Cross Site Scripting, again

Twitter all clear after worm wave

Twitter has been given the all clear after a worm infected “tens of thousands of users”. But experts say the attack could have been much worse.

Another day, another XSS hole. It reminds me of something (probably apocryphal) that I heard about lung cancer research. There’s no real need for it. We know what causes lung cancer — smoking.

True or not, we know what causes XSS holes: tools whose easiest default does not escape output. Given a choice between:

<p><c:out value="${userName}"/></p>

And

<p>${userName}</p>

Guess which one is going to be picked, every single time. And guess which one doesn’t escape HTML properly: <c:out> escapes <, >, & and quotes by default (escapeXml is true unless you turn it off), while the bare EL expression writes the value into the page verbatim. Lest you think I’m picking on JSPs, most templating systems have the same flaw.

This is why I was immensely pleased to see Reducing XSS by way of Automatic Context-Aware Escaping in Template Systems from Google. The idea is that the template system itself works out whether each placeholder lands in an HTML text node, an attribute value, a URL or a script block and applies the escaping that context needs, so the developer no longer has to remember to ask for it. Unfortunately, their solution isn’t universally available yet, but it shows how this can be done correctly.
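As an added example (not code from the post or from the Google paper), the following Go program puts the bare-placeholder failure beside context-aware escaping. Go’s text/template copies values in verbatim, the way ${userName} does; Go’s html/template applies contextual autoescaping of the kind the paper describes. It goes beyond the text-node case in the JSP snippets by landing the same value in a quoted attribute and in a URL query string, where the correct escaping differs (entity escaping for the text node and attribute, percent-encoding for the URL). The template body, the hostile display name and the .Name field are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Constructed sample input: a display name carrying a script tag, standing
// in for the ${userName} value in the post. Not taken from any real worm.
const hostileName = `eve<script>alert(1)</script>`

// One template body in which the same placeholder lands in three contexts:
// an HTML text node, a quoted attribute value, and a URL query parameter.
// The .Name field is an assumption made for this example.
const pageTemplate = `<p>{{.Name}}</p>
<input value="{{.Name}}">
<a href="/profile?u={{.Name}}">profile</a>
`

type user struct{ Name string }

// renderUnescaped behaves like bare ${userName}: text/template copies the
// value into the output verbatim, whatever context it lands in.
func renderUnescaped(name string) (string, error) {
	t, err := texttemplate.New("page").Parse(pageTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, user{Name: name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderContextual uses html/template, which parses the template as HTML,
// tracks the context of every {{...}} and picks the matching escaper:
// entity escaping in the text node and attribute, percent-encoding in the URL.
func renderContextual(name string) (string, error) {
	t, err := htmltemplate.New("page").Parse(pageTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, user{Name: name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// liveScriptTags counts how many times the payload survived as real markup.
func liveScriptTags(rendered string) int {
	return strings.Count(rendered, "<script>")
}

func main() {
	raw, err := renderUnescaped(hostileName)
	if err != nil {
		panic(err)
	}
	safe, err := renderContextual(hostileName)
	if err != nil {
		panic(err)
	}
	fmt.Printf("text/template (%d live script tags):\n%s\n", liveScriptTags(raw), raw)
	fmt.Printf("html/template (%d live script tags):\n%s\n", liveScriptTags(safe), safe)
}
```

The unescaped rendering carries three live script tags; the contextual one carries none, and the URL placeholder comes out percent-encoded rather than entity-encoded, which a one-size-fits-all HTML escaper would get wrong. The escape hatch is the same as escapeXml="false" on <c:out>: wrapping a value in html/template’s HTML, JS or URL types tells the engine to trust it, so those types deserve the scrutiny that ${userName} never gets.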
