Checking for Cross-Site Scripting Vulnerability

Netcraft.com brought the cross-site scripting security problem to my attention, and I have examined this website for vulnerabilities. This problem is usually caused by systems not checking input received from a user or a third party before using it. One place this website receives outside input is the RSS news feeds. I crafted a test RSS feed with embedded JavaScript. Some RSS feed readers (including this website) display the content as is; they should arguably strip the embedded script before displaying it. I promptly plugged this by escaping the HTML metacharacters before outputting feed content on the web pages.

An important element of cross-site scripting is that a third party can use a reputable website as a conduit to inject questionable code that then runs in the reputable site's context. In this case the news feed reader's communication is only between this website and the news source, and I am not aware of any loophole that would let a third party get involved. But in a world of open communication it is better to be safe and check all input before use.
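The fix described above, as an added example that is not the site's own feed-reader code: a constructed RSS feed whose description carries markup (XML-escaped in the feed, as RSS normally does, so the XML parser hands the renderer a raw `<script>` tag), a renderer that pastes feed text into the page as is, the escaping renderer that replaces it, and a check a reviewer can run over the rendered output. The feed content, function names and the inert script marker are all assumptions made for the example.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample feed (not the page's own test feed). The description is
# XML-escaped as RSS feeds normally are; the XML parser decodes it back into
# raw '<script>' before the renderer ever sees it.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Constructed test feed</title>
    <item>
      <title>Harmless headline &amp; a &lt;b&gt;bold&lt;/b&gt; word</title>
      <description>Story text &lt;script&gt;/* constructed marker */&lt;/script&gt; continues.</description>
    </item>
  </channel>
</rss>
"""


def parse_items(feed_xml):
    """Return (title, description) pairs exactly as the XML parser decodes them."""
    root = ET.fromstring(feed_xml)
    items = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        desc = item.findtext("description", default="")
        items.append((title, desc))
    return items


def render_unescaped(items):
    """The flaw the post describes: feed text is pasted into the page as is,
    so any markup in the feed becomes live markup in our page."""
    return "\n".join(f"<h3>{t}</h3><p>{d}</p>" for t, d in items)


def render_escaped(items):
    """The fix the post applied: escape HTML metacharacters (<, >, &, quotes)
    so feed text is shown literally instead of interpreted as markup."""
    return "\n".join(
        f"<h3>{html.escape(t, quote=True)}</h3><p>{html.escape(d, quote=True)}</p>"
        for t, d in items
    )


def contains_live_script(rendered_html):
    """Check a reviewer can run over rendered output: is there a real <script>
    tag, as opposed to the harmless escaped text '&lt;script&gt;'?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    items = parse_items(SAMPLE_FEED)
    unsafe = render_unescaped(items)
    safe = render_escaped(items)
    print("unescaped output has a live <script> tag:", contains_live_script(unsafe))
    print("escaped output has a live <script> tag:  ", contains_live_script(safe))
    print(safe)
```

Escaping turns the feed's markup into visible text, which is the right default when the page has no reason to render the feed's own HTML; stripping tags instead, as the post mentions, is harder to get right because the stripper has to understand every way a browser will parse a tag.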

2004.07.20