On Fri, Oct 06, 2006 at 04:35:22PM +0200, Clinton Gormley wrote:
> I'm testing my current site for XSS vulnerabilities, and I came across
> this one on:
>
> http://ha.ckers.org/xss.html
[...]
> Now this is an interesting one... How would you avoid this? Only take
> parameters from the POST data? Any other ideas?
Users:
* switch off Javascript (and any other active content)
* avoid pages unusable without active content
Developers:
* always offer working alternatives to active content (page
must be usable with no JS, no Java, no Flash (I won't talk
about other client-side monsters here)).
* convince your bosses/clients that (X)HTML/CSS is enough to
make beautiful and usable pages.
OK, now call me names :-)
For the case shown -- the best seems to be to disallow any links to other
sites (and provide some kind of "cleaning proxy" if users want to
publish images from elsewhere. Looks like fun).
Regards
-- tomás
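One way to implement the rule suggested in the reply above (drop any user-supplied link that does not point at your own site, and route foreign images through a cleaning proxy), as an added example that is not code from this thread; the site hosts and the proxy path are assumptions:

```python
from typing import Optional
from urllib.parse import quote, urlsplit

# Assumed values for the example: the hosts we consider "our own site"
# and the path of a hypothetical image-cleaning proxy endpoint.
OWN_HOSTS = {"example.org", "www.example.org"}
PROXY_PATH = "/imgproxy?u="


def _plain_http(url: str):
    """Parse a user-supplied URL; return the parts only if it is plain
    http(s) with a host. javascript:, data:, vbscript:, scheme-less and
    protocol-relative (//host) URLs all fail this check."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    if not parts.hostname:
        return None
    return parts


def sanitize_link(url: str) -> Optional[str]:
    """href for an <a>: keep only http(s) links to our own hosts,
    drop everything else (the 'no links to other sites' rule).
    Comparing parts.hostname, not the raw netloc, defeats
    'http://example.org@evil.test/' style tricks."""
    parts = _plain_http(url)
    if parts is None or parts.hostname.lower() not in OWN_HOSTS:
        return None
    return parts.geturl()


def sanitize_image(url: str) -> Optional[str]:
    """src for an <img>: own-host images pass through unchanged, foreign
    http(s) images are rewritten to go through the cleaning proxy (which
    would fetch, re-encode and serve the bytes itself), anything that is
    not plain http(s) is dropped."""
    parts = _plain_http(url)
    if parts is None:
        return None
    if parts.hostname.lower() in OWN_HOSTS:
        return parts.geturl()
    return PROXY_PATH + quote(parts.geturl(), safe="")
```

The returned strings still need HTML attribute escaping when written into a page; this only decides which URLs are allowed at all.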