 Posted by Edward Vermillion on 07/08/05 20:31 
On Jul 8, 2005, at 12:02 PM, Ezra Nugroho wrote: 
 
> 
> I am just wondering, how could someone craft an html to steal cookies? 
> If your cookie distribution is done right, I don't think you need to 
> worry about this. 
> 
 
That's what XSS is all about. I don't have the link handy but I do have
a PDF file that I found a while back that explains how this happens, and
to tell the truth, it scared the s*** outa me. To the point that I
really don't trust any online commerce, although I do still use it, just
as I still give the waitress/waiter my credit card at a restaurant, even
though I know that's where most of the identity theft/stolen CC numbers
come from.
 
> There are a gazillion of sites (CMS-based, wiki-based, etc, including
> php.net) that allow users to contribute html. They are not concerned
> about security of data delivery.
 
Yeah I know... :P 
 
> 
> I think page-breaking html is a more prominent issue, which you could
> eliminate with BBcode or wiki language.
> 
> Perhaps you are being a little paranoid? 
> Or do I miss something? 
> 
 
So yeah, I'm being paranoid but I'm also trying to cover as many bases
as I can and yet still provide some decent functionality.
 
 
Edward Vermillion 
evermillion@doggydoo.net
 