Community Creators, Secure Your Code!

by Niklas Bivald

33 Reader Comments

  1. MySpace didn’t get popular because it was well-written ;-) It got popular because it gave users control.

    However, I think that you do have a point in not letting users customize space through “real code.” Isn’t that what most forums and blogs do right now by not allowing HTML when they can avoid it? BBCode and Textile are much easier to secure than raw web input.

  2. Well of course you don’t have to let them use real code. You could let them pick between the options you give them. But you could also just not accept their content, or their photos, or their comments..

    Like the previous poster said, MySpace sold for many millions of dollars, and it was only because “making profiles pretty” really appeals to teenaged girls and the boys who lust for them. People like to do their own thing.

  3. “But you could also just not accept their content, or their photos, or their comments..”

    I think that’s a totally different ball game – not accepting customisation through real code has nothing to do with censorship.

    I entirely agree that making “pretty profiles” is the attraction of MySpace and its ilk, but as it’s been mentioned, there are much more secure ways of going about it – allowing real-code submission is just asking for too much trouble.

  4. This is important stuff. Blogging communities allow other users to view their code, but for Web 2.0 and secure programs it’s important to know that the code can be hacker-proof.

  5. As well as allowing javascript URLs in CSS, IE also has a “feature” that lets properties be set using expressions, written in (of course) JavaScript. So you can use:

    <body [removed]alert('hi'));">…</body>

    Just something else to watch out for…

  6. I think MySpace giving their users freedom to edit their templates CSS was a huge mistake. Sure, the default theme is ugly but the things that the majority of people do to their MySpaces is much worse. They just destroy them beyond any level of readability or sanity.

    MySpace would be a nicer place without theme editing. Pure Volume is proof of this.

  7. Your article makes a good case for the security codes necessary to hold back abuse of the system. The system still needs to be refined so that legitimate users are not kept out in the same stroke we use to stop abusers. Thanks for raising the topic so well…

  8. I know the article is about XSS, but the example used points to another problem with a lot of these types of sites, not using a validation scheme for the ‘voting’ script, or scripts that control other types of changes.

    A simple check for a valid random unique id in voteOnAuser.php would kill any chance of an XSS vulnerability such as this from having any effect because the ‘vote’ would automatically be rejected.

    And a big applause to #28, if you’re going to allow customization then by all means have complete control over the code yourself.

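The per-request token check comment 8 describes, as an added example in Python rather than the PHP of voteOnAuser.php (this is not code from the article or from the commenter). The session store, the `start_session`/`vote_on_user` names and the form layout are assumptions made for the example. One caveat a practitioner would add: the token defeats requests that merely ride on the victim's cookie (an injected `<img>` or auto-submitted form that does not know the token), but script running inside the site's own origin can read the token out of the rendered form, so this complements output filtering rather than replacing it.

```python
import hmac
import secrets

# Constructed in-memory session store for this example: session id -> session data.
SESSIONS = {}


def start_session(user: str) -> str:
    """Create a session and mint a random anti-forgery token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def vote_form_html(sid: str, target: str) -> str:
    """The legitimate vote form the site renders; it carries the token as a hidden field."""
    token = SESSIONS[sid]["csrf"]
    return (
        '<form method="post" action="voteOnAuser.php">'
        f'<input type="hidden" name="target" value="{target}">'
        f'<input type="hidden" name="token" value="{token}">'
        '<input type="submit" value="Vote"></form>'
    )


def vote_on_user(sid: str, form: dict, votes: dict) -> bool:
    """Hypothetical stand-in for voteOnAuser.php: record a vote only if the request
    carries the token issued to this session. Returns True when the vote is counted."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    submitted = form.get("token", "")
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return False
    target = form.get("target", "")
    if not target:
        return False
    votes[target] = votes.get(target, 0) + 1
    return True


def demo() -> dict:
    """Run one legitimate vote and two forged ones; return outcomes and the tally."""
    votes = {}
    sid = start_session("alice")
    # Legitimate submission: the form rendered by the site includes the token.
    legit = vote_on_user(sid, {"target": "bob", "token": SESSIONS[sid]["csrf"]}, votes)
    # Forged request injected into a profile, e.g. <img src="voteOnAuser.php?target=bob">:
    # it rides on alice's session cookie but does not carry her token.
    forged = vote_on_user(sid, {"target": "bob"}, votes)
    # Guessing the token is hopeless: 32 random bytes.
    guessed = vote_on_user(sid, {"target": "bob", "token": secrets.token_urlsafe(32)}, votes)
    return {"legit": legit, "forged": forged, "guessed": guessed, "votes": dict(votes)}


if __name__ == "__main__":
    print(demo())
```

Tying the token to the session (rather than using one site-wide value) means a token harvested from one account is useless against another.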
  9. I’m sure there are two clear strategies to prevent XSS attacks:
    1. Format using tidy and then remove anything unexpected – leave only a basic set of tags.

    2. Separate administrating and displaying markup content on different sites (like blogger.com does).

    Correct me if I’m wrong.

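Comment 9's first strategy (parse the markup, then keep only a basic set of tags), as an added example that is not from the article or the commenter. It uses Python's standard `html.parser` in place of tidy; the tag and attribute allowlist is a constructed one for the example, and the point is that everything not explicitly listed is dropped, including event-handler attributes and non-http(s) `href` values.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist (constructed for this example): everything not listed here is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL_PREFIXES = ("http://", "https://")
# Tags whose text content must be discarded too, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    """Re-serialises a fragment, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []        # allowlisted tags currently open, for well-nesting
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop it, keep its text
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onmouseover=, style=, and anything else unlisted
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue  # rejects javascript:, data:, vbscript: and obfuscated variants
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open:
            return
        # Close everything opened since this tag so the output stays well-nested.
        while self.open:
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            # Text is re-escaped, so a literal "<script>" in the data stays inert.
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open:  # close anything the author left open
            self.out.append(f"</{self.open.pop()}>")


def sanitize_html(fragment: str) -> str:
    """Return a re-serialised fragment containing only allowlisted markup."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    print(sanitize_html('<b onmouseover="alert(1)">hi</b><script>alert(1)</script>'
                        '<a href="javascript:alert(1)">x</a>'))
```

Because the output is rebuilt from the parse tree rather than patched with string replacement, there is nothing for an attacker to "un-filter": malformed input either parses into something on the list or disappears.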
  10. Instead of
    one should use
    ;) Makes things valid as well :D

  11. All that customization of web applications reminds me of an article on network security.

    Pick your poison: do you want to restrict the user to a known and limited set of features or chase all the hacks that people will find?

    With the first approach you define and design it once; the other approach is a never ending race to ensure your application is safe from the known tricks and hacks.

    Ok, it takes more time to develop the white list; most certainly feels more restrictive from a user standpoint but I guess it depends if you prefer to appear on the front page because your application is great or because somebody took control of other people’s accounts.

    Maybe I’m paranoid, but I’d rather spend time extending my applications than fixing my damaged reputation.

    Cheers!

  12. http://kevin.mesiab.com/wordpress/index.php/cragslist-vulnerability/

    Apparently they need to heed the message. ;)  At the time of writing, this hole has not been patched.

  13. The ad hoc “tricks” the article prescribes can fall victim to clever attackers. For instance, if you were to use str_replace('javascript', '', $html) your script would still be vulnerable to javasjavascriptcript (this is documented in the XSS cheatsheet posted above, excellent reading for anybody interested in HTML validation).

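The bypass comment 13 describes and the CSS vectors comment 5 mentions (`javascript:` URLs inside CSS and IE's `expression()`), as one added example in Python rather than PHP; this is not code from the article or from either commenter. `strip_once` is the single-pass blacklist the comment criticises, and `sanitize_css` is the allowlist alternative: the property names and the two value shapes it accepts are constructed for the example, and the design rule is that a declaration is kept only if it matches a known-safe shape, never "cleaned" into one.

```python
import re

# Properties a profile may set (constructed allowlist for this example).
ALLOWED_PROPS = {"color", "background-color", "background-image", "font-family",
                 "font-size", "font-weight", "border", "width", "height"}
# Plain values: keywords, numbers, units, hex colours, comma lists. No "(", "\",
# quotes or "&", so expression(), url(), CSS escapes and entity tricks cannot fit.
SIMPLE_VALUE = re.compile(r"[A-Za-z0-9 #%.,-]+")
# The only function call allowed is url() pointing at an http(s) resource.
URL_VALUE = re.compile(r"url\(\s*['\"]?(https?://[A-Za-z0-9./_\-?=&%~]+)['\"]?\s*\)")


def strip_once(css: str) -> str:
    """The blacklist the comment criticises: one str_replace('javascript', '', ...) pass.
    Removing the inner occurrence of 'javasjavascriptcript' reassembles the outer one."""
    return css.replace("javascript", "")


def sanitize_css(css: str) -> str:
    """Allowlist approach: keep only known properties whose values match a safe shape.
    Anything unrecognised is dropped rather than repaired."""
    kept = []
    for declaration in css.split(";"):
        if ":" not in declaration:
            continue
        prop, value = declaration.split(":", 1)
        prop = prop.strip().lower()
        value = value.strip()
        if prop not in ALLOWED_PROPS:
            continue  # drops behavior:, -moz-binding:, position:, ...
        if URL_VALUE.fullmatch(value) or SIMPLE_VALUE.fullmatch(value):
            kept.append(f"{prop}: {value}")
        # expression(...), url(javascript:...), "\65 xpression" escapes and
        # anything with a quote in it fail both shapes and are discarded.
    return "; ".join(kept)


if __name__ == "__main__":
    print(strip_once("javasjavascriptcript:alert(1)"))
    print(sanitize_css("color: red; width: expression(alert('hi')); "
                       "background-image: url(javasjavascriptcript:alert(1))"))
```

Iterating the replace until nothing changes would close this particular hole but is still a blacklist, and the next encoding trick reopens it; the allowlist never has to know what the attacker's payload looks like. When the surviving declarations are written back into a `style` attribute, escape them for the attribute context as well.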