Don’t fool yourself when cleaning input: JavaScript is sneaky as hell.
User input must never be trusted. It is impossible to emphasize this enough. Please excuse me if I get emotional; it is a sensitive subject for me.
All web developers worth anything know this, but very often even the most experienced developer makes assumptions or simple mistakes that leave a dirty little hole which is ripe for pillaging.
I recently found a hole in an application which was caused by lazy / inadequate / ill-conceived input cleansing. The developers have been notified and will surely correct the problem shortly. I will release more detail regarding this when the issue has been resolved and a fix is in place. Of course, if you are a trusted dot-comrade I can fill you in beforehand as requested. For everyone else, check out:












