Discuss: Community Creators, Secure Your Code!
by Niklas Bivald
22 Re: All well and good, but...
MySpace didn’t get popular because it was well-written ;-) It got popular because it gave users control.
However, I think that you do have a point in not letting users customize space through “real code.” Isn’t that what most forums and blogs do right now by not allowing HTML when they can avoid it? BBCode and Textile are much easier to secure than raw web input.
posted at 09:53 pm on April 20, 2006 by Edward Yang
23 "Just don't let them"
Well of course you don’t have to let them use real code. You could let them pick between the options you give them. But you could also just not accept their content, or their photos, or their comments..
Like the previous poster said, MySpace sold for many millions of dollars, and it was only because “making profiles pretty” really appeals to teenaged girls and the boys who lust for them. People like to do their own thing.
posted at 01:22 am on April 21, 2006 by thomas lackner
24 Re: 23 "Just Don't Let Them"
“But you could also just not accept their content, or their photos, or their comments..”
I think that’s a totally different ball game – not accepting customisation through real code has nothing to do with censorship.
I entirely agree that making “pretty profiles” is the attraction of MySpace and its ilk, but as it’s been mentioned, there are much more secure ways of going about it – allowing real-code submission is just asking for too much trouble.
posted at 02:31 pm on April 21, 2006 by Ross Clutterbuck
25 Worth Knowing
This is important stuff. Blogging communities allow other users to view their code, but for Web 2.0 and secure programs it’s important to know that the code can be hacker-proof.
posted at 03:03 pm on April 21, 2006 by Jim Callender
26 Watch out for IE's expression keyword in CSS
As well as allowing javascript URLs in CSS, IE also has a “feature” that lets properties be set using expressions, written in (of course) JavaScript. So you can use:
<body style="color: [removed]alert('hi'));">…</body>
Just something else to watch out for…
posted at 03:47 pm on April 21, 2006 by Michael O'Brien
27 A Big Mistake
I think MySpace giving their users freedom to edit their templates’ CSS was a huge mistake. Sure, the default theme is ugly, but the things that the majority of people do to their MySpaces are much worse. They just destroy them beyond any level of readability or sanity.
MySpace would be a nicer place without theme editing. Pure Volume is proof of this.
posted at 09:41 am on April 24, 2006 by Jim Whimpey
28 To personalize
Your article makes a good case for the security codes necessary to hold back abuse of the system. The system still needs to be refined so that legitimate users are not kept out in the same stroke we use to stop abusers. Thanks for raising the topic so well…
posted at 12:54 pm on April 24, 2006 by Ellen Weber
29 One other thing that's missing
I know the article is about XSS, but the example used points to another problem with a lot of these types of sites, not using a validation scheme for the ‘voting’ script, or scripts that control other types of changes.
A simple check for a valid random unique id in voteOnAuser.php would kill any chance of an XSS vulnerability such as this from having any effect because the ‘vote’ would automatically be rejected.
And a big applause to #28, if you’re going to allow customization then by all means have complete control over the code yourself.
posted at 04:27 am on April 25, 2006 by Edward Vermillion
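As an added example (not code from the article or from anyone in this thread) of the random-id check Edward describes, here is a hypothetical Python stand-in for voteOnAuser.php; the in-memory session store and the function names are constructed for the illustration:

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session vote token.
# A real site would keep this server-side (database, session backend).
SESSIONS = {}


def start_session():
    """Issue a session id and a random, unguessable vote token for it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def vote_on_a_user(session_id, form):
    """Hypothetical vote handler: the vote counts only if the submitted token
    matches the one issued to this session. A request fired blindly by an
    injected script or a foreign page carries no valid token and is rejected."""
    expected = SESSIONS.get(session_id)
    supplied = form.get("token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return {"status": "rejected", "reason": "missing or invalid vote token"}
    return {"status": "accepted", "target": form.get("user", "")}


if __name__ == "__main__":
    sid, token = start_session()
    # Legitimate vote submitted from the form that carried the token.
    print(vote_on_a_user(sid, {"user": "alice", "token": token}))
    # Forged vote with no token, as a script-triggered request would send.
    print(vote_on_a_user(sid, {"user": "alice"}))
```

The token stops requests forged from another origin; a script that is already executing in the victim's page on the same origin can read the token from the form, so this check complements output filtering rather than replacing it.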
30 Two strategies
I’m sure there are two clear strategies to prevent XSS attacks:
1. Format using tidy and then remove anything unexpected – leave only a basic set of tags.
2. Separate administrating and displaying markup content on different sites (like blogger.com does).
Correct me if I’m wrong.
posted at 12:29 am on April 27, 2006 by Alexander Netkachev
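An added illustration (not code from the article or the thread) of the allowlist strategy in comment 30, which also refuses the IE expression() and javascript: CSS values from comment 26; it uses Python's html.parser, and the small set of allowed tags and attributes is an assumption chosen for the example:

```python
import html
from html.parser import HTMLParser

# Assumed minimal allowlist: tag -> attributes kept on it. Anything else is dropped.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href"}, "span": {"style"}}
VOID = {"br"}
DROP_CONTENT = {"script", "style"}   # text inside these is discarded, not just the tags


def safe_url(value):
    # Only plain http(s) links survive; javascript: and other schemes are removed.
    return value.strip().lower().startswith(("http://", "https://"))


def safe_style(value):
    # Whitespace is stripped first so "expr ession(" cannot hide the keyword.
    v = "".join(value.lower().split())
    return not any(bad in v for bad in ("expression(", "javascript:", "url(", "@import", "\\"))


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if tag not in ALLOWED:
            return                          # unknown tag dropped; its text is still kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue                    # e.g. onerror, onclick, class are never copied
            if (name == "href" and not safe_url(value)) or (name == "style" and not safe_style(value)):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))   # text is re-escaped, so literal <script> stays inert


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```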
21 All well and good, but...
Am I being totally short-sighted here, or can all these security holes be resolved in one simple stroke: don’t let your users personalise their space through real code!
My other half asked me a few days ago to help her style her MySpace stuff (and as it’s the first time I’ve really bothered going there I almost threw up when I saw how s**t it is code-wise) and then gave up after tearing my hair out for ages.
For a start it clearly says “please don’t use CSS to remove any MySpace ads” so immediately I set about doing just that – and succeeded. I then decided to play a little prank on her by adding “table {display:none}” to her style sheet and promptly destroyed the entire site in preview mode.
IMO these sorts of places – MySpace in particular – are so shoddily written it’ll take a CSS expert to write code to successfully style the soup of nested tables, divs and junk to get anything worthwhile looking at – and I doubt the majority of the user base will be these CSS experts (I know I’m not) – and certainly from my own experience anybody half web-dev savvy has their own blog with a crisp, clean blogging system or has just written their bloody own!
I’m all for personalisation and marking your cyber-territory, but surely it’s quicker and easier for the users and safer for the admins to allow personalisation through forms and options. Let the user click the settings they want and the system generates the styles.
Obviously you’ll still need to filter text input areas to avoid IE’s incompetence, but you’re already running a lot tighter ship.
Or, I say again, am I being short-sighted?
posted at 05:03 pm on April 20, 2006 by Ross Clutterbuck