Community Creators, Secure Your Code

Niklas Bivald writes for A List Apart regarding cross-site scripting attacks. I had no idea that Internet Explorer executes JavaScript contained within style attributes:

<style="background:url(javascript:alert(document.cookie))">

and that filtering for “javascript” isn’t enough, because IE will also accept things like:

<style="background:url(ja
    vas
    cript:alert(document.cookie))">

which is just sickening. Off the top of my head, I’m thinking you could filter for the regex “j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t”, but who would expect that that’s necessary?

β˜… Thursday, 20 April 2006

Ads via The Deck Ads via The Deck