Hello world. Have you triple-checked your web app code for XSS holes today? I bet if you look hard enough, you'll find one. It's kind of depressing.
At one point, I thought that it was enough in web development to just be diligent in escaping output based on user data in HTML templates, or to use a template package that escaped by default. I was wrong: diligence fails. There are just too many spots where output happens, and you're going to miss one. It's the river versus the delta. The place to do it is at the source of the data river: detoxify the user's input before doing anything with it. POST and GET vars? Munge 'em, strip 'em, encode 'em, show no mercy. Declaw, defang, detoxify, before it's too late. Don't just distrust user input; accept that you are under attack. Assume that, at some point on some day, anything pulled in from the request environment will eventually end up echoed out to the response in all its naked glory. Nail it as early in the process as possible. It doesn't matter much if you've saved yourself from SQL injection attacks up front if, later down the line, that carefully backslashed and stored data turns around and bites you with a raw script tag when it's retrieved from storage. Escaping for one sink (a SQL string literal) does nothing for another (an HTML page); whatever you do at the source has to account for where the data will eventually land.
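The following is an added example of the "defang at the source" approach described above; it is not code from the original post. It uses a constructed request dictionary standing in for parsed GET/POST parameters (the field names, the allow-list rules and the 500-character comment limit are assumptions for illustration). Each field is validated or normalized at the request boundary, the free-text comment is HTML-encoded before anything else touches it, and a small `addslashes`-style helper reproduces the last point of the paragraph: SQL-style backslash escaping leaves a `<script>` tag fully intact.

```python
import html
import re
import unicodedata

# Constructed sample of what a framework hands you after parsing GET/POST.
# This is example input, not captured traffic.
RAW_REQUEST = {
    "username": "  al<script>ice ",
    "age": "27abc",
    "comment": "I said \"hi\" & <img src=x onerror=alert(1)>",
    "redirect": "javascript:alert(document.cookie)",
}

# Allow-lists (assumed rules for this example): what a value must look like
# to be accepted at all. Anything else is rejected or replaced, never passed on.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
# Same-site relative path: starts with a single "/" (so "//evil.example" is out),
# no whitespace or quote/angle characters that could break out of an attribute.
RELATIVE_PATH_RE = re.compile(r"^/(?!/)[^\s<>\"']*$")
MAX_COMMENT_LEN = 500


def strip_control_chars(s):
    """Drop control characters (Unicode category Cc) other than tab and newline."""
    return "".join(ch for ch in s if ch in "\t\n" or unicodedata.category(ch) != "Cc")


def sanitize_request(params):
    """Scrub raw request parameters at the boundary.

    Returns (clean, errors): `clean` holds only values that passed their rule,
    `errors` names the fields that were rejected. Free text is HTML-encoded here,
    so a template further downstream that forgets to escape cannot reintroduce markup.
    """
    clean, errors = {}, {}

    username = params.get("username", "").strip()
    if USERNAME_RE.fullmatch(username):
        clean["username"] = username
    else:
        errors["username"] = "must be 3-32 letters, digits or underscores"

    # isdecimal() rather than isdigit(): int() accepts every decimal digit but
    # rejects digit-like characters such as superscripts, which isdigit() lets through.
    age = params.get("age", "").strip()
    if age.isdecimal() and 0 < int(age) < 150:
        clean["age"] = int(age)
    else:
        errors["age"] = "must be a whole number between 1 and 149"

    comment = strip_control_chars(params.get("comment", ""))[:MAX_COMMENT_LEN]
    # Encode for HTML once, at the source. quote=True also encodes ' and " so the
    # value is safe inside a quoted attribute, not just in element text.
    clean["comment_html"] = html.escape(comment, quote=True)

    redirect = params.get("redirect", "/").strip()
    clean["redirect"] = redirect if RELATIVE_PATH_RE.fullmatch(redirect) else "/"

    return clean, errors


def addslashes(s):
    """PHP-style backslash escaping for a SQL string literal (the 'carefully backslashed' data)."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def contains_html_markup(s):
    """True if the string still carries a tag a browser would act on."""
    return bool(re.search(r"<[^>]+>", s))


if __name__ == "__main__":
    clean, errors = sanitize_request(RAW_REQUEST)
    print("clean:", clean)
    print("errors:", errors)
    payload = "<script>alert('x')</script>"
    print("addslashes leaves markup:", contains_html_markup(addslashes(payload)))
    print("html.escape leaves markup:", contains_html_markup(html.escape(payload)))
```

The point of returning `errors` separately is that a rejected field never reaches `clean`; there is no "mostly sanitized" username to be trusted later. The `addslashes` pair shows the author's closing warning concretely: the backslashed payload is a valid, injection-free SQL literal and still a live script tag the moment it is echoed into a page.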