tungwaiyip.info


Checking for Cross-Site Scripting Vulnerability

Netcraft.com brought the cross-site scripting security problem to my attention, and I have examined this website for vulnerabilities. The problem is usually caused by systems that do not check input received from a user or a third party before using it. One place this website receives input is the RSS news feeds. I crafted a test RSS feed with embedded JavaScript. Some RSS feed readers (including this website) display the content as is; they should (arguably) strip the embedded script before displaying it. I promptly plugged this by escaping the meta characters before outputting them on the web pages.

An important element of cross-site scripting is that a third party can use a reputable website as a conduit to inject questionable code into its context. In this case the news feeder's communication is only between this website and the news source, and I am not aware of any loophole for a third party to get involved. But in a world of open communication it is better to be safe and test all input before use.

2004.07.20
