Checking for Cross-Site Scripting Vulnerability

Netcraft.com brought my attention to the cross-site scripting security problem, and I have examined this website for the vulnerability. The problem is usually caused by a system not checking input received from a user or a third party before using it. One place this website receives outside input is its RSS news feeds. I crafted a test RSS feed with embedded JavaScript, and some RSS readers (including this website) displayed the content as is; they should (arguably) strip the embedded script before displaying it. I promptly plugged this by escaping the meta characters before outputting them on the web pages.
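To make the fix concrete, here is an added example (not the code this site used) of a small RSS consumer that renders feed items two ways: as-is, the way the post describes the vulnerable reader behaving, and with every feed-supplied value HTML-escaped before it reaches the page. The feed text is constructed for the example, the item links use the reserved `example.invalid` domain, and the escaping relies on Python's `html.escape`. It also goes one step beyond the post: escaping alone does not neutralise a non-HTTP scheme in a link's `href`, so the escaped renderer additionally allow-lists the link scheme.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed (not a real feed). The first item carries a script
# tag in its description; the second carries a non-HTTP scheme in its link.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example feed</title>
<item>
  <title>Harmless headline</title>
  <link>http://example.invalid/post/1</link>
  <description>Body text &lt;script&gt;alert(1)&lt;/script&gt; more text</description>
</item>
<item>
  <title>Another &amp; headline</title>
  <link>javascript:alert(1)</link>
  <description>Plain body</description>
</item>
</channel></rss>"""


def parse_items(rss_text):
    """Return a list of dicts with the title, link and description of each <item>.
    The XML parser decodes entities, so '&lt;script&gt;' becomes '<script>' here."""
    root = ET.fromstring(rss_text)
    return [
        {
            "title": item.findtext("title", default=""),
            "link": item.findtext("link", default=""),
            "description": item.findtext("description", default=""),
        }
        for item in root.iter("item")
    ]


def render_unsafe(item):
    """As-is rendering: whatever markup the feed carried lands in the page."""
    return '<li><a href="%s">%s</a>: %s</li>' % (
        item["link"], item["title"], item["description"])


def safe_link(url):
    """Allow only http/https links; anything else is replaced by a harmless '#'."""
    return url if urlsplit(url).scheme in ("http", "https") else "#"


def render_escaped(item):
    """Escape & < > " ' in every feed-supplied value before output. The href is
    additionally scheme-checked, because escaping does not change a scheme."""
    return '<li><a href="%s">%s</a>: %s</li>' % (
        html.escape(safe_link(item["link"]), quote=True),
        html.escape(item["title"]),
        html.escape(item["description"]),
    )


def contains_script_tag(markup):
    """Crude check used to show the difference between the two renderers."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for entry in parse_items(SAMPLE_RSS):
        print("unsafe :", render_unsafe(entry))
        print("escaped:", render_escaped(entry))
```

Run as a script, it prints each item both ways; the escaped form of the first item contains the literal text `&lt;script&gt;` rather than a live tag, and the second item's link collapses to `#`.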

An important element of cross-site scripting is that a third party can use a reputable website as a conduit to inject questionable code into the reputable site's context. In this case the news feeder's communication is only between this website and the news source, and I am not aware of any loophole that would let a third party get involved. But in a world of open communication it is better to be safe and check all input before use.

2004.07.20

Site feed Updated: 2018-Mar-22 18:00