Netcraft.com brings my attention to cross-site scripting security problem. I have examined this website for vulnerabilities. This problem is usually caused by systems not checking input received from user or third party before using it. One place this website receives input is the RSS new feeds. I have crafted a test RSS with embedded javascript. Some RSS feeder (including this website) display the content as is. They should have (arguably) strip off the embedded script before displaying it. I promptly plugged this by escaping the meta characters before outputting them on the web pages.

An important element for cross-site scripting is that a third party can use a reputable website as a conduit to inject questionable code in their context. In this case the news feeder's communication is only between this website and the news source. I am not aware of any loop hole for third party to get involved. But in the world of open communication it is better to be safe to test for all input before use.

2004.07.20 [web, security] - comments

I have finally ditched my home grown blog formatter for pyBlosxom, a very simple file based weblog server. It only take me several hours to setup and integrated with my web pages. Customization is fairly easy. I have designed the style to look, well, like the same old home page (pyBlosxom itself does not come with any decent template anyway). So far the only thing new is the calendar on the left. But I plan to add other features in the coming days.

I have downloaded Movable Type for months and never get to set it up. The database and third party library requirement really puts me off. Yet I am able to setup pyBlosxom within hours. I am really please with its light weight design and the text file based repository.

The main motivation for upgrade is the need to add permalink to the entries. I have some successful experimented with pyBlosxom but I still need some more work before publishing them. After all, permalinks means permanent. So I want to get it right.

2004.07.01 [web] - comments