Community Creators, Secure Your Code

Niklas Bivald writes for A List Apart regarding cross-site scripting attacks. I had no idea that Internet Explorer executes JavaScript contained within style attributes:


and that filtering for “javascript” isn’t enough, because IE will also accept things like:


which is just sickening. Off the top of my head, I’m thinking you could filter for the regex “j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t”, but who would expect that that’s necessary?

Thursday, 20 April 2006