tungwaiyip.info


Checking for Cross-Site Scripting Vulnerability

Netcraft.com brought the cross-site scripting security problem to my attention, so I examined this website for vulnerabilities. This problem is usually caused by a system using input received from a user or a third party without checking it first. One place this website receives outside input is the RSS news feeds. I crafted a test RSS feed with embedded JavaScript. Some RSS feed readers (including this website) display the feed content as is; they should (arguably) strip the embedded script before displaying it. I promptly plugged the hole by escaping the HTML meta characters before outputting the feed content on the web pages.

An important element of cross-site scripting is that a third party can use a reputable website as a conduit to inject questionable code that runs in that website's context. In this case the news feeder's communication is only between this website and the news source, and I am not aware of any loophole that lets a third party get involved. But in a world of open communication it is better to be safe and check all input before use.
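The vulnerable pattern and the fix described above, as an added example (this is not the site's own feed reader code). The feed text, the element names and the helper functions are constructed for illustration; the point is that the XML parser hands the reader a description string containing live `<script>` markup, and only escaping at output time keeps it from reaching the browser as markup.

```python
"""Added example (not the site's own code): render RSS item text safely.

A feed reader that copies item titles and descriptions into its HTML
verbatim will execute any script the feed carries.  The fix shown is
escaping the HTML metacharacters before output.  The sample feed below
is constructed for this example.
"""
import html
import xml.etree.ElementTree as ET

# Constructed sample feed: one benign item and one carrying a script.
# The entity-encoded <script> is exactly how a feed would deliver it.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Test feed</title>
<item>
  <title>Normal headline</title>
  <description>Plain text &amp; nothing more</description>
</item>
<item>
  <title>Crafted item</title>
  <description>&lt;script&gt;alert('xss')&lt;/script&gt;hello</description>
</item>
</channel></rss>
"""


def parse_items(rss_text):
    """Return (title, description) pairs as the feed delivers them.

    The XML parser decodes &lt;script&gt; back into <script>, so the
    description *string* now contains live HTML markup.
    """
    root = ET.fromstring(rss_text)
    items = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        desc = item.findtext("description", default="")
        items.append((title, desc))
    return items


def render_unsafe(items):
    """The vulnerable pattern: feed text dropped straight into the page."""
    return "".join(
        "<li><b>%s</b>: %s</li>\n" % (title, desc) for title, desc in items
    )


def render_escaped(items):
    """The fix: escape &, <, >, and quotes before the text reaches HTML."""
    return "".join(
        "<li><b>%s</b>: %s</li>\n" % (html.escape(title), html.escape(desc))
        for title, desc in items
    )


def contains_live_script(rendered_html):
    """Cheap tester's check: does a real <script tag survive rendering?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    items = parse_items(SAMPLE_RSS)
    print("unsafe output carries live script:",
          contains_live_script(render_unsafe(items)))
    print("escaped output carries live script:",
          contains_live_script(render_escaped(items)))
    print(render_escaped(items))
```

Escaping is done at the point of output into an HTML text node; if the same feed text were placed inside an attribute value or a URL it would need the escaping appropriate to that context instead.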

2004.07.20
