
Cross-site scripting attacks


Posted Apr 13, 2006 6:52 UTC (Thu) by jwb (subscriber, #15467)
In reply to: Cross-site scripting attacks by Dom2
Parent article: Cross-site scripting attacks

Having read your blog entry, it seems like you would agree that something like
document.createTextNode() does the right thing by default, no? If you stick to the DOM, there's no
way to inadvertently do something stupid. Everything, stupid or otherwise, is done explicitly.

Regarding your example of SQL placeholders, even that wisdom has not trickled down to the great
programming masses. The vast majority of PHP code out there in the wild builds up SQL queries using
string concatenation and explicit escaping. Usually this means no or insufficient escaping. PHP
only recently acquired a decent interface for interacting with SQL databases, and the use of it is not
yet widespread.


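The comment above makes one point about two contexts: an API is safe when the default treats input as data (document.createTextNode() in the DOM, placeholders in SQL) and anything unsafe has to be asked for explicitly. The following is an added example, not code from the thread or from LWN, showing that property for both contexts as JavaScript tagged templates. The names html, raw and sql are this example's own, the attacker inputs are constructed, and the query object shape { text, values } assumes a driver that accepts positional placeholders.

```javascript
// Added example (not from the LWN thread): two "safe by default" builders
// written as JavaScript tagged templates. Interpolated values are treated as
// data unless the caller explicitly opts out, which is the property the
// comment above attributes to document.createTextNode(). Runs under Node.js
// with no dependencies; the names html, raw and sql are this example's own.

// ---- HTML context: escape every interpolation, require raw() to opt out ----

// Enough for element content and double/single-quoted attribute values;
// not for JavaScript, URL or unquoted-attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Marker class: wrapping a string in RawHtml is the ONLY way to get
// unescaped markup into the output, so the unsafe path is explicit.
class RawHtml {
  constructor(markup) { this.markup = String(markup); }
}
function raw(markup) { return new RawHtml(markup); }

// html`...${value}...`: every value is escaped unless wrapped with raw().
function html(strings, ...values) {
  let out = '';
  strings.forEach((chunk, i) => {
    out += chunk;
    if (i < values.length) {
      const v = values[i];
      out += v instanceof RawHtml ? v.markup : escapeHtml(v);
    }
  });
  return out;
}

// ---- SQL context: never splice data into the query text at all ----

// sql`...${value}...` returns { text, values }: query text containing
// only '?' placeholders, plus the parameter list, for a driver that binds
// parameters server-side (assumed; the shape is this example's own).
function sql(strings, ...values) {
  let text = '';
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i < values.length) text += '?';
  });
  return { text, values };
}

// Constructed attacker-controlled inputs for the demonstration.
const xssPayload = '<script>alert(1)</script>';
const sqliPayload = "' OR '1'='1";

function renderComment(author, body) {
  return html`<p class="comment"><b>${author}</b>: ${body}</p>`;
}

function findUserQuery(username) {
  return sql`SELECT id FROM users WHERE name = ${username}`;
}

// The string-concatenation style the comment describes, kept as the "before":
// the payload becomes part of the query grammar instead of a bound value.
function findUserQueryUnsafe(username) {
  return "SELECT id FROM users WHERE name = '" + username + "'";
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderComment('jwb', xssPayload));
  console.log(findUserQuery(sqliPayload));
  console.log(findUserQueryUnsafe(sqliPayload));
}
```

In the browser the html builder's role is played directly by el.textContent or document.createTextNode(); the point of the tagged template is that a developer who wants markup has to write raw(), and a developer who wants to concatenate SQL has to step outside sql entirely, so the default in each case is the safe one.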

Cross-site scripting attacks

Posted Apr 13, 2006 9:23 UTC (Thu) by Dom2 (guest, #458)

Yes, document.createTextNode() does do the right thing. But I was thinking more in terms of server side solutions like PHP, ASP and JSP. They default to "insecure".

-Dom

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds