Discuss: Community Creators, Secure Your Code!
by Niklas Bivald
- Editorial Comments
32 Picking your poison
All that customization of web applications reminds me of an article on network security.
Pick your poison: do you want to restrict the user to a known and limited set of features, or chase all the hacks that people will find?
With the first approach you define and design it once; the other approach is a never-ending race to ensure your application is safe from the known tricks and hacks.
Ok, it takes more time to develop the whitelist; it most certainly feels more restrictive from a user standpoint, but I guess it depends if you prefer to appear on the front page because your application is great or because somebody took control of other people's accounts.
Maybe I'm paranoid, but I'd rather spend time expanding my applications than fixing my damaged reputation.
Cheers!
posted at 10:34 am on April 28, 2006 by Jean-Marc Lagace
33 Someone should Tell Craig Newmark
http://kevin.mesiab.com/wordpress/index.php/cragslist-vulnerability/
Apparently they need to heed the message. ;) At the time of writing, this hole has not been patched.
posted at 01:58 am on May 8, 2006 by Kevin Mesiab
34 Untitled
The ad hoc "tricks" the article prescribes can fall victim to clever attackers. For instance, if you were to use str_replace('javascript', '', $html) your script would still be
vulnerable to javasjavascriptcript (this is documented in the XSS cheatsheet posted above, excellent reading for anybody interested in HTML validation).
posted at 01:44 pm on May 8, 2006 by bob sfog
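The nesting bypass the comment above describes, worked through as an added example (not code from the article or from any commenter), written in Python rather than the comment's PHP: a single-pass blacklist like str_replace('javascript', '', $html) reassembles the keyword from the quoted input, while repeating the removal to a fixed point only closes this one trick, and a whitelist of allowed URL schemes plus HTML escaping is the approach the first commenter argues for. Sample inputs are constructed.

```python
import html
import re
from typing import Optional

# Constructed sample inputs: a plain payload and the nested form quoted
# in the comment above, which is the one the single-pass filter misses.
PLAIN = "javascript:alert(1)"
NESTED = "javasjavascriptcript:alert(1)"


def naive_strip(s: str) -> str:
    """Single-pass blacklist, equivalent to str_replace('javascript', '', $html).
    Removing the inner 'javascript' from NESTED leaves 'javascript' behind."""
    return s.replace("javascript", "")


def strip_until_stable(s: str) -> str:
    """Repeat the removal until the string stops changing. This closes the
    nesting trick but is still a blacklist: any keyword or encoding not on
    the list (other schemes, entity-encoded text, whitespace tricks) is untouched."""
    while True:
        stripped = s.replace("javascript", "")
        if stripped == s:
            return stripped
        s = stripped


def whitelist_url(url: str) -> Optional[str]:
    """Whitelist approach for user-supplied links: accept only an absolute
    http(s) URL with no quote or angle-bracket characters, reject everything else.
    There is nothing to 'strip' because unknown input is simply refused."""
    if re.fullmatch(r"https?://[^\s\"'<>]+", url):
        return url
    return None


def escape_for_html(text: str) -> str:
    """For text that is rendered, not interpreted: escape instead of filtering,
    so the browser shows the characters rather than executing them."""
    return html.escape(text, quote=True)
```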
31 A typo in the short list
Instead of one should use ;) Makes things valid as well :D
posted at 11:26 am on April 27, 2006 by Priit Laes