Posted by FFMG on 08/16/06 06:22
arccos wrote:
> Dylan Sung wrote:
>
> To answer the security question, your site may be vulnerable to
> cross-site scripting, which is more serious than a bit of spam. When
> someone enters a comment with the < and > characters, do the characters
> < and > show up on the page, or do the characters < and > show up in
> the source code? If it's the 2nd, you are vulnerable.
>
> Anyone entering a comment can use the HTML tags < and >, which means
> they can use cross-site scripting attacks. That in turn means they can
> run their code from your webpage. See here:
> http://en.wikipedia.org/wiki/Cross-site_scripting
>
> You would have the most serious vulnerability, what they list here as
> type-2. The easiest way to fix this is to modify your code to either
> strip out < and >, or to HTML encode it (change < to &lt; and > to
> &gt;) in all comments as they are submitted.
>
> Without a URL, I can't say for sure if you do have the vulnerability.
> Good luck!
Thanks for that.
As I said I removed the offending comments so I cannot really give a
link.
In a sick way I have allowed '<' and '>' because I want to
learn some of the more colorful ways of XSS injection.
And I must say, there are some pretty clever hacks out in the wild. The
more I block the better they get.
If I was a bigger site I would have to stop all the '<' and '>'
but that way I learn a bit more about hacks and so on.
Thanks all.
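
The two fixes named in the quoted advice (strip < and >, or HTML-encode them) next to a filter that only blocks patterns already seen, with the "does the raw comment show up in the source" check run against each. This is an added example, not code from either poster; the sample comments, the function names and the blocklist pattern are constructed for illustration.

```python
import html
import re

# Constructed sample comments (not taken from the thread).
SAMPLE_COMMENTS = [
    "Nice post, 2 < 3 and 5 > 4!",
    "<b>bold claim</b> & more",
    'He said "hi" <i>quietly</i>',
]

def strip_angles(comment: str) -> str:
    """Option 1 from the quoted advice: drop < and > entirely."""
    return comment.replace("<", "").replace(">", "")

def encode_comment(comment: str) -> str:
    """Option 2: HTML-encode (< to &lt;, > to &gt;). html.escape also
    encodes & and quotes, so the text is safe in attribute values too."""
    return html.escape(comment, quote=True)

def blocklist_filter(comment: str) -> str:
    """Hypothetical 'block what I have seen so far' filter, for contrast."""
    return re.sub(r"(?i)</?script[^>]*>", "", comment)

def render_page(comments, sanitize) -> str:
    """Build the HTML source a visitor's browser would receive."""
    items = "\n".join(f"  <li>{sanitize(c)}</li>" for c in comments)
    return f"<ul>\n{items}\n</ul>"

def raw_markup_in_source(page_source: str, comment: str) -> bool:
    """The check from the quoted post: does a submitted comment that
    contains < or > appear unmodified in the page source?"""
    return ("<" in comment or ">" in comment) and comment in page_source

def vulnerable(sanitize) -> bool:
    """True if any sample comment reaches the source with raw < or >."""
    page = render_page(SAMPLE_COMMENTS, sanitize)
    return any(raw_markup_in_source(page, c) for c in SAMPLE_COMMENTS)

if __name__ == "__main__":
    for name, fn in [("none", lambda c: c), ("blocklist", blocklist_filter),
                     ("strip", strip_angles), ("encode", encode_comment)]:
        print(f"{name:10s} raw markup reaches source: {vulnerable(fn)}")
```

Only stripping and encoding keep raw markup out of the source; the blocklist passes every tag it was not written for.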