A LIST Apart: For People Who Make Websites

No. 275

Discuss: Community Creators, Secure Your Code!


1 keep it dry

Or just use something like textile or markdown and move on with your life.

What was that ajax sample showing exactly? Seemed like filler to me.

posted at 12:23 am on April 18, 2006 by Justin Perkins

2 He Means…

Be very wary of all the nifty new things Web 2.0 brings us. Seems like an old message, but I suppose we could all use a reminder now and then.

IE (Microsoft Internet Explorer) flops once again. Hopefully Microsoft will do a better job with IE7. :/

posted at 12:54 am on April 18, 2006 by Damien Wilson

3 The ajax sample

The purpose of the ajax sample will be clearer when part two is released. Like an introduction for those who haven’t got a thorough knowledge of ajax…

Regards, Niklas

posted at 02:29 am on April 18, 2006 by Niklas Bivald

4 I recommend taking a look at these

http://iamcal.com/publish/articles/php/processing_html/
http://iamcal.com/publish/articles/php/processing_html_part_2/

posted at 03:37 am on April 18, 2006 by ban jax

5 Examples

Very nice to show the bad code, but somehow the way to protect yourself is always missing in these kinds of articles. Regular expressions are not exactly bread & butter for everyone, so if you want to get the world to notice your warning and act on it, some cut and paste examples would be very helpful.

posted at 07:01 am on April 18, 2006 by Martijn ten Napel

6 XSS Cheat Sheet

Worth checking if some of the strings listed on this site slip through your validation routines:

http://ha.ckers.org/xss.html

posted at 07:44 am on April 18, 2006 by Christian Sattel

7 re: Examples

Martin said:

Very nice to show the bad code, but somehow the way to protect yourself is always missing in these kind of articles

But as this was announced as Part One of a two-part series, the comment might be reserved until Part Two has run.

posted at 07:59 am on April 18, 2006 by Jeffrey Zeldman

8 Part two

When will part two be published? In the ALA publication?

Not being well versed in this subject, it sounds like a site is less likely to be susceptible to XSS when one avoids the usage of eval and avoids muddling style, structure and behavior through the use of the style attribute and inline JavaScript. Is this the case? I know this is easier said than done.

posted at 10:56 am on April 18, 2006 by Brian LePore

9 Re: Part Two

When will part two be published? In the ALA publication?

Yup! In our very next issue here at ALA, which we’re planning to publish in two weeks.

posted at 11:42 am on April 18, 2006 by Erin Kissane

10 Actual HTML Filtering

It occurs to me that if someone just sat down and wrote a stack-based (not regex) parser based closely on a stripped-down version of the HTML, XHTML, XML and CSS specifications, we could have something that would deal quite nicely with attempted XSS attacks. Remember: these are all well-documented specifications, and the browsers, which trigger these XSS attacks, simply adhere to these specifications.

The ad hoc “tricks” the article prescribes can fall victim to clever attackers. For instance, if you were to use str_replace('javascript', '', $html) your script would still be vulnerable to javasjavascriptcript (this is documented in the XSS cheat sheet posted above, excellent reading for anybody interested in HTML validation).

posted at 02:23 pm on April 18, 2006 by Edward Yang
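An added example, not part of the thread or the article, illustrating Edward's point above: the single-pass str_replace filter leaves the word behind when the nested string from the cheat sheet is fed through it, and the two defender-side alternatives the thread points towards, output encoding and parsing with an allowlist, handle it. Function names and the sample input are constructed for this illustration.

```php
<?php
// Added example (not from the thread): the single-pass blacklist Edward describes,
// and the two defender-side alternatives the thread points towards.

// 1. The naive filter under discussion: delete the word "javascript" once.
function naiveStrip(string $html): string {
    return str_replace('javascript', '', $html);
}

// Constructed sample using the nested string from the XSS cheat sheet linked above.
$input = '<a href="javasjavascriptcript:alert(1)">click</a>';
$once  = naiveStrip($input);
var_dump(str_contains($once, 'javascript'));   // bool(true): the two halves rejoin

// Looping until nothing changes closes that specific hole, but it is still a
// blacklist: case, entity and whitespace variants from the cheat sheet remain.
function stripUntilStable(string $html): string {
    do {
        $before = $html;
        $html   = str_ireplace('javascript', '', $html);
    } while ($html !== $before);
    return $html;
}

// 2. For untrusted text that only needs to be displayed, encode it so the
//    browser never interprets it as markup. This is the default to reach for.
function escapeForHtml(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
echo escapeForHtml($input), "\n";
// &lt;a href=&quot;javasjavascriptcript:alert(1)&quot;&gt;click&lt;/a&gt;

// 3. If some HTML must be allowed, parse it with a real parser (here PHP's
//    DOMDocument) and allowlist what you keep. Shown for <a href>: keep only
//    relative, http: or https: URLs and drop everything else rather than "cleaning" it.
function allowlistLinkHrefs(string $html): string {
    libxml_use_internal_errors(true);        // no warning spray on malformed input
    $doc = new DOMDocument();
    $doc->loadHTML('<div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    foreach ($doc->getElementsByTagName('a') as $a) {
        $parts  = parse_url(trim($a->getAttribute('href')));   // entities already decoded by the parser
        $scheme = is_array($parts) ? strtolower($parts['scheme'] ?? '') : null;
        if ($scheme === null || !in_array($scheme, ['', 'http', 'https'], true)) {
            $a->removeAttribute('href');
        }
    }
    return $doc->saveHTML($doc->documentElement);
}
echo allowlistLinkHrefs($input), "\n";   // <div><a>click</a></div>
```

The allowlist step decides on the decoded attribute value and the parsed URL scheme, which is why it is not fooled by the nesting, entity or case tricks that defeat substring searches.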
