Cross Site Scripting, again

Twitter all clear after worm wave

Twitter has been given the all clear after a worm infected “tens of thousands of users”. But experts say the attack could have been much worse.

Another day, another XSS hole. It reminds me of something (probably apocryphal) that I heard about lung cancer research. There’s no real need for it. We know what causes lung cancer — smoking.

True or not, we know what causes XSS holes. It’s poor tools. Now given a choice between:



Guess which one is going to be picked, every single time. And guess which one doesn’t escape HTML properly. Lest you think I’m picking on JSPs, most templating systems have the same flaw.

This is why I was immensely pleased to see “Reducing XSS by way of Automatic Context-Aware Escaping in Template Systems” from Google. Unfortunately, their solution isn’t universally available yet, but it really serves the purpose of showing how this can be done correctly.
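To make the difference concrete, here is an added example (not from the original post or from the Google article) that renders one template twice: with Go's standard `text/template`, which substitutes values verbatim, and with `html/template`, which escapes each value according to the context it lands in. The choice of Go, the template string and the sample inputs are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltmpl "html/template"
	"io"
	texttmpl "text/template"
)

// One untrusted value lands in three contexts: HTML text, a URL
// attribute and a JavaScript string literal.
const page = `<p>{{.}}</p><a href="{{.}}">link</a><script>var v = "{{.}}";</script>`

// executor is satisfied by both text/template and html/template templates.
type executor interface {
	Execute(w io.Writer, data interface{}) error
}

func render(t executor, input string) string {
	var buf bytes.Buffer
	if err := t.Execute(&buf, input); err != nil {
		panic(err)
	}
	return buf.String()
}

// renderUnescaped substitutes the value verbatim (text/template).
func renderUnescaped(input string) string {
	return render(texttmpl.Must(texttmpl.New("page").Parse(page)), input)
}

// renderContextAware lets html/template choose an escaper per context.
func renderContextAware(input string) string {
	return render(htmltmpl.Must(htmltmpl.New("page").Parse(page)), input)
}

func main() {
	// Constructed sample inputs, not taken from the Twitter incident.
	for _, in := range []string{`"><script>alert(1)</script>`, `javascript:alert(1)`} {
		fmt.Println("input:        ", in)
		fmt.Println("verbatim:     ", renderUnescaped(in))
		fmt.Println("context-aware:", renderContextAware(in))
	}
}
```

The template author writes the same `{{.}}` in every position; the escaping decision is made by the engine, so the easy path is also the safe one.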
