Hi Ted,

> Similarly, implementations of Javascript and AJAX have leaked files to the OS, allowed some nasty cross-site scripting issues

I can't let that go by uncommented... <s>

JavaScript is not the reason for cross-site scripting problems. In fact, as we see an increase in JavaScript-based applications, we will likely see a reduction of cross-site scripting problems (compared to the total of available applications). If you look for XSS attacks on security mailing lists, the number one tool involved in XSS is PHP. PHP makes it very easy to write insecure or buggy web applications, but hard to write secure ones. Writing a web page using a JavaScript framework requires significantly more programming knowledge, and the framework also handles many of the issues that lead to cross-site scripting as well as other typical bugs.

Server-side software requires a different mindset than client-side software. It takes some time for a developer to achieve that mindset. JavaScript applications, OTOH, are client based. They are written similar to desktop applications, in which you use the web server only as a repository to retrieve data.

Yahoo is a good example of what I mean. On the Yahoo Mail help page you can find the following link:

<a href="http://us.rd.yahoo.com/reg/login1/lisu/signup_lib/us/ym/*http://edit.yahoo.com/config/eval_register?.intl=us&new=1&.done=http%3A//mail....

That's a clear sign that the developers didn't know what they did. Inside an HTML document, & has to be encoded as an HTML entity. The correct syntax is:

...l=us&amp;new=...

-- 
Christof

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
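The encoding point Christof raises (a raw & inside an href must be written as &amp;) is easy to get right with a small attribute encoder. The following is an added example, not code from the post or from Yahoo: it escapes the five characters that matter inside an HTML attribute value, shows that the browser's decoding turns &amp;new=1 back into &new=1 so the query string reaches the server intact, and uses a constructed sample URL (example.com hostnames, made-up parameter names) rather than the real link.

```javascript
// Added example (not from the ProFox post): encoding a URL for use inside an
// HTML attribute such as href. SAMPLE_URL below is a constructed stand-in for
// the kind of link quoted in the post; the hostnames and parameters are made up.

const HTML_ATTR_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a string so it can sit inside a double- or single-quoted HTML
// attribute value. Every & becomes &amp;, which is what the post says the
// Yahoo link should have used; <, >, " and ' are escaped too so that data
// placed in the attribute cannot terminate the attribute or the tag.
function encodeHtmlAttribute(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ATTR_ESCAPES[ch]);
}

// Minimal decoder for the five entities above, standing in for what the
// browser's HTML parser does with the attribute: &amp;new=1 in the page source
// becomes &new=1 in the actual href, so the server sees the intended query.
const HTML_ATTR_UNESCAPES = {
  "&amp;": "&",
  "&lt;": "<",
  "&gt;": ">",
  "&quot;": '"',
  "&#39;": "'",
};
function decodeHtmlAttribute(value) {
  return String(value).replace(/&(?:amp|lt|gt|quot|#39);/g, (m) => HTML_ATTR_UNESCAPES[m]);
}

// Build an <a> tag whose href and link text are both attribute/text encoded.
function anchorTag(url, text) {
  return `<a href="${encodeHtmlAttribute(url)}">${encodeHtmlAttribute(text)}</a>`;
}

// Constructed sample URL with several query parameters, modelled on the shape
// of the link in the post. Percent-encoding (%3A) is left alone by the encoder;
// only the raw ampersands separating parameters are turned into &amp;.
const SAMPLE_URL =
  "http://example.com/config/register?.intl=us&new=1&.done=http%3A//mail.example.com/";

if (typeof require !== "undefined" && require.main === module) {
  console.log(anchorTag(SAMPLE_URL, "Sign up"));
}
```

Usage: `anchorTag(SAMPLE_URL, "Sign up")` yields an anchor whose source contains `&amp;new=1&amp;.done=`, while `decodeHtmlAttribute` applied to the encoded href returns the original URL unchanged. The same encoder is the right tool whenever server-generated data lands in an attribute; JavaScript code that builds links by setting `a.href` on a DOM element instead of concatenating HTML does not need it at all, which is one reason client-side frameworks sidestep a whole class of these bugs.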

