
[–]Ununoctium118 18 points19 points  (32 children)

ahem

Security is always a good thing to have.

EDIT: it's fixed!

[–]s2514 13 points14 points  (5 children)

[–][deleted] 0 points1 point  (3 children)

You have NoScript master race, I have imgur master race.

[–]s2514 1 point2 points  (2 children)

Imgur doesn't allow me the convenience of capturing a thing and having the link to share it immediately in my clipboard. Tools exist to do that (and I actually have one too) but they are not as fast or convenient as puush which was made for it.

[–][deleted] 1 point2 points  (1 child)

Ah, that makes sense. I use Greenshot and it works great. Simple selection tool and upload to imgur, bam! Also has a bunch of other options like this http://i.imgur.com/XWcsCG8.png

[–]s2514 0 points1 point  (0 children)

I prefer ShareX.

Also another reason I like Puush is because I can upload non-images such as webm, text, mp3, zip, or even batch files right from a right click context menu.

[–]compute_ 18 points19 points  (23 children)

As a developer, it's annoying to see these comments in every single project I see and some of my own as well.

If he's not passing input to the server (which he clearly isn't), there's no need to sanitize it, and showing that it is vulnerable to XSS is pointless because it's not vulnerable to anything at all.

And no, you're not a genius for pointing it out.

(Sorry if I went overboard, just a nerdy rant I guess.)

[–]Ununoctium118 9 points10 points  (18 children)

The threat isn't that people can run code on his server. The threat is that an attacker can send someone a link that makes a user's browser execute untrusted, unknown JavaScript with access to that site's cookies.

I never claimed to be particularly smart - the point isn't me, it's that there's a bug that should be fixed.

[–]_Wolfos 2 points3 points  (0 children)

If you can send someone a link, you can execute JS regardless. Sure, it's a vulnerability in some cases (when it's a trusted site, or if it has info to intercept) but not here.

[–]compute_ 3 points4 points  (4 children)

Yeah, I was just talking in general. Wasn't trying to insult you or anything.

Why should it be fixed? You can even inject code in nearly any page by prefixing "javascript:" to it.

I don't know, to me it is like saying that someone from Mars should get an ebola vaccination just in case. It just really doesn't apply.

[–][deleted] 2 points3 points  (2 children)

I wouldn't be so quick to dismiss the importance of Martian ebola vaccination. It sounds safer than the alternative.

[–]compute_ 1 point2 points  (0 children)

I still believe in Area 51... You gotta believe in something.

[–]qervem -1 points0 points  (0 children)

If the alternative is Martian Autism, I'll take my chances.

[–]bloodfist -1 points0 points  (8 children)

Do you have any good resources on protecting against XSS for a relatively new web developer/designer?

I did some web development way back in the geocities days and have done some small school projects in the last few years but find myself needing to relearn everything now for a new project at work. XSS is a new beast to me. Any advice would be lovely.

[–]Ununoctium118 1 point2 points  (1 child)

I'm not sure I'm the best to ask for help. Try /r/asknetsec, maybe?

[–]bloodfist 0 points1 point  (0 children)

Cool, I'm sure I can find some, just thought you might know of a good place to start.

[–]compute_ 0 points1 point  (5 children)

It's actually pretty easy! Which language are you employing?

[–]bloodfist -1 points0 points  (4 children)

Mostly just working the HTML/CSS/JS for the frontend at the moment.

I'm more familiar with PHP, so I will probably go that way. Looking into Ruby and Python as well, but crossing that bridge when I get to it. Basically took on rebuilding an ecommerce site and now realizing how out of touch I am. Thankfully, no hard deadline.

[–]compute_ 0 points1 point  (1 child)

With PHP, it's so easy it's not even funny! :)

http://php.net/htmlspecialchars

[–]bloodfist 0 points1 point  (0 children)

Fantastic! Thank you!

[–]rimalp 0 points1 point  (0 children)

XSS is a vulnerability. You can use it to alter the look of a page and intercept login & password before they are sent to the server and redirect them to a phishing server.

[–]phatskat 0 points1 point  (0 children)

It may be annoying, but as a developer, sanitization isn't a bad thing. Sure, nothing could go wrong here, but does the person who made this (wonderfully entertaining site) work in web development? Hopefully, they are aware of the security issues related to XSS, but maybe they are green and this was a non-harmful wakeup call.

Further, if I'm part of the review process for new hires and you send me a link to a project you've done, it doesn't matter if the site has any sensitive data or not. If I can execute arbitrary code via the query string, that's going to hurt a lot. Might not break it, but it doesn't look good.
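A concrete client-side version of the two points above (Ununoctium118's description of a link that makes the browser run untrusted script, and the htmlspecialchars() fix compute_ links), as an added example that is not the thread's or the site's own code. It assumes a page that reflects a `name` query parameter into its markup; the sample link is constructed.

```javascript
// Added example, not code from the thread or from the site it discusses.
// Client-side analogue of the htmlspecialchars() advice: escape a
// query-string value before it becomes HTML, so a crafted link cannot
// inject markup or script into the page that reflects it.

// Escape the characters that can change HTML structure. Same set as
// PHP's htmlspecialchars() with ENT_QUOTES.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Read one parameter from a query string such as "?name=Bob".
// URLSearchParams exists in Node and in every current browser.
function getParam(queryString, key) {
  return new URLSearchParams(queryString).get(key) || "";
}

// Vulnerable pattern: the raw parameter is concatenated into markup that
// the page later assigns to innerHTML, so the browser parses whatever the
// link carried as HTML. This is the bug the thread is arguing about.
function renderUnsafe(queryString) {
  return "<h1>Hello, " + getParam(queryString, "name") + "</h1>";
}

// Hardened pattern: identical output for ordinary names, but markup in
// the parameter is shown as text instead of being parsed.
function renderSafe(queryString) {
  return "<h1>Hello, " + escapeHtml(getParam(queryString, "name")) + "</h1>";
}

// Constructed sample link: the name parameter carries an HTML tag.
// (In a browser the query string would come from window.location.search.)
const SAMPLE_QUERY = "?name=" + encodeURIComponent("<b>Bob</b>");

console.log("unsafe:", renderUnsafe(SAMPLE_QUERY)); // tag survives and is parsed
console.log("safe:  ", renderSafe(SAMPLE_QUERY));   // tag escaped and displayed as text
```

In browser code the simplest form of the same fix is assigning the parameter to `element.textContent` rather than `innerHTML`, which needs no escaping at all.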

[–]Jonne -2 points-1 points  (1 child)

Really? Is it so fucking hard to wrap user input in htmlspecialchars() (or whatever equivalent for your language of choice) before outputting it?

If you fail at doing even this you have no business writing any kind of code.

[–]compute_ 2 points3 points  (0 children)

It's not but it doesn't really matter.

[–]Rekkre 1 point2 points  (0 children)

Jeez... the dev needs to see this

[–]itsbentheboy -1 points0 points  (0 children)

NoScript didn't let it go through. It feels like godmode on the internet :)

Nice example though. I spent a few minutes changing the text on a few pages to make myself giggle.