
On Fri, Oct 06, 2006 at 04:35:22PM +0200, Clinton Gormley wrote:
> I'm testing my current site for XSS vulnerabilities, and I came across
> this one on:
> 
> http://ha.ckers.org/xss.html
[...]
> Now this is an interesting one...  How would you avoid this? Only take
> parameters from the POST data?  Any other ideas?

Users:
  * switch off JavaScript (and any other active content)
  * avoid pages unusable without active content

Developers:
  * always offer working alternatives to active content (the page
    must be usable with no JS, no Java, no Flash; I won't talk
    about other client-side monsters here).
  * convince your bosses/clients that (X)HTML/CSS is enough to
    make beautiful and usable pages.

OK, now call me names :-)

For the case shown, the best seems to be to disallow any links to other
sites (and provide some kind of "cleaning proxy" if users want to
publish images from elsewhere. Looks like fun).

Regards
-- tomás
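One way to implement the policy from the reply above ("only links to our own site; off-site images only through a cleaning proxy"), as an added example that is not code from the list or from either poster. ALLOWED_HOSTS, SITE_BASE and the /imgproxy endpoint are assumptions for the example:

```python
from typing import Optional
from urllib.parse import quote, urljoin, urlsplit

# Assumed values for this example: the site's own host(s) and base URL, and a
# hypothetical same-origin /imgproxy endpoint that fetches an off-site image,
# re-encodes it and serves the bytes itself (so third-party markup never
# reaches the page). Swap in the real site's values.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
ALLOWED_SCHEMES = {"http", "https"}
SITE_BASE = "https://www.example.com/"
IMG_PROXY = "/imgproxy?u="


def _clean(url: str) -> str:
    # Browsers drop tabs/newlines/controls before parsing an href, so a
    # "java<TAB>script:" still runs; parse the same string the browser would.
    return "".join(ch for ch in url if ord(ch) > 0x20)


def is_allowed_link(url: str) -> bool:
    """True only if url resolves to one of our own hosts over http(s).

    Relative links are resolved against SITE_BASE, so "/a.html" passes while
    "//other.host/x" does not. Anything with another scheme (javascript:,
    data:, vbscript:, ...) or another host (including userinfo tricks such as
    http://www.example.com@other.host/) is refused."""
    parts = urlsplit(urljoin(SITE_BASE, _clean(url)))
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


def proxied_image_src(url: str) -> Optional[str]:
    """Rewrite an off-site http(s) image URL to go through our cleaning proxy.

    Returns the same-origin proxy URL, or None if the input is not a plain
    absolute http(s) URL (the proxy is the only way off-site content gets in,
    and it must still check the fetched Content-Type and size itself)."""
    cleaned = _clean(url)
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    if parts.hostname.lower() in ALLOWED_HOSTS:
        return cleaned  # already ours, no proxy needed
    return IMG_PROXY + quote(cleaned, safe="")
```

The link check runs on every user-supplied href or src before it is stored; the proxy endpoint itself must still validate what it fetches, since the rewrite only guarantees the browser never talks to the third party directly.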