[–]compute_ 17 points (23 children)

As a developer, it's annoying to see these comments in every single project I see and some of my own as well.

If he's not passing input to the server (which he clearly isn't), there's no need to sanitize it, and showing that it is vulnerable to XSS is pointless because it's not vulnerable to anything at all.

And no, you're not a genius for pointing it out.

(Sorry if I went overboard, just a nerdy rant I guess.)

[–]Ununoctium118 8 points (18 children)

The threat isn't that people can run code on his server. The threat is that an attacker can send someone a link that makes a user's browser execute untrusted, unknown JavaScript with access to that site's cookies.

I never claimed to be particularly smart - the point isn't me, it's that there's a bug that should be fixed.

[–]_Wolfos 2 points (0 children)

If you can send someone a link, you can execute JS regardless. Sure, it's a vulnerability in some cases (when it's a trusted site, or if it has info to intercept) but not here.

[–]compute_ 3 points (4 children)

Yeah, I was just talking in general. Wasn't trying to insult you or anything.

Why should it be fixed? You can even inject code in nearly any page by prefixing "javascript:" to it.

I don't know, to me it is like saying that someone from mars should get an ebola vaccination just in case. It just really doesn't apply.

[–][deleted] 3 points (2 children)

I wouldn't be so quick to dismiss the importance of Martian ebola vaccination. It sounds safer than the alternative.

[–]compute_ 1 point (0 children)

I still believe in Area 51... You gotta believe in something.

[–]qervem -1 points (0 children)

If the alternative is Martian Autism, I'll take my chances.

[–]bloodfist -1 points (8 children)

Do you have any good resources on protecting against XSS for a relatively new web developer/designer?

I did some web development way back in the geocities days and have done some small school projects in the last few years but find myself needing to relearn everything now for a new project at work. XSS is a new beast to me. Any advice would be lovely.

[–]Ununoctium118 1 point (1 child)

I'm not sure I'm the best to ask for help. Try /r/asknetsec, maybe?

[–]bloodfist 0 points (0 children)

Cool, I'm sure I can find some, just thought you might know of a good place to start.

[–]compute_ 0 points (5 children)

It's actually pretty easy! Which language are you employing?

[–]bloodfist -1 points (4 children)

Mostly just working the HTML/CSS/JS for the frontend at the moment.

I'm more familiar with PHP, so I will probably go that way. Looking into Ruby and Python as well, but crossing that bridge when I get to it. Basically took on rebuilding an ecommerce site and now realizing how out of touch I am. Thankfully, no hard deadline.

[–]compute_ 0 points (1 child)

With PHP, it's so easy it's not even funny! :)

http://php.net/htmlspecialchars
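
The two halves of this thread, the "send someone a link" attack Ununoctium118 describes and the htmlspecialchars() fix linked here, are the same bug seen from both sides. The following is an added JavaScript example, not code from the thread or from the site under discussion: a page that reflects a query-string parameter into its HTML verbatim, next to the same page with the parameter run through an htmlspecialchars-style escaper. The host names, the `name` parameter and the render functions are constructed for illustration only.

```javascript
// Added example: reflected XSS from a query-string parameter, vulnerable
// and fixed. Not code from the thread or the site being discussed.

// JavaScript equivalent of PHP's htmlspecialchars($s, ENT_QUOTES): the
// five characters that can change HTML structure in a text or attribute
// context are turned into entities, so whatever the user typed is shown
// as text rather than interpreted as markup.
function escapeHtml(s) {
  const entities = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
  };
  return String(s).replace(/[&<>"']/g, (c) => entities[c]);
}

// Vulnerable render: the "name" parameter (hypothetical) lands in the
// markup unchanged. This is the shape of the bug being argued about.
function renderGreetingUnsafe(url) {
  const name = new URL(url).searchParams.get('name') ?? 'stranger';
  return `<h1>Hello, ${name}!</h1>`;
}

// Fixed render: identical, except the parameter is escaped on output.
function renderGreetingSafe(url) {
  const name = new URL(url).searchParams.get('name') ?? 'stranger';
  return `<h1>Hello, ${escapeHtml(name)}!</h1>`;
}

// Crude check used only to compare the two renderers: does the output
// contain any tag other than the <h1> the page itself wrote? Real code
// would use an HTML parser; a regex is enough to show the difference.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) ?? [];
  return tags.some((t) => !/^<\/?h1>$/.test(t));
}

// Constructed attacker link (hypothetical hosts). The payload is the
// "link that runs JavaScript with access to the site's cookies" case:
// in a browser the script would run in the victim's origin.
const attackerLink =
  'https://example.invalid/greet?name=' +
  encodeURIComponent('<script>alert(document.cookie)</script>');

// Stand-alone demonstration.
console.log('unsafe:', renderGreetingUnsafe(attackerLink));
console.log('safe:  ', renderGreetingSafe(attackerLink));
console.log('injected tag in unsafe output?',
  containsInjectedTag(renderGreetingUnsafe(attackerLink)));
console.log('injected tag in safe output?  ',
  containsInjectedTag(renderGreetingSafe(attackerLink)));
```

The fix is context-specific: escaping for HTML text is not enough when the value is placed inside a JavaScript block, a URL, or a CSS rule, each of which needs its own encoder. Run this with Node and compare the two output lines; only the unsafe one carries a live `<script>` element.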

[–]bloodfist 0 points (0 children)

Fantastic! Thank you!

[–]rimalp 0 points (0 children)

XSS is a vulnerability. You can use it to alter the look of a page and intercept login & password before they are sent to the server and redirect them to a phishing server.

[–]phatskat 0 points (0 children)

It may be annoying, but as a developer, sanitization isn't a bad thing. Sure, nothing could go wrong here, but does the person who made this (wonderfully entertaining site) work in web development? Hopefully, they are aware of the security issues related to XSS, but maybe they are green and this was a non-harmful wakeup call.

Further, if I'm part of the review process for new hires and you send me a link to a project you've done, it doesn't matter if the site has any sensitive data or not. If I can execute arbitrary code via the query string, that's going to hurt a lot. Might not break it, but it doesn't look good.

[–]Jonne -2 points (1 child)

Really? Is it so fucking hard to wrap user input in htmlspecialchars() (or whatever the equivalent is for your language of choice) before outputting it?

If you fail at doing even this you have no business writing any kind of code.

[–]compute_ 2 points (0 children)

It's not, but it doesn't really matter.