Cross-site Scripting Techniques and Prevention
ALA serves up a great article addressing the dangers of cross-site scripting (XSS) vulnerabilities. Author Niklas Bivald says,
Validating and sanitizing user input is no longer optional. Consider what your users really need to do, think about what characters they need to accomplish those tasks, and strip/convert as necessary to protect your community.
Part 1 provides examples of XSS attacks, and a checklist for validating input. An upcoming Part 2 promises to deliver techniques for closing these vulnerabilities and preventing attacks on your sites and communities.
The excitement generated by the popularity of Ajax technologies and all the flashy new Web 2.0 applications, along with a wealth of published tutorials and “howtos”, must entice many to dive headfirst into web development. My guess is that many do this with little or no thought to the implications these technologies might have on security. I am happy to see XSS addressed, even if in such a simple manner, and hope to see more of these types of tutorials.