On Thu, 27 Apr 2000, Vivek Khera wrote:
> >>>>> "SC" == Steven Champeon <[EMAIL PROTECTED]> writes:
>
> SC> developers and designers) for Webmonkey:
>
> SC> http://hotwired.lycos.com/webmonkey/00/18/index3a.html
>
> SC> If you want to see what sort of stuff the XSS problem opens you up for,
> SC> just try appending ?tw=<script>alert("aha!");</script> to the URL above.
>
> Why on earth would you take user input and output it verbatim to your
> pages? Rule number 1 of developing a web site is to never trust the
> user's input values. *Always* validate it against what you're
> expecting.
Remember, this isn't just cases where user A writes something that user B
sees. This includes cases where user A creates something that only user A
sees. Traditionally, it was often assumed that "hey, who cares? It is
only the user that will see it, no one else will".
It is really a very hard problem to ensure it is 100% correct everywhere,
and there are a lot of gotchas involved in trying to do it properly in
anything but the simplest situation.
Every major web site has places where they don't do this properly.
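As an added illustration of the two points above (echoing a query parameter verbatim versus escaping or allow-listing it), here is a small Python example written for this thread, not code from Webmonkey or from any poster. The URL, the parameter name `tw` and the function names are constructed for the example; the payload is the one quoted in the thread.

```python
import html
from urllib.parse import unquote_plus, urlsplit

# Constructed sample request: the thread's own payload appended as ?tw=...
# (example.invalid is a placeholder host, not the site discussed above).
SAMPLE_URL = 'http://example.invalid/index3a.html?tw=<script>alert("aha!");</script>'


def query_params(url: str) -> dict:
    """Minimal query-string parser: split on '&' only, percent-decode values.

    A browser would normally send '<' and '"' percent-encoded; unquote_plus
    restores them, so the server sees the same string either way.
    """
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def tw_param(url: str) -> str:
    return query_params(url).get("tw", "")


def render_vulnerable(tw: str) -> str:
    """The pattern the thread complains about: user input copied straight
    into the HTML body, so markup in the parameter becomes markup in the page."""
    return f"<p>You searched for: {tw}</p>"


def render_escaped(tw: str) -> str:
    """Output encoding for an HTML text/attribute context: '&', '<', '>',
    '"' and "'" become entities, so the browser renders them as text."""
    return f"<p>You searched for: {html.escape(tw, quote=True)}</p>"


def render_validated(tw: str, allowed=frozenset({"fast", "slow"})) -> str:
    """Allow-list validation ('validate it against what you're expecting'):
    only known values reach the page; anything else falls back to a default.
    Use this where the parameter has a small fixed vocabulary; otherwise
    escape as in render_escaped()."""
    value = tw if tw in allowed else "default"
    return f"<p>Mode: {value}</p>"


def contains_script_tag(page: str) -> bool:
    """Crude detector used here only to show the difference between outputs."""
    return "<script" in page.lower()


if __name__ == "__main__":
    tw = tw_param(SAMPLE_URL)
    print("verbatim :", render_vulnerable(tw))
    print("escaped  :", render_escaped(tw))
    print("validated:", render_validated(tw))
```

Note that the same rule applies when the only person who will ever see the echoed value is the one who typed it: the link can be handed to that person by someone else, so "only the user sees it" offers no protection.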