On Thu, 27 Apr 2000, Vivek Khera wrote:
> Why on earth would you take user input and output it verbatim to your
> pages? Rule number 1 of developing a web site is to never trust the
> user's input values. *Always* validate it against what you're
> expecting.

I guess someone had better tell the folks at Vignette that. Well, and
the folks at all the major search engines. And the portals. And anyone
using a search box that redisplays the query on every results page...
Before I wrote the article, I checked out about fifty major portals
and search engines, and only about a third did any filtering on the
input; some did filtering, but poorly; and a good third of them just
redisplayed the query verbatim. Try searching for
<script>alert("aha");</script>
at your favorite search engine. The problem is, well, pretty widespread.
Steve
--
tired of being an underappreciated functionary in a soulless machine?
hesketh.com is hiring: <http://hesketh.com/careers/>
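
The query redisplay described in the message above, as an added example that is not part of the original post: a constructed results page that echoes the search term verbatim, beside the same page with the term HTML-encoded, each audited with Python's standard `html.parser`. The page template, function names and the audit helper are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the search string quoted in the message above.
QUERY = '<script>alert("aha");</script>'

# Hypothetical results-page template: the query is redisplayed twice,
# once inside an attribute value and once in the page body.
TEMPLATE = ('<form><input name="q" value="%s"></form>\n'
            '<p>Results for: %s</p>')
EXPECTED_TAGS = ["form", "input", "p"]  # the template's own markup

def render_verbatim(query):
    """Redisplay the query exactly as it was received."""
    return TEMPLATE % (query, query)

def render_encoded(query):
    """Redisplay the query HTML-encoded (& < > " ' become entities)."""
    safe = html.escape(query, quote=True)
    return TEMPLATE % (safe, safe)

class TagAudit(HTMLParser):
    """Collects every element the page would make a browser create."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_values.append(dict(attrs).get("value"))

def audit(page):
    """Return (start tags in the page, decoded values of <input> fields)."""
    parser = TagAudit()
    parser.feed(page)
    parser.close()
    return parser.tags, parser.input_values

if __name__ == "__main__":
    for render in (render_verbatim, render_encoded):
        tags, values = audit(render(QUERY))
        verdict = "template only" if tags == EXPECTED_TAGS else "query markup on page"
        print(render.__name__, tags, verdict)
```

With encoding, the search box still shows the user's original text, because the browser decodes the entities for display without treating them as markup.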