After the Skype session yesterday I was discussing some security aspects with Andreu.
Andreu helped me to understand some risks better. I am focused on the firewall, but it seems that in programming we must also be careful,
and we have to give a security concept to mod harbour starters.
Andreu, 19:43
to be fair, I think for starting on the web it's far better to focus on things like XSS
what is XSS
cross-site scripting
it's a web security attack that goes like this:
on your website, you have an input for the user that will be visible to everyone – for example, a comment form on a blog post
and the server-side code used to store and display that comment doesn't escape the input
some malicious user could add input with scripts in the HTML, which could publish private data like cookies
you'd have to escape the input on the server so that it can't be rendered as a script when it's displayed
it's not an attack against the server, but against fellow users of the service
nowadays the web platform offers you tools so that you can block scripts without actually having to escape the input on the server-side
but while some of those are good, if you ask me the complete package is more trouble than just escaping every input
cross-site scripting
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
********************************************************************
Re: cross-site scripting
In order to write an < sign in HTML that doesn't start a tag, you write it &lt;
Same with > and &gt;
If you're writing code to render an attribute in a tag, you can escape a quote with &#39; (single quote) or &quot; (double quote)
Just that should be enough
Replace those in any input you're printing
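Added example (not code from the forum or from mod harbour): the blog-comment case Andreu describes, rendered once without escaping and once with the replacements listed in the reply above. The comment text and author name are constructed test input. One addition beyond the reply's list is escaping & first, so that an input that already contains an entity is not re-interpreted; the parser at the end is only there to show what a browser would see as real tags in each version.

```python
from html.parser import HTMLParser
import html

# Order matters: "&" is replaced first so the entities produced for the other
# characters are not escaped a second time.
HTML_ESCAPES = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#39;"),
]

# Constructed sample input: a display name that tries to break out of an
# attribute and a comment body that tries to inject a script element.
EVIL_AUTHOR = 'x" onmouseover="alert(1)'
EVIL_BODY = "<script>alert('xss')</script>"


def escape_html(text: str) -> str:
    """Replace the characters that have meaning in HTML so user input is
    shown as text and never parsed as markup."""
    for raw, entity in HTML_ESCAPES:
        text = text.replace(raw, entity)
    return text


def render_comment_unsafe(author: str, body: str) -> str:
    """The vulnerable pattern: stored input concatenated straight into HTML."""
    return f'<div class="comment" data-author="{author}">{body}</div>'


def render_comment_safe(author: str, body: str) -> str:
    """The fix: every piece of user input is escaped at output time, both
    inside the attribute value and inside the element body."""
    return (f'<div class="comment" data-author="{escape_html(author)}">'
            f'{escape_html(body)}</div>')


class TagCollector(HTMLParser):
    """Records every start tag (with its attributes) the parser sees, which is
    what the browser would actually execute or style."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(rendered: str):
    """Return [(tag, {attr: value}), ...] for the rendered fragment."""
    collector = TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


def round_trips(text: str) -> bool:
    """Escaping must not lose information: a browser decoding the entities
    shows exactly the text the user typed."""
    return html.unescape(escape_html(text)) == text


if __name__ == "__main__":
    for label, render in (("unsafe", render_comment_unsafe),
                          ("safe", render_comment_safe)):
        out = render(EVIL_AUTHOR, EVIL_BODY)
        print(label, out)
        print("  tags seen by parser:", parse_tags(out))
```

Running it shows the unsafe version producing a `div` with an extra `onmouseover` attribute followed by a `script` tag, while the safe version yields a single `div` whose attribute value and body are plain text. Python's standard library offers the same transformation as `html.escape(text, quote=True)` (it emits `&#x27;` for the single quote), so a real project can use that rather than its own table.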