I’ve just been listening to Security Now about Cross-Site Scripting. It makes my blood boil. No, not all the ads and endless, aimless waffling. The talk about Cross-Site Scripting (aka XSS) being a problem because code and data can be intermingled in the page.
No, it’s not.
XSS is a problem because we have dumb programmers using even dumber tools1.
I’ve railed before about the fact that if you’re outputting HTML, then your tool should do HTML escaping for you by default.
It’s kind of understandable in systems like Template Toolkit, which are not specifically aimed at the web, but it’s completely inexcusable in PHP. It’s designed to create web pages. You’d think it’d be able to do it safely and easily. No chance.
But lest you think I rant at PHP, most other systems I’ve seen (in Java, Perl and Ruby) make it nearly as hard to do correctly. Let me rephrase:
If you have to think about where to apply escaping, then your tool is letting you down.
This isn’t to say XSS is the only problem. There are plenty of other problems to be aware of. CSRF appears to be garnering lots of attention these days.
One really useful link did come out of the Security Now show: OWASP (Open Web Application Security Project). It’s really worth checking out the OWASP Guide in order to educate yourself about security on the web.
1 Before you start to feel offended about being called a “dumb programmer”, I most certainly include myself in this category too.