Community Creators, Secure Your Code!

by Niklas Bivald

33 Reader Comments

  1. All that customization of web applications reminds me of an article on network security.

    Pick your poison: do you want to restrict the user to a known and limited set of features, or chase all the hacks that people will find?

    With the first approach you define and design it once; the other approach is a never-ending race to ensure your application is safe from the known tricks and hacks.

    Ok, it takes more time to develop the white list; it most certainly feels more restrictive from a user standpoint, but I guess it depends on whether you prefer to appear on the front page because your application is great or because somebody took control of other people's accounts.

    Maybe I'm paranoid, but I'd rather spend time expanding my applications than fixing my damaged reputation.



  2. Apparently they need to heed the message. ;)  At the time of writing, this hole has not been patched.

  3. The ad hoc "tricks" the article prescribes can fall victim to clever attackers. For instance, if you were to use str_replace('javascript', '', $html) your script would still be vulnerable to javasjavascriptcript (this is documented in the XSS cheatsheet posted above, excellent reading for anybody interested in HTML validation).

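The bypass in comment 3 and the allowlist point from comment 1, as an added example that is not part of the original thread or the article. It models the single-pass str_replace blacklist in Python, shows why a repeated-stripping variant is still the wrong design, and contrasts it with an allowlist of URL schemes for href values; the sample inputs and the allowed-scheme set are assumptions for the demo.

```python
from urllib.parse import urlparse

# Constructed sample inputs for the demo (not taken from the original thread).
NESTED_BYPASS = "javasjavascriptcript:alert(1)"   # the case comment 3 mentions
PLAIN_BAD = "javascript:alert(1)"


def naive_strip(value: str) -> str:
    """Equivalent of str_replace('javascript', '', $html): one pass, one token.

    Removing the inner 'javascript' from the nested input leaves the outer
    'javas' + 'cript' joined together, i.e. the very token we tried to strip.
    """
    return value.replace("javascript", "")


def strip_until_stable(value: str) -> str:
    """Blacklist repeated to a fixpoint. This closes the nesting trick but is
    still an enumerate-the-bad-cases design: every other spelling, encoding or
    token the list does not know about passes straight through."""
    while True:
        stripped = value.replace("javascript", "")
        if stripped == value:
            return stripped
        value = stripped


# Assumed allowlist of schemes a comment system wants to let through.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def href_is_allowed(value: str) -> bool:
    """Allowlist check for an href: parse the URL and accept only known schemes.

    The scheme is compared after lower-casing, relative URLs (no scheme, no
    host) are accepted, and protocol-relative '//host' URLs are rejected because
    they name a host without a scheme we could vet. Anything else, including the
    nested 'javasjavascriptcript' scheme, is rejected without the code ever
    having to know about it.
    """
    parsed = urlparse(value.strip())
    scheme = parsed.scheme.lower()
    if scheme == "":
        return parsed.netloc == ""
    return scheme in ALLOWED_SCHEMES


def compare_filters(value: str) -> dict:
    """Return how each approach treats one input, for side-by-side inspection."""
    return {
        "naive": naive_strip(value),
        "stable": strip_until_stable(value),
        "allowed_as_href": href_is_allowed(value),
    }
```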