#BBF █#BBF ▓#CCF █#CCF ▓#DDF █#DDF ▓#EEF █#EEF ▓#FFF █#FFF ░#000

Charming, either way, I'm sure.

Indeed, I did notice that NoScript lessens its aesthetic appeal...

Funny how, of all the stupid things people could draw with functional programming languages, they all end up drawing the Mandelbrot set. Am I the only one who long ago stopped being impressed by a computer's ability to plot f(z)-->z^2+c?

Croc Dundee:

Yeah, XML tales "full control" of your browser. How's that foil hat doing, protecting your brainwaves from *them*, I hope.

Back in 1998 or 1999, I don't remember which, I demonstrated how to steal real money from folks who would view my web page with scripting enabled. At the time, at least 95% of web sites were vulnerable. It was considered "too hard to fix" and as of today, about 60% of web sites are still unfixed (with ignorant luzers producing more every day). So, of course, I surf with scripting turned off, as I would expect anyone else who knows what's going on would do.

XML or not, with scripting turned off, that's how it looks. What, you think I made that up?

I'm using XSLT right now to translate a source document into... <sigh>... fucking WordML. Kill me now.

Andy Gottit:

Back in 1998 or 1999, I don't remember which, I demonstrated how to steal real money from folks who would view my web page

Sorry my friend but if you don't have a proof of concept you're just talking shit.

Ilyak:

XSLT functions are called 'templates', and they are either called directly by name, or indirectly by using pattern-matching (feature available in a lot of more high-end functional languages).

Any questions?

Yes, two:

1. Why are the default rules contradictory? I.e. why doesn't an empty XSLT program either copy the entire source or throw it all out, rather than copying elements and throwing out attributes?

2. Would it have been possible to come up with a more painful syntax than this, or is this in fact the worst imaginable?

Anonymous:

Andy Gottit:

Back in 1998 or 1999, I don't remember which, I demonstrated how to steal real money from folks who would view my web page

Sorry my friend but if you don't have a proof of concept you're just talking shit.

So what's your theory? Someone went to all the work of making the NoScript browser plugin, which is downloaded by over 600,000 people per week, just so we could all talk shit?

On the first question, duh, don't use an empty stylesheet, there's no much reason for it anyway.

On the second question, what part of XSLT's syntax you dislike? xsl:value-of is too verbose, I have to admit (and I think they're treating it in XSLT2); other than that, any other real problems?
Do you prefer languages that look like XML, but actually aren't, thus getting all cons with no pros, btw?

P.S. Well, I don't understand how people who dislike XSLT for its 'ugliness' can ever touch something so ugly as PHP or C++.

Anonymous:

Andy Gottit:

Back in 1998 or 1999, I don't remember which, I demonstrated how to steal real money from folks who would view my web page

Sorry my friend but if you don't have a proof of concept you're just talking shit.

How about:

<html>
<body>
<script>
document.write("send me some money")
</script>
</body>
<html>

Andy Gottit:

So what's your theory? Someone went to all the work of making the NoScript browser plugin, which is downloaded by over 600,000 people per week, just so we could all talk shit?

You clearly didn't read my original post. I said proof of concept or you're just talking shit. The existence of NoScript is hardly a proof of concept for your 133t hax0ring skillz, is it? So, are you going to put your money where your mouth is? Just a proof of concept, it's hardly difficult assuming you've done what you say you have.

Anonymous:

Andy Gottit:

So what's your theory? Someone went to all the work of making the NoScript browser plugin, which is downloaded by over 600,000 people per week, just so we could all talk shit?

You clearly didn't read my original post. I said proof of concept or you're just talking shit. The existence of NoScript is hardly a proof of concept for your 133t hax0ring skillz, is it? So, are you going to put your money where your mouth is? Just a proof of concept, it's hardly difficult assuming you've done what you say you have.

No, it isn't difficult at all. However, there exist people in law enforcement, judges, and juries who are not shall we say net savvy. Some of them have in the past expressed their opinion that it is a crime for me to teach you how to commit a crime.

If you want to hire me to penetration test your web site, we can talk. Of course you'll have to prove it is really your site. And, you probably can't afford me.

Andy Gottit:

Croc Dundee:

Yeah, XML tales "full control" of your browser. How's that foil hat doing, protecting your brainwaves from *them*, I hope.

Back in 1998 or 1999, I don't remember which, I demonstrated how to steal real money from folks who would view my web page with scripting enabled. At the time, at least 95% of web sites were vulnerable. It was considered "too hard to fix" and as of today, about 60% of web sites are still unfixed (with ignorant luzers producing more every day). So, of course, I surf with scripting turned off, as I would expect anyone else who knows what's going on would do.

XML or not, with scripting turned off, that's how it looks. What, you think I made that up?

since you're such a security genius who found a vulnerability that nobody else on the planet has ever found or written about how about to do the responsible thing and tell us what it is.

Whoevar:

Voodoo Coder:

Thats the most retarded looking fish I've ever seen.

Now have a look at this one:

http://img66.imageshack.us/img66/2443/psychrolutesmicroporoszt2.jpg
http://img473.imageshack.us/img473/307/psychrolutes1tz6rs9.jpg

So...that's what nightmares are made of...now I know.

LOLWUT?

Just because something is XML doesn't mean it's not presentational. What's SVG?

Kazan:

Andy Gottit:

Croc Dundee:

Yeah, XML tales "full control" of your browser. How's that foil hat doing, protecting your brainwaves from *them*, I hope.

Back in 1998 or 1999, I don't remember which, I demonstrated how to steal real money from folks who would view my web page with scripting enabled. At the time, at least 95% of web sites were vulnerable. It was considered "too hard to fix" and as of today, about 60% of web sites are still unfixed (with ignorant luzers producing more every day). So, of course, I surf with scripting turned off, as I would expect anyone else who knows what's going on would do.

XML or not, with scripting turned off, that's how it looks. What, you think I made that up?

since you're such a security genius who found a vulnerability that nobody else on the planet has ever found or written about how about to do the responsible thing and tell us what it is.

I disclosed it responsibly at the time. It is very well known by most everyone in the business, except perhaps you.

That is freaking amazing. I remember running an Apple2e for 3 days to get the equivalent of that.
And using XSLT - which (although I love it) is the most inefficient 'programming language' I've ever encountered.

My current machine now renders the page without a blink. How far we've come.

But the real astounding bit is that the XSL code itself is one of the shortest working XSL files I've seen. All real-world XSL I've touched is much much longer.
o_O

Hans:

Ilyak:

XSLT functions are called 'templates', and they are either called directly by name, or indirectly by using pattern-matching (feature available in a lot of more high-end functional languages).

Any questions?

Yes, two:

1. Why are the default rules contradictory? I.e. why doesn't an empty XSLT program either copy the entire source or throw it all out, rather than copying elements and throwing out attributes?

2. Would it have been possible to come up with a more painful syntax than this, or is this in fact the worst imaginable?

The default template for something basically <xsl:apply-templates/> So, you start at the root and go down the chain basically just applying templates to everything. At the bottom (a node with no children), you basically just get the value of those node (not a copy of the node)

So, an XSLT with no rules in it, SHOULD just spit out all the text nodes of the document, not a copy of any XML.

XSLT is wordy and hard to write. I've seen other attempts at XML-based templating languages and they're all equally ugly. I'd vote for using XSLT for templating or don't use XML for it at all.

This thing crashed IE8 D:

It's been 14 years, genius. It's entirely possible it got lost in the shuffle. Couldn't hurt you to disclose it again, could it?

Either put up or shut up, sez I.

It's called "cross site scripting", and is a well-known problem.

Stealing real money probably involves some sort of driving someone else's browser to use their bank, paypal, ebay, etc. pages.

Andy Gottit:

Kazan:

Andy Gottit:

Croc Dundee:

Yeah, XML tales "full control" of your browser. How's that foil hat doing, protecting your brainwaves from *them*, I hope.

Back in 1998 or 1999, I don't remember which, I demonstrated how to steal real money from folks who would view my web page with scripting enabled. At the time, at least 95% of web sites were vulnerable. It was considered "too hard to fix" and as of today, about 60% of web sites are still unfixed (with ignorant luzers producing more every day). So, of course, I surf with scripting turned off, as I would expect anyone else who knows what's going on would do.

XML or not, with scripting turned off, that's how it looks. What, you think I made that up?

since you're such a security genius who found a vulnerability that nobody else on the planet has ever found or written about how about to do the responsible thing and tell us what it is.

I disclosed it responsibly at the time. It is very well known by most everyone in the business, except perhaps you.

Look, buddy, if you wanted to be taken seriously you wouldn't have started with a comment about how XSLT is going to "take over your computer" and then followed it up by talking about javascript.

Andy Gottit:

I disclosed it responsibly at the time. It is very well known by most everyone in the business, except perhaps you.

Ah yes, the good old "Emperor's new clothes" style argument. If you can't clearly see the truth of my argument, then you must not be cool enough.

If you don't know the secret handshake we use to represent the Vulnerability That Must Not Be Named, then we simply can't discuss it. I'm not really sure how you render a handshake to ASCII anyway. Maybe with XSLT?

Andy Gottit:

Anonymous:

Andy Gottit:

So what's your theory? Someone went to all the work of making the NoScript browser plugin, which is downloaded by over 600,000 people per week, just so we could all talk shit?

You clearly didn't read my original post. I said proof of concept or you're just talking shit. The existence of NoScript is hardly a proof of concept for your 133t hax0ring skillz, is it? So, are you going to put your money where your mouth is? Just a proof of concept, it's hardly difficult assuming you've done what you say you have.

No, it isn't difficult at all. However, there exist people in law enforcement, judges, and juries who are not shall we say net savvy. Some of them have in the past expressed their opinion that it is a crime for me to teach you how to commit a crime.

If you want to hire me to penetration test your web site, we can talk. Of course you'll have to prove it is really your site. And, you probably can't afford me.

Talk is so cheap... So, you're the end all of security experts that apparently no one can afford. Everyone loves the person who talks about how they're such an expert but they only talk in generalities or just try to insult people about how little they know. Where I come from we call someone like you a bullsh@!#ter...

Anonymous:

Andy Gottit:

I disclosed it responsibly at the time. It is very well known by most everyone in the business, except perhaps you.

Ah yes, the good old "Emperor's new clothes" style argument. If you can't clearly see the truth of my argument, then you must not be cool enough.

If you don't know the secret handshake we use to represent the Vulnerability That Must Not Be Named, then we simply can't discuss it. I'm not really sure how you render a handshake to ASCII anyway. Maybe with XSLT?

I can empty your bank account, rape your mother, and kill your dog just by having you open a web site with javascript enabled. Nuff said.

Andy Gottit:

Anonymous:

Andy Gottit:

I disclosed it responsibly at the time. It is very well known by most everyone in the business, except perhaps you.

Ah yes, the good old "Emperor's new clothes" style argument. If you can't clearly see the truth of my argument, then you must not be cool enough.

If you don't know the secret handshake we use to represent the Vulnerability That Must Not Be Named, then we simply can't discuss it. I'm not really sure how you render a handshake to ASCII anyway. Maybe with XSLT?

I can empty your bank account, rape your mother, and kill your dog just by having you open a web site with javascript enabled. Nuff said.

Nuff said indeed. Now we're all concerned for our well being. Good job proving your point to everyone...

Captcha: nulla I'm gonna nulla your bank account, mother, and dog!

Pete:

It's called "cross site scripting", and is a well-known problem.

Stealing real money probably involves some sort of driving someone else's browser to use their bank, paypal, ebay, etc. pages.

if he is indeed running his mouth about XSS then his "nuke all JS" solution is overkill in the extreme.

Andy Gottit:

I can empty your bank account, rape your mother, and kill your dog just by having you open a web site with javascript enabled. Nuff said.

thank you for proving our point for us you ignoramous.

$5 says that if he does indeed have a vulnerability it's ActiveX and only works on IE3 :P

Addendum (2009-04-29 13:59):
s/ignoramous/ignoramus

Wow.... This is the farthest I've seen a troll get in a long time on TDWTF.

Andy Gottit:

I can empty your bank account, rape your mother, and kill your dog just by having you open a web site with javascript enabled. Nuff said.

OMG!!1!!one!! yer scaree!

plz send me teh codez plz??!?

I'm afraid you've all been had. Could be TopCod3r, although it's not really his style. However, the way I read the original post, he as good as winked at the reader knowingly with:

Andy Gottit:

What, you think I made that up?

Andy Gottit:

I can empty your bank account, rape your mother, and kill your dog just by having you open a web site with javascript enabled. Nuff said.

Finally!!! Something useful on the internet after all this time. plz snd m3 teh c0d3z 2.

Anonymous:

Funny how, of all the stupid things people could draw with functional programming languages, they all end up drawing the Mandelbrot set. Am I the only one who long ago stopped being impressed by a computer's ability to plot f(z)-->z^2+c?

all XML chatter aside, it's actually the ability to analyze if the iteration on z with, in the first iteration, z=0 is bounded for some c (which is the starting position on the complex plane). It is not a trivial problem to analyze this efficiently.

I rather like XSLT...
I just don't like actually writing it. :|

TRWTF is Andy Gottit

OK I admit it, I thought mandlebrot was a pie, and XSL was going to steal my pie, so I made up lies about XSL to discredit it. Swiftly moving on to talk about javascript just covered my tracks.

I am sorry for my deception, but even more sorry that I never got my mandlebrot pie.