
April 21, 2008

Noteworthy injection

Noteworthy injection: User-generated content is great, but you can't trust it, and you must vet it before republishing it. This weekend the Barack Obama website accepted a comment from a visitor but did not strip or escape the angle brackets and quote marks in it, so the comment was rendered as markup rather than as text. The result was a page whose new user-generated JavaScript redirected visitors to the Hillary Clinton website: a textbook stored cross-site scripting flaw. See Wikipedia for an introduction to why form-field input from visitors must be sanitized before it is republished, and XSSed for additional details on the political redirect. Me, I'm hoping the next debate has a question about how each candidate feels about cross-site scripting exploits, and whether libraries like Scriptaculous should always insist upon form-field validation.... ;-)
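As an added example (not code from the original post, nor from either campaign's website), here is the failure described above next to its fix, in JavaScript: a comment template that drops visitor text straight into HTML, the same template with output encoding, and a small check a test suite can run over the rendered markup. The function names, the comment and author payloads, and the host rival-candidate.example are all constructed for illustration.

```javascript
// Added example, not code from the original post or from either
// campaign's website. It reproduces the failure described above (a
// comment republished with its angle brackets and quote marks intact)
// next to the output-encoding fix. All inputs are constructed.

// Constructed attacker inputs. The host rival-candidate.example is a
// placeholder, not the real redirect target.
const ATTACK_COMMENT =
  '<script>location.href="https://rival-candidate.example/"</script>';
// Breaks out of a double-quoted attribute using only a quote mark; no
// angle brackets needed, so bracket-only filtering would miss it.
const ATTACK_AUTHOR =
  'x" onmouseover="location.href=\'https://rival-candidate.example/\'';

// Vulnerable template: user text is interpolated straight into HTML,
// which is the behaviour the post describes.
function renderCommentUnsafe(author, comment) {
  return `<div class="comment" data-author="${author}"><p>${comment}</p></div>`;
}

// Fixed template: every user-controlled value is HTML-encoded at the point
// where it is written into the page.
function renderCommentSafe(author, comment) {
  return `<div class="comment" data-author="${escapeHtml(author)}">` +
    `<p>${escapeHtml(comment)}</p></div>`;
}

// Encode the five characters that can change meaning in HTML text or in
// a quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Smoke check for a test suite: list the distinct tag names in rendered
// markup. A comment box should only ever produce the template's own tags.
function tagNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)) {
    names.add(m[1].toLowerCase());
  }
  return [...names].sort();
}

// Whether the rendered markup lets user input add an event-handler
// attribute to the template's own tag (the quote-mark breakout above).
function attributeInjected(html) {
  return /data-author="[^"]*"\s+on\w+=/i.test(html);
}

function demo() {
  const unsafe = renderCommentUnsafe(ATTACK_AUTHOR, ATTACK_COMMENT);
  const safe = renderCommentSafe(ATTACK_AUTHOR, ATTACK_COMMENT);
  return {
    unsafeTags: tagNames(unsafe),                  // ["div", "p", "script"]
    safeTags: tagNames(safe),                      // ["div", "p"]
    unsafeAttrInjected: attributeInjected(unsafe), // true
    safeAttrInjected: attributeInjected(safe),     // false
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Note where the fix sits: the encoding is applied at the moment the stored text is written into HTML, not by rejecting characters at the form. A legitimate comment may contain a less-than sign or an apostrophe, and the same stored string may later be emitted into a different context (an attribute, a script block, JSON) where a different encoding is needed, so "vetting before republishing" has to happen per output context.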

Posted by JohnDowdell at April 21, 2008 1:41 PM