On Fri, Oct 06, 2006 at 04:35:22PM +0200, Clinton Gormley wrote:
> I'm testing my current site for XSS vulnerabilities, and I came across
> this one on:
>
> http://ha.ckers.org/xss.html
[...]
> Now this is an interesting one... How would you avoid this? Only take
> parameters from the POST data? Any other ideas?

Users:
* switch off Javascript (and any other active content)
* avoid pages unusable without active content

Developers:
* always offer working alternatives to active content (page must be usable with no JS, no Java, no Flash (I won't talk about other client-side monsters here)).
* convince your bosses/clients that (X)HTML/CSS is enough to make beautiful and usable pages.

OK, now call me names :-)

For the case shown -- the best seems to disallow any links to other sites (and provide some kind of "cleaning proxy" if users want to publish images from elsewhere. Looks like fun).

Regards
--
tomás
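The "cleaning proxy" idea above, worked through as an added example that is not part of the original mail: user-submitted HTML is reduced to text plus `<img>` tags, any `src` that is not a plain http(s) URL (javascript:, data:, entity-encoded variants) is dropped, same-site images pass through, and off-site images are rewritten to an HMAC-signed proxy path that the proxy endpoint can verify before fetching. The secret, the local host list and the `/imgproxy/` path are assumptions for the demo.

```python
import hashlib
import hmac
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

SECRET = b"constructed-demo-secret"   # assumption: per-deployment secret, keep out of source
LOCAL_HOSTS = {"example.com"}         # assumption: hosts whose images need no proxying


def proxied_src(src):
    """Return a safe src for an <img>, or None if the URL must be dropped."""
    parts = urlsplit(src.strip())
    # Only absolute http(s) URLs survive; javascript:, data:, vbscript: and
    # relative/protocol-relative forms are all rejected here.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.hostname in LOCAL_HOSTS:
        return src
    sig = hmac.new(SECRET, src.encode(), hashlib.sha256).hexdigest()
    return f"/imgproxy/{sig}/{src.encode().hex()}"


def verify_proxy_path(path):
    """Proxy endpoint side: recover the original URL only if the HMAC is valid."""
    try:
        _, prefix, sig, hexurl = path.split("/")
        url = bytes.fromhex(hexurl)
    except ValueError:
        return None
    expected = hmac.new(SECRET, url, hashlib.sha256).hexdigest()
    if prefix != "imgproxy" or not hmac.compare_digest(sig, expected):
        return None
    return url.decode()


class ImgRewriter(HTMLParser):
    """Keeps text and <img src alt> only; every other tag and attribute is dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)   # also decodes &#106;avascript: in attrs
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = proxied_src(a.get("src") or "")
        if src is not None:
            alt = html.escape(a.get("alt") or "", quote=True)
            self.out.append(f'<img src="{html.escape(src, quote=True)}" alt="{alt}">')

    def handle_data(self, data):
        self.out.append(html.escape(data))   # script/style bodies end up as inert text


def clean(fragment):
    p = ImgRewriter()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```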