On Aug 13, 2012, at 2:55 PM, Perforin wrote:

> On 08/13/2012 11:57 AM, Shlomi Fish wrote:
>> Hello Perforin,
>> 
>> On Mon, 13 Aug 2012 08:18:13 +0200
>> Perforin <w32.perfo...@gmail.com> wrote:
>> 
>>> On 08/13/2012 12:45 AM, Owen wrote:
>>>> On Fri, 10 Aug 2012 13:41:51 -0500
>>>> Bill Stephenson <bi...@ezinvoice.com> wrote:
>>>> 
>>>>> So, I've been working on an example web based app that demonstrates
>>>>> pretty much how I've been doing things lately, it's a simple note
>>>>> pad app for beginners to play with.  I put the app and code on my
>>>>> Linux web server here:
>>>>> 
>>>>> http://www.raspberryperl.com
>>>> Love it. 
>>>> 
>>>> 
>>>> 
>>> Just fixx the XSS bugs pl0x ;)
>>> 
>> Can you point to one or more XSS bugs that you have encountered? XSS is
>> http://en.wikipedia.org/wiki/Cross-site_scripting for those who are not
>> familiar with it.
>> 
>> Regards,
>> 
>>      Shlomi Fish
>> 
> 
> 
> I tested the XSS in the subject field only. There's no filtering.

Yes indeed, and thank you for the suggestion.

After being gone for a few days I saw when I got back that someone entered 
something like this into the subject field of a note to redirect users to a 
porn site:

<script>window.location = "http://www.I-am-a-loser.org/";</script>

So, since the demo is publicly accessible, I added some code to prevent that from 
working.

But really, that specific code should not be necessary for the lesson on 
building this app. This app is not meant to be publicly accessible, it's a 
"Note Pad" app, meant to be used personally, by a single user, on their own 
Raspberry Pi. So unless a user has a dual personality disorder they are not 
likely to need to filter their own notes.

I do intend to show how to require a login, which would also help prevent that 
kind of attack, but I want to take users through that process in another step, 
and there are other features that can also be explained with a step by step 
process, including how to help prevent XSS attacks, which is an important 
lesson to learn. I think it will be easier for beginners to apply what they 
learn to other projects using this approach.

One thing worth noting about how this app is made is that it uses the epoch 
time to name the note files. This has a few advantages, one being the ability 
to quickly and easily search a folder full of files by a date range, another is 
to cross reference the time stamp with the web server's access logs to find the 
IP address of who made a particular note. This could come in handy to help law 
enforcement track down and prosecute a specific user who might want to do 
something stupid, like an XSS attack, the penalties for which, from what I 
understand, include fines and prison time in most countries for even small 
infractions.

Thanks again,

Bill Stephenson
--
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
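The two ideas in Bill's message, encoding the subject field before it is echoed into the page and naming note files by epoch seconds so they can be listed by date range, as an added Perl example. This is not code from raspberryperl.com or from anyone in the thread; it assumes the app stores each note as a file named by its creation epoch in one directory and that the subject is echoed back inside an HTML element. The sample subjects and file names are constructed, and the URL in the sample script tag is a placeholder rather than the one quoted above.

```perl
#!/usr/bin/env perl
# Added example, not the note pad app's own code.
# Assumptions: notes live as files named by epoch seconds in one
# directory; the subject is rendered inside an HTML element.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Encode the five characters that let user input break out of HTML text
# or attribute context. Encode on output, at the point of rendering,
# rather than trying to strip "dangerous" strings from the stored note.
sub escape_html {
    my ($text) = @_;
    return '' unless defined $text;
    my %map = (
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Render a stored subject inside the page. The stored text stays
# verbatim on disk; only the HTML view is encoded.
sub render_subject {
    my ($subject) = @_;
    return '<h2>' . escape_html($subject) . '</h2>';
}

# Return the epoch-named note files in $dir whose name (the creation
# time) falls within [$from, $to]. Names that are not all digits are
# ignored so a stray file is never mistaken for a note.
sub notes_in_range {
    my ($dir, $from, $to) = @_;
    opendir(my $dh, $dir) or die "opendir $dir: $!";
    my @names = grep { /^\d+$/ && $_ >= $from && $_ <= $to } readdir($dh);
    closedir($dh);
    return sort { $a <=> $b } @names;
}

# Constructed sample subjects: an ordinary one and the kind that was
# entered on the public demo. The hostname is a placeholder.
my @subjects = (
    'Shopping list',
    '<script>window.location = "http://example.invalid/";</script>',
);
for my $s (@subjects) {
    print render_subject($s), "\n";
}

# Date-range listing over a temporary directory of constructed notes.
my $dir = tempdir(CLEANUP => 1);
for my $epoch (1344600000, 1344620000, 1344700000) {
    open(my $fh, '>', "$dir/$epoch") or die "open $dir/$epoch: $!";
    print $fh "note created at $epoch\n";
    close($fh);
}
open(my $junk, '>', "$dir/README") or die "open $dir/README: $!";
close($junk);

my @hits = notes_in_range($dir, 1344600000, 1344650000);
print "notes between 1344600000 and 1344650000: @hits\n";
```

The encoded subject still displays the literal text the user typed, so nothing is lost from the note; the browser just no longer treats it as markup. The same epoch name that drives the date-range listing is what lines up against the web server's access log when you need to know which request created a given note.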