tungwaiyip.info


Checking for Cross-Site Scripting Vulnerability

Netcraft.com brought the cross-site scripting security problem to my attention. I have examined this website for vulnerabilities. This problem is usually caused by systems not checking input received from a user or third party before using it. One place this website receives input is the RSS news feeds. I have crafted a test RSS feed with embedded JavaScript. Some RSS feeders (including this website) display the content as is. They should (arguably) have stripped off the embedded script before displaying it. I promptly plugged this by escaping the meta characters before outputting them on the web pages.

An important element of cross-site scripting is that a third party can use a reputable website as a conduit to inject questionable code in its context. In this case the news feeder's communication is only between this website and the news source. I am not aware of any loophole for a third party to get involved. But in the world of open communication it is better to be safe and test all input before use.
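The fix described above, escaping meta characters in feed text before writing it into a page, sketched in Python as an added example (not this website's own code). The feed is constructed test data, the function names are hypothetical, and the `safe_href` link check goes one step beyond the post's escaping by also restricting item links to http(s) URLs.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed test feed: the title and description carry embedded script,
# and the second item's link is not an http(s) URL.
TEST_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Test feed</title>
<item>
  <title>Headline &lt;script&gt;alert(1)&lt;/script&gt;</title>
  <link>http://news.example/story?id=1&amp;ref=rss</link>
  <description><![CDATA[<img src=x onerror="alert(2)"> "quoted" text]]></description>
</item>
<item>
  <title>Second headline</title>
  <link>javascript:alert(3)</link>
  <description>Plain text</description>
</item>
</channel></rss>"""

def safe_href(url):
    """Return url if it is an absolute http(s) URL, otherwise '#'."""
    url = url.strip()
    parts = urlsplit(url)
    return url if parts.scheme in ("http", "https") and parts.netloc else "#"

def render_items(feed_xml):
    """Render each <item> as an HTML list entry, escaping all feed text."""
    rows = []
    for item in ET.fromstring(feed_xml).iter("item"):
        title = item.findtext("title", default="")
        link = item.findtext("link", default="")
        desc = item.findtext("description", default="")
        rows.append(
            '<li><a href="{}">{}</a> {}</li>'.format(
                html.escape(safe_href(link), quote=True),  # attribute context
                html.escape(title),  # & < > " ' become character entities
                html.escape(desc),   # markup in the feed is shown as text
            )
        )
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"

if __name__ == "__main__":
    print(render_items(TEST_FEED))
```

The XML parser decodes the feed's entities and CDATA first, so escaping has to happen at output time on the decoded text, which is where the post applies it.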

2004.07.20

 

 
